D40635.1777083992.diff
diff --git a/share/man/man9/cr_canseeotheruids.9 b/share/man/man9/cr_canseeotheruids.9
--- a/share/man/man9/cr_canseeotheruids.9
+++ b/share/man/man9/cr_canseeotheruids.9
@@ -1,5 +1,6 @@
.\"
.\" Copyright (c) 2003 Joseph Koshy <jkoshy@FreeBSD.org>
+.\" Copyright (c) 2023 Olivier Certner <olce.freebsd@certner.fr>
.\"
.\" All rights reserved.
.\"
@@ -25,56 +26,54 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd November 11, 2003
+.Dd August 18, 2023
.Dt CR_CANSEEOTHERUIDS 9
.Os
.Sh NAME
.Nm cr_canseeotheruids
-.Nd determine visibility of objects given their user credentials
+.Nd determine if subjects may see entities with differing user ID
.Sh SYNOPSIS
.Ft int
.Fn cr_canseeotheruids "struct ucred *u1" "struct ucred *u2"
.Sh DESCRIPTION
-This function determines the visibility of objects in the
-kernel based on the real user IDs in the credentials
+.Bf -emphasis
+This function is internal.
+Its functionality is integrated into the function
+.Xr cr_bsd_visible 9 ,
+which should be called instead.
+.Ef
+.Pp
+This function checks if a subject associated to credentials
.Fa u1
-and
+is denied seeing a subject or object associated to credentials
.Fa u2
-associated with them.
+by a policy that requires both credentials to have the same real user ID.
.Pp
-The visibility of objects is influenced by the
+This policy is active if and only if the
.Xr sysctl 8
variable
-.Va security.bsd.see_other_uids .
-If this variable is non-zero then all objects in the kernel
-are visible to each other irrespective of their user IDs.
-If this variable is zero then the object with credentials
-.Fa u2
-is visible to the object with credentials
-.Fa u1
-if either
-.Fa u1
-is the super-user credential, or if
-.Fa u1
-and
-.Fa u2
-have the same real user ID.
-.Sh SYSCTL VARIABLES
-.Bl -tag -width indent
-.It Va security.bsd.see_other_uids
-Must be non-zero if objects with unprivileged credentials are to be
-able to see each other.
-.El
+.Va security.bsd.see_other_uids
+is set to zero.
+.Pp
+As usual, the superuser (effective user ID 0) is exempt from this policy
+provided that the
+.Xr sysctl 8
+variable
+.Va security.bsd.suser_enabled
+is non-zero and no active MAC policy explicitly denies the exemption
+.Po
+see
+.Xr priv_check_cred 9
+.Pc .
.Sh RETURN VALUES
-This function returns zero if the object with credential
+The
+.Fn cr_canseeotheruids
+function returns 0 if the policy is disabled, both credentials have the same
+real user ID, or if
.Fa u1
-can
-.Dq see
-the object with credential
-.Fa u2 ,
-or
-.Er ESRCH
-otherwise.
+has privilege exempting it from the policy.
+Otherwise, it returns
+.Er ESRCH .
.Sh SEE ALSO
-.Xr cr_canseeothergids 9 ,
-.Xr p_candebug 9
+.Xr cr_bsd_visible 9 ,
+.Xr priv_check_cred 9
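Review bot: the RETURN VALUES paragraph (`function returns 0 if the policy is disabled, both credentials have the same` / `real user ID, or if` / `has privilege exempting it from the policy.`) says u1 may hold a privilege exempting it from the policy but does not say which privilege is checked; either name the specific privilege or cross-reference priv_check_cred(9) at that point, as the DESCRIPTION already does, so a reader can verify the exemption path. Smaller points in the same hunk: the new `.Nd` line says the function determines whether subjects "may see" entities, while the DESCRIPTION says it checks whether a subject "is denied seeing" one; pick one sense so the one-line summary matches the return convention (0 for allowed, ESRCH for denied). "As usual" in the superuser paragraph is filler in a manual page and can be dropped. SEE ALSO drops cr_canseeothergids(9); if that page is kept alongside this one, retaining the cross-reference helps readers find the group-ID counterpart of this check.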
Attached to: D40635: cr_canseeotheruids(9): Revamp, mark as internal