mac_seeotheruids: allow specificgid to be a list of groups
The specificgid functionality has historically allowed only a single group to be exempt, but in practice one might want a few services to be exempt for reasons. From a security perspective, we probably don't want to encourage unrelated users to be grouped together solely for this purpose, as that creates one point of shared access that could be used for nefarious purposes.

Normalize the group list as we do cr_groups to allow for linear matching rather than quadratic; we just need to account for the differences in FreeBSD 15.0+, where cr_groups is entirely supplementary groups, vs. earlier versions, where cr_groups[0] is the egid and the rest is sorted.

Reviewed by: csjp, des (earlier version)
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D56592
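An added example of the matching scheme the commit message describes; it is not code from this commit or from the FreeBSD kernel. The exemption list is normalised (sorted, deduplicated) once, and a credential is then tested against it in a single merge pass over two sorted arrays instead of a nested loop. Both cr_groups layouts named in the message are modelled. Everything here is illustrative: `struct ex_cred`, `struct ex_gidlist`, the `cr_gid` field standing in for wherever a 15.0+ kernel keeps the effective gid, the `NGROUPS_EX` bound, and the function names are assumptions, not the kernel's.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

#define NGROUPS_EX 16   /* illustrative bound, not the kernel's NGROUPS */

/* Illustrative credential, not the kernel's struct ucred. */
struct ex_cred {
    gid_t cr_gid;                /* effective gid; used only by the 15.0+ layout */
    int   cr_ngroups;
    gid_t cr_groups[NGROUPS_EX];
};

/* Exemption list after normalisation: sorted ascending, no duplicates. */
struct ex_gidlist {
    int   n;
    gid_t g[NGROUPS_EX];
};

static int gid_cmp(const void *a, const void *b)
{
    gid_t x = *(const gid_t *)a, y = *(const gid_t *)b;
    return (x > y) - (x < y);
}

/* Sort and deduplicate a raw list so membership can be checked in one pass. */
void ex_gidlist_normalize(struct ex_gidlist *l, const gid_t *raw, int n)
{
    int r, w;
    l->n = 0;
    if (raw == NULL || n <= 0)
        return;
    if (n > NGROUPS_EX)
        n = NGROUPS_EX;          /* truncates; a real sysctl handler should reject */
    for (r = 0; r < n; r++)
        l->g[r] = raw[r];
    qsort(l->g, (size_t)n, sizeof(gid_t), gid_cmp);
    for (r = 1, w = 1; r < n; r++)
        if (l->g[r] != l->g[w - 1])
            l->g[w++] = l->g[r];
    l->n = w;
}

/* Merge-walk two sorted arrays: O(na + nb) rather than O(na * nb). */
static bool sorted_intersect(const gid_t *a, int na, const gid_t *b, int nb)
{
    int i = 0, j = 0;
    while (i < na && j < nb) {
        if (a[i] == b[j])
            return true;
        if (a[i] < b[j])
            i++;
        else
            j++;
    }
    return false;
}

/* Binary search for one gid in a sorted array. */
static bool sorted_contains(const gid_t *a, int na, gid_t x)
{
    int lo = 0, hi = na - 1, mid;
    while (lo <= hi) {
        mid = lo + (hi - lo) / 2;
        if (a[mid] == x)
            return true;
        if (a[mid] < x)
            lo = mid + 1;
        else
            hi = mid - 1;
    }
    return false;
}

/* True if the effective gid or any supplementary group of cr is exempt.
 * new_layout models 15.0+ (egid in cr_gid, all of cr_groups sorted);
 * otherwise cr_groups[0] is the egid and cr_groups[1..] is sorted. */
bool ex_cred_exempt(const struct ex_cred *cr, const struct ex_gidlist *l,
                    bool new_layout)
{
    if (l->n == 0)
        return false;
    if (new_layout)
        return sorted_contains(l->g, l->n, cr->cr_gid) ||
               sorted_intersect(cr->cr_groups, cr->cr_ngroups, l->g, l->n);
    if (cr->cr_ngroups <= 0)
        return false;
    return sorted_contains(l->g, l->n, cr->cr_groups[0]) ||
           sorted_intersect(cr->cr_groups + 1, cr->cr_ngroups - 1, l->g, l->n);
}

int main(void)
{
    /* Constructed sample: list "1001 70 1001 5" as an operator might type it. */
    const gid_t raw[] = { 1001, 70, 1001, 5 };
    struct ex_gidlist l;
    struct ex_cred old_cr = { .cr_ngroups = 3, .cr_groups = { 1001, 0, 20 } };
    struct ex_cred new_cr = { .cr_gid = 100, .cr_ngroups = 3, .cr_groups = { 0, 5, 20 } };
    ex_gidlist_normalize(&l, raw, 4);
    printf("old layout exempt=%d new layout exempt=%d\n",
           ex_cred_exempt(&old_cr, &l, false), ex_cred_exempt(&new_cr, &l, true));
    return 0;
}
```

The merge walk only works because both sides are sorted, which is why the list is normalised when it is set rather than on every check; deduplication is not needed for correctness but keeps the bound at the number of distinct groups. The truncation in `ex_gidlist_normalize` is a deliberate simplification: a sysctl handler should reject an over-long or unparsable list rather than silently keep a prefix, since the operator would otherwise believe groups are exempt that are not.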
@@ -28,7 +28,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd July 25, 2015
.Dd Februrary 26, 2026
.Dt MAC_SEEOTHERUIDS 4
.Os
.Sh NAME
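Review bot: The new date line `.Dd Februrary 26, 2026` misspells the month and should read `.Dd February 26, 2026`; mandoc does not recognise the misspelled month name, so `mandoc -Tlint` reports the date as unparsable and the rendered page footer shows the literal misspelled string rather than a normalised date. Since this date bump is the only change in the hunk, fix it before the commit lands.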
@@ -80,7 +80,7 @@ set the sysctl OID
.Va security.mac.seeotheruids.specificgid_enabled
to 1, and
.Va security.mac.seeotheruids.specificgid
to the group ID to be exempted.
to the list of group IDs to be exempted.
.Ss Label Format
No labels are defined for
.Nm .
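Review bot: `to the list of group IDs to be exempted.` replaces the single-ID wording without saying how the list is written: state the delimiter (comma- or space-separated), that a single ID is still accepted as before, and what the kernel does when one entry is not a valid group ID or the list is longer than it accepts (is the whole assignment rejected, or is a valid prefix kept?). The paragraph also never says whether a process qualifies by its effective group only or by any supplementary group, which matters given the cr_groups layout difference the commit message describes. One sentence on each point plus an example sysctl(8) invocation belong here, since this paragraph is the only documentation of the new syntax.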