fix the setusercontext(3) workaround #23
Seeing this being used on even more systems like Illumos with this ugly and security-critical bug open makes me cringe every time I check if it was finally fixed. I reported it directly to the maintainer in 2017. I reported it to firstname.lastname@example.org without a response.
doas uses setusercontext(3) with the
This means your doas port does not drop the groups of the executing user.
The whole point I make is that this is wrong. Both OpenBSD doas and sudo change the group IDs, and making this port differ from this behavior without documenting and warning users is very, very bad.
I have a point of contention with the overall view. One being that I'm not sure this qualifies as a security concern. Having the group of the calling user is arguably expected, or at least certainly useful. However, I can see why, in some cases, it would also be dangerous. I'm going to commit this patch and test it. Thank you for putting it together.
On a side note, I'd like to point out that my testing shows this issue, keeping the group of the original user, appears to only affect Linux. On FreeBSD, group permissions were already dropped, as they were on OpenBSD, and (I think) NetBSD. Linux was the odd one out for keeping the calling user's groups. And I think this patch is worthwhile to bring Linux into the fold so it is no longer an exception.
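A way to check the behavior discussed in this thread on a given platform, as an added example that is not part of the pull request or of the doas port's code: a small C program, meant to be run as the command a privilege-switching tool starts, that reports any supplementary group the process still holds which the target account is not a member of. The function names `leaked_groups` and `audit_groups`, the `MAX_GROUPS` limit and the default target `root` are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE 1        /* getgrouplist() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example: names and the 256-entry limit are illustrative choices. */
#define MAX_GROUPS 256

/* Copy into `leaked` every gid in `have` that is absent from `allowed`;
 * returns how many were found. Pure function, no system calls. */
int leaked_groups(const gid_t *have, int nhave,
                  const gid_t *allowed, int nallowed, gid_t *leaked)
{
    int n = 0;
    for (int i = 0; i < nhave; i++) {
        int ok = 0;
        for (int j = 0; j < nallowed && !ok; j++)
            ok = (have[i] == allowed[j]);
        if (!ok)
            leaked[n++] = have[i];
    }
    return n;
}

/* Compare this process's supplementary groups with the group list the
 * account database gives `user`. Returns the leak count, or -1 on error. */
int audit_groups(const char *user, gid_t *leaked)
{
    gid_t have[MAX_GROUPS], allowed[MAX_GROUPS];
    int nallowed = MAX_GROUPS;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || getgrouplist(user, pw->pw_gid, allowed, &nallowed) < 0)
        return -1;
    int nhave = getgroups(MAX_GROUPS, have);
    if (nhave < 0)
        return -1;
    return leaked_groups(have, nhave, allowed, nallowed, leaked);
}

int main(int argc, char **argv)
{
    gid_t leaked[MAX_GROUPS];
    int n = audit_groups(argc > 1 ? argv[1] : "root", leaked);
    for (int i = 0; i < n; i++)
        printf("leaked gid %ld\n", (long)leaked[i]);
    return n == 0 ? 0 : 1;
}
```

An exit status of 0 means the process holds only groups that belong to the target account; any printed gid is one inherited from the caller.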