xref: /freebsd/share/man/man9/cr_canseeothergids.9 (revision bdcbfde31e8e9b343f113a1956384bdf30d1ed62)
1.\"
2.\" Copyright (c) 2003 Joseph Koshy <jkoshy@FreeBSD.org>
3.\" Copyright (c) 2023 Olivier Certner <olce.freebsd@certner.fr>
4.\"
5.\" All rights reserved.
6.\"
7.\" This program is free software.
8.\"
9.\" Redistribution and use in source and binary forms, with or without
10.\" modification, are permitted provided that the following conditions
11.\" are met:
12.\" 1. Redistributions of source code must retain the above copyright
13.\"    notice, this list of conditions and the following disclaimer.
14.\" 2. Redistributions in binary form must reproduce the above copyright
15.\"    notice, this list of conditions and the following disclaimer in the
16.\"    documentation and/or other materials provided with the distribution.
17.\"
18.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
19.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
22.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28.\"
29.Dd August 18, 2023
30.Dt CR_CANSEEOTHERGIDS 9
31.Os
32.Sh NAME
33.Nm cr_canseeothergids
34.Nd determine if subjects may see entities in a disjoint group set
35.Sh SYNOPSIS
36.Ft int
37.Fn cr_canseeothergids "struct ucred *u1" "struct ucred *u2"
38.Sh DESCRIPTION
39.Bf -emphasis
40This function is internal.
41Its functionality is integrated into the function
42.Xr cr_bsd_visible 9 ,
43which should be called instead.
44.Ef
45.Pp
46This function checks if a subject associated to credentials
47.Fa u1
48is denied seeing a subject or object associated to credentials
49.Fa u2
50by a policy that requires both credentials to have at least one group in common.
51For this determination, the real and supplementary group IDs are used, but
52not the effective group IDs, as per
53.Xr realgroupmember 9 .
54.Pp
55This policy is active if and only if the
56.Xr sysctl 8
57variable
58.Va security.bsd.see_other_gids
59is set to zero.
60.Pp
61As usual, the superuser (effective user ID 0) is exempt from this policy
62provided that the
63.Xr sysctl 8
64variable
65.Va security.bsd.suser_enabled
66is non-zero and no active MAC policy explicitly denies the exemption
67.Po
68see
69.Xr priv_check_cred 9
70.Pc .
71.Sh RETURN VALUES
72The
73.Fn cr_canseeothergids
74function returns 0 if the policy is disabled, the credentials share at least one
75common group, or if
76.Fa u1
77has privilege exempting it from the policy.
78Otherwise, it returns
79.Er ESRCH .
80.Sh SEE ALSO
81.Xr cr_bsd_visible 9 ,
82.Xr realgroupmember 9 ,
83.Xr priv_check_cred 9
84