https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271750
--- Comment #3 from [email protected] --- A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=9fcf54d3750e379868e51e4aa7fbf696877ab2ed commit 9fcf54d3750e379868e51e4aa7fbf696877ab2ed Author: Olivier Certner <[email protected]> AuthorDate: 2023-05-30 16:35:08 +0000 Commit: Olivier Certner <[email protected]> CommitDate: 2023-12-21 13:39:03 +0000 setusercontext(): Apply personal settings only on matching effective UID Commit 35305a8dc114 (r211393) added a check on whether 'uid' was equal to getuid() before calling setlogincontext(). Doing so still allows a setuid program to apply resource limits and priorities specified in a user-controlled configuration file ('~/.login_conf') where a non-setuid program could not. Plug the hole by checking instead that the process' effective UID is the target one (which is likely what was meant in the initial commit). PR: 271750 Reviewed by: kib, des Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40351 (cherry picked from commit 892654fe9b5a9115815c30a423b8db47185aebbd) Approved by: markj (mentor) lib/libutil/login_class.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- You are receiving this mail because: You are the assignee for the bug.
