.\"
.\" Copyright (c) 2003 Joseph Koshy <jkoshy@FreeBSD.org>
.\" Copyright (c) 2023 Olivier Certner <olce.freebsd@certner.fr>
.\"
.\" All rights reserved.
.\"
.\" This program is free software.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd August 18, 2023
.Dt CR_CANSEEOTHERGIDS 9
.Os
.Sh NAME
.Nm cr_canseeothergids
.Nd determine if subjects may see entities in a disjoint group set
.Sh SYNOPSIS
.Ft int
.Fn cr_canseeothergids "struct ucred *u1" "struct ucred *u2"
.Sh DESCRIPTION
.Bf -emphasis
This function is internal.
Its functionality is integrated into the function
.Xr cr_bsd_visible 9 ,
which should be called instead.
.Ef
.Pp
This function checks whether a subject associated with credentials
.Fa u1
is denied seeing a subject or object associated with credentials
.Fa u2
by a policy that requires both credentials to have at least one group in common.
For this determination, the real and supplementary group IDs are used, but
not the effective group IDs, as per
.Xr realgroupmember 9 .
.Pp
This policy is active if and only if the
.Xr sysctl 8
variable
.Va security.bsd.see_other_gids
is set to zero.
.Pp
As usual, the superuser (effective user ID 0) is exempt from this policy
provided that the
.Xr sysctl 8
variable
.Va security.bsd.suser_enabled
is non-zero and no active MAC policy explicitly denies the exemption
.Po
see
.Xr priv_check_cred 9
.Pc .
.Sh RETURN VALUES
The
.Fn cr_canseeothergids
function returns 0 if the policy is disabled, the credentials share at least one
common group, or if
.Fa u1
has privilege exempting it from the policy.
Otherwise, it returns
.Er ESRCH .
.Sh SEE ALSO
.Xr cr_bsd_visible 9 ,
.Xr priv_check_cred 9 ,
.Xr realgroupmember 9
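The following is an added example, not FreeBSD's kernel code, that models the decision described in this page as a small userland program so the cases can be checked offline. `struct model_cred` is a hypothetical stand-in for `struct ucred` that keeps only the fields the policy consults (the real kernel structure differs); the two `sysctl(8)` variables and a MAC veto are plain parameters, and the `priv_check_cred(9)` exemption is reduced to the three conditions the text names. All user and group IDs in the scenario table are constructed for illustration.

```c
/*
 * Added example, not FreeBSD's own kernel code: a userland model of the
 * cr_canseeothergids(9) decision.  struct model_cred is a hypothetical
 * stand-in for struct ucred keeping only the fields the policy consults;
 * the sysctl(8) knobs and the MAC veto are plain parameters.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct model_cred {			/* hypothetical, not struct ucred */
	unsigned int euid;		/* effective user ID */
	unsigned int egid;		/* effective group ID: never consulted */
	unsigned int rgid;		/* real group ID */
	unsigned int groups[4];		/* supplementary groups */
	size_t ngroups;
};

struct model_policy {
	int see_other_gids;		/* security.bsd.see_other_gids */
	int suser_enabled;		/* security.bsd.suser_enabled */
	bool mac_denies;		/* MAC policy vetoing the superuser exemption */
};

/* Models realgroupmember(9): real gid or a supplementary group, not egid. */
static bool
model_realgroupmember(unsigned int gid, const struct model_cred *cr)
{
	if (cr->rgid == gid)
		return true;
	for (size_t i = 0; i < cr->ngroups; i++)
		if (cr->groups[i] == gid)
			return true;
	return false;
}

/* Returns 0 when u1 may see u2, ESRCH when the policy denies it. */
int
model_cr_canseeothergids(const struct model_cred *u1,
    const struct model_cred *u2, const struct model_policy *p)
{
	if (p->see_other_gids != 0)
		return 0;		/* policy disabled */
	if (model_realgroupmember(u2->rgid, u1))
		return 0;		/* real gid in common */
	for (size_t i = 0; i < u2->ngroups; i++)
		if (model_realgroupmember(u2->groups[i], u1))
			return 0;	/* supplementary group in common */
	/* Models the priv_check_cred(9) exemption as the page describes it. */
	if (u1->euid == 0 && p->suser_enabled != 0 && !p->mac_denies)
		return 0;
	return ESRCH;
}

/* Constructed scenarios; all IDs are made up.  Field order: policy
 * {see_other_gids, suser_enabled, mac_denies}, then u1 and u2 as
 * {euid, egid, rgid, groups, ngroups}. */
struct model_scenario {
	const char *name;
	struct model_policy policy;
	struct model_cred u1, u2;
};

static const struct model_scenario scenarios[] = {
	{ "policy disabled, disjoint groups", { 1, 1, false },
	  { 1001, 1001, 1001, {0}, 0 }, { 1002, 1002, 1002, {0}, 0 } },
	{ "policy on, disjoint groups", { 0, 1, false },
	  { 1001, 1001, 1001, {0}, 0 }, { 1002, 1002, 1002, {0}, 0 } },
	{ "policy on, shared supplementary group", { 0, 1, false },
	  { 1001, 1001, 1001, {2000}, 1 }, { 1002, 1002, 1002, {2000}, 1 } },
	{ "policy on, only effective gids match", { 0, 1, false },
	  { 1001, 2000, 1001, {0}, 0 }, { 1002, 2000, 1002, {0}, 0 } },
	{ "policy on, root with suser enabled", { 0, 1, false },
	  { 0, 0, 0, {0}, 0 }, { 1002, 1002, 1002, {0}, 0 } },
	{ "policy on, root with suser disabled", { 0, 0, false },
	  { 0, 0, 0, {0}, 0 }, { 1002, 1002, 1002, {0}, 0 } },
	{ "policy on, root but MAC denies exemption", { 0, 1, true },
	  { 0, 0, 0, {0}, 0 }, { 1002, 1002, 1002, {0}, 0 } },
};
#define MODEL_NSCENARIOS (sizeof(scenarios) / sizeof(scenarios[0]))

/* Result of scenario i: 0 (visible) or ESRCH (denied). */
int
model_scenario_result(size_t i)
{
	const struct model_scenario *s = &scenarios[i];
	return model_cr_canseeothergids(&s->u1, &s->u2, &s->policy);
}

int
main(void)
{
	for (size_t i = 0; i < MODEL_NSCENARIOS; i++)
		printf("%-42s -> %s\n", scenarios[i].name,
		    model_scenario_result(i) == 0 ? "0 (visible)" : "ESRCH");
	return 0;
}
```

The scenario "only effective gids match" is the one worth reading twice: both credentials carry the same effective group ID, yet the model still returns `ESRCH` because, as the page states, only the real and supplementary group IDs take part in the comparison. The last two scenarios show that effective user ID 0 alone is not enough for the exemption when `security.bsd.suser_enabled` is zero or a MAC policy denies it.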