https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271750
--- Comment #2 from [email protected] --- A commit in branch stable/14 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=ede6fd06726c02e9d2a5c47ac8cf80d8aaec5a70 commit ede6fd06726c02e9d2a5c47ac8cf80d8aaec5a70 Author: Olivier Certner <[email protected]> AuthorDate: 2023-05-30 16:35:08 +0000 Commit: Ed Maste <[email protected]> CommitDate: 2023-10-24 00:57:11 +0000 setusercontext(): Apply personal settings only on matching effective UID Commit 35305a8dc114 (r211393) added a check on whether 'uid' was equal to getuid() before calling setlogincontext(). Doing so still allows a setuid program to apply resource limits and priorities specified in a user-controlled configuration file ('~/.login_conf') where a non-setuid program could not. Plug the hole by checking instead that the process' effective UID is the target one (which is likely what was meant in the initial commit). PR: 271750 Reviewed by: kib, des MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40351 (cherry picked from commit 892654fe9b5a9115815c30a423b8db47185aebbd) lib/libutil/login_class.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- You are receiving this mail because: You are the assignee for the bug.
