.\"
.\" Copyright (c) 2003 Joseph Koshy <jkoshy@FreeBSD.org>
.\" Copyright (c) 2023 Olivier Certner <olce.freebsd@certner.fr>
.\"
.\" All rights reserved.
.\"
.\" This program is free software.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd August 18, 2023
.Dt CR_CANSEEOTHERGIDS 9
.Os
.Sh NAME
.Nm cr_canseeothergids
.Nd determine if subjects may see entities in a disjoint group set
.Sh SYNOPSIS
.Ft int
.Fn cr_canseeothergids "struct ucred *u1" "struct ucred *u2"
.Sh DESCRIPTION
.Bf -emphasis
This function is internal.
Its functionality is integrated into the function
.Xr cr_bsd_visible 9 ,
which should be called instead.
.Ef
.Pp
This function checks whether a subject associated with credentials
.Fa u1
is denied seeing a subject or object associated with credentials
.Fa u2
by a policy that requires both credentials to have at least one group in common.
For this determination, the real and supplementary group IDs are used, but
not the effective group IDs, as per
.Xr realgroupmember 9 .
.Pp
This policy is active if and only if the
.Xr sysctl 8
variable
.Va security.bsd.see_other_gids
is set to zero.
.Pp
As usual, the superuser (effective user ID 0) is exempt from this policy
provided that the
.Xr sysctl 8
variable
.Va security.bsd.suser_enabled
is non-zero and no active MAC policy explicitly denies the exemption
.Po
see
.Xr priv_check_cred 9
.Pc .
.Sh RETURN VALUES
The
.Fn cr_canseeothergids
function returns 0 if the policy is disabled, the credentials share at least one
common group, or if
.Fa u1
has privilege exempting it from the policy.
Otherwise, it returns
.Er ESRCH .
.Sh SEE ALSO
.Xr cr_bsd_visible 9 ,
.Xr priv_check_cred 9 ,
.Xr realgroupmember 9
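The following is an added, user-space model of the policy described above; it is not FreeBSD's kernel code. The struct, the two sysctl variables, and every function name are constructed stand-ins for the kernel's struct ucred, sysctl(8) knobs, realgroupmember(9) and priv_check_cred(9), and MAC policy overrides are not modelled.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of the credential fields the check consults (not the kernel's struct ucred). */
#define MODEL_NGROUPS 16
struct model_ucred {
    unsigned int cr_uid;                   /* effective user ID; 0 is the superuser */
    unsigned int cr_rgid;                  /* real group ID */
    unsigned int cr_groups[MODEL_NGROUPS]; /* supplementary group IDs */
    size_t cr_ngroups;
};
/* Model of the two sysctl knobs; the usual defaults enable both. */
static int see_other_gids = 1;   /* stands in for security.bsd.see_other_gids */
static int suser_enabled = 1;    /* stands in for security.bsd.suser_enabled */
void model_set_policy(int see_other, int suser) {
    see_other_gids = see_other;
    suser_enabled = suser;
}
/* Like realgroupmember(9): real and supplementary groups only, never the effective GID. */
static bool model_realgroupmember(unsigned int gid, const struct model_ucred *cred) {
    if (gid == cred->cr_rgid)
        return true;
    for (size_t i = 0; i < cred->cr_ngroups; i++)
        if (cred->cr_groups[i] == gid)
            return true;
    return false;
}
/* Returns 0 when u1 may see u2, ESRCH when the policy denies it. */
int cr_canseeothergids_model(const struct model_ucred *u1, const struct model_ucred *u2) {
    if (see_other_gids != 0)
        return 0;                         /* policy inactive */
    if (model_realgroupmember(u1->cr_rgid, u2))
        return 0;                         /* u1's real group is among u2's groups */
    for (size_t i = 0; i < u1->cr_ngroups; i++)
        if (model_realgroupmember(u1->cr_groups[i], u2))
            return 0;                     /* a supplementary group is shared */
    if (suser_enabled && u1->cr_uid == 0)
        return 0;                         /* superuser exemption, as priv_check_cred(9) would grant */
    return ESRCH;
}
/* Convenience for exercising the model: each side gets one supplementary group. */
int model_check(unsigned int uid1, unsigned int rgid1, unsigned int sup1,
                unsigned int uid2, unsigned int rgid2, unsigned int sup2) {
    struct model_ucred a = { uid1, rgid1, { sup1 }, 1 };
    struct model_ucred b = { uid2, rgid2, { sup2 }, 1 };
    return cr_canseeothergids_model(&a, &b);
}
```

With see_other_gids left at 1 every call returns 0; setting it to 0 makes disjoint group sets return ESRCH unless u1 is the superuser with suser_enabled set.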