commit 7937bfbc | 28-Oct-2024 | Li-Wen Hsu <lwhsu@FreeBSD.org>
mac_do(4): Enhance GID rule validation to check all groups in cr_groups
Previously, the rule validation only checked the primary GID (cr_gid). This caused issues when applying GID-based rules, as users with matching secondary groups were not considered valid. This patch modifies both functions to iterate through all groups in cr_groups to ensure all group memberships are considered when validating GID-based rules.
For example, if a user's primary group is staff (20) and they are also in the wheel (0) group, this change allows the rule gid=0:any to enable them to run commands as any user.
Reviewed by: delphij (earlier version), bapt
Differential Revision: https://reviews.freebsd.org/D47304
commit 8aac90f1 | 10-May-2024 | Baptiste Daroussin <bapt@FreeBSD.org>
mac_do: add a new MAC/do policy and mdo(1) utility
This policy enables a user to become another user without having to be root (hence no setuid binary). It is configured via rules using sysctl security.mac.do.rules
For example: security.mac.do.rules=uid=1001:80,gid=0:any
The above rule means the user identified by the uid 1001 is able to become user 80. Any user of the group 0 is allowed to become any user on the system.
The mdo(1) utility expects the MAC/do policy to be installed and its rules defined.
Reviewed by: des
Differential Revision: https://reviews.freebsd.org/D45145
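The following is an added, user-space model of the two things the commits above describe: the rule syntax from the mdo(1) commit (comma-separated `uid=<id>:<target>` / `gid=<id>:<target>` rules, with `any` as a wildcard target) and the matching change from the GID commit, where a gid rule must consult every group in cr_groups rather than only the primary cr_gid. It is not FreeBSD's mac_do(4) code; the struct layout (demo_ucred with cr_uid, cr_gid and a cr_groups array), the function names parse_rules, can_become and demo_check, and the rejection of a malformed rule set as a whole are assumptions made for the demonstration. The check_all_groups flag exists only to show the pre-fix and post-fix behaviour side by side.

```c
/* Added example code modelling mac_do-style rules; not the FreeBSD
 * implementation.  Struct and function names are assumptions. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RULES 16
#define NGROUPS_DEMO 16

/* Stand-in for the ucred fields the rules look at (assumed layout). */
struct demo_ucred {
	unsigned cr_uid;
	unsigned cr_gid;                   /* primary group */
	unsigned cr_groups[NGROUPS_DEMO];  /* supplementary groups */
	int cr_ngroups;
};

struct demo_rule {
	bool by_gid;         /* false: "uid=" rule, true: "gid=" rule */
	unsigned id;         /* uid or gid the rule applies to */
	bool target_any;     /* target written as "any" */
	unsigned target_uid; /* numeric target otherwise */
};

struct demo_rules {
	struct demo_rule r[MAX_RULES];
	int n;
};

/* Parse "uid=1001:80,gid=0:any".  Returns the rule count, or -1 on any
 * malformed rule: the whole set is rejected so a typo cannot silently
 * widen what a user may become. */
int parse_rules(const char *spec, struct demo_rules *out)
{
	char buf[256];
	char *tok;

	out->n = 0;
	if (strlen(spec) >= sizeof(buf))
		return -1;
	strcpy(buf, spec);
	for (tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
		struct demo_rule *rule;
		char *eq, *colon, *end;
		unsigned long v;

		if (out->n >= MAX_RULES)
			return -1;
		rule = &out->r[out->n];
		if ((eq = strchr(tok, '=')) == NULL)
			return -1;
		*eq = '\0';
		if (strcmp(tok, "uid") == 0)
			rule->by_gid = false;
		else if (strcmp(tok, "gid") == 0)
			rule->by_gid = true;
		else
			return -1;
		if ((colon = strchr(eq + 1, ':')) == NULL)
			return -1;
		*colon = '\0';
		v = strtoul(eq + 1, &end, 10);
		if (eq[1] == '\0' || *end != '\0')
			return -1;
		rule->id = (unsigned)v;
		if (strcmp(colon + 1, "any") == 0) {
			rule->target_any = true;
		} else {
			v = strtoul(colon + 1, &end, 10);
			if (colon[1] == '\0' || *end != '\0')
				return -1;
			rule->target_any = false;
			rule->target_uid = (unsigned)v;
		}
		out->n++;
	}
	return out->n;
}

/* Group membership test.  check_all_groups=false is the pre-fix behaviour
 * (primary gid only); true also walks cr_groups[], as the fix does. */
static bool cred_in_group(const struct demo_ucred *cr, unsigned gid,
    bool check_all_groups)
{
	if (cr->cr_gid == gid)
		return true;
	if (!check_all_groups)
		return false;
	for (int i = 0; i < cr->cr_ngroups; i++)
		if (cr->cr_groups[i] == gid)
			return true;
	return false;
}

/* May cr become uid target under rules?  First matching rule that allows
 * the target wins; no match means deny. */
bool can_become(const struct demo_rules *rules, const struct demo_ucred *cr,
    unsigned target, bool check_all_groups)
{
	for (int i = 0; i < rules->n; i++) {
		const struct demo_rule *rule = &rules->r[i];
		bool subject = rule->by_gid
		    ? cred_in_group(cr, rule->id, check_all_groups)
		    : cr->cr_uid == rule->id;

		if (subject && (rule->target_any || rule->target_uid == target))
			return true;
	}
	return false;
}

/* One user with a primary gid and a single supplementary group, checked
 * against spec.  Returns 1 allow, 0 deny, -1 malformed spec. */
int demo_check(const char *spec, unsigned uid, unsigned gid, unsigned supp,
    unsigned target, bool check_all_groups)
{
	struct demo_rules rules;
	struct demo_ucred cr = { .cr_uid = uid, .cr_gid = gid, .cr_ngroups = 1 };

	cr.cr_groups[0] = supp;
	if (parse_rules(spec, &rules) < 0)
		return -1;
	return can_become(&rules, &cr, target, check_all_groups) ? 1 : 0;
}
```

With the rule set from the mdo commit, a user whose primary group is staff (20) and whose supplementary group is wheel (0) is denied under the primary-only check and allowed once cr_groups is walked, which is exactly the case the GID commit describes; uid 1001 remains limited to uid 80 either way.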