https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271750
--- Comment #1 from [email protected] --- A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=892654fe9b5a9115815c30a423b8db47185aebbd commit 892654fe9b5a9115815c30a423b8db47185aebbd Author: Olivier Certner <[email protected]> AuthorDate: 2023-05-30 16:35:08 +0000 Commit: Ed Maste <[email protected]> CommitDate: 2023-10-10 01:47:10 +0000 setusercontext(): Apply personal settings only on matching effective UID Commit 35305a8dc114 (r211393) added a check on whether 'uid' was equal to getuid() before calling setlogincontext(). Doing so still allows a setuid program to apply resource limits and priorities specified in a user-controlled configuration file ('~/.login_conf') where a non-setuid program could not. Plug the hole by checking instead that the process' effective UID is the target one (which is likely what was meant in the initial commit). PR: 271750 Reviewed by: kib, des MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40351 lib/libutil/login_class.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- You are receiving this mail because: You are the assignee for the bug.
