<table class="head">
<tr>
<td class="head-ltitle">CR_CANSEEOTHERGIDS(9)</td>
<td class="head-vol">Kernel Developer's Manual</td>
<td class="head-rtitle">CR_CANSEEOTHERGIDS(9)</td>
</tr>
</table>
<div class="manual-text">
<section class="Sh">
<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
<p class="Pp"><code class="Nm">cr_canseeothergids</code> —
<span class="Nd">determine if subjects may see entities in a disjoint group
set</span></p>
</section>
<section class="Sh">
<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1>
<p class="Pp"><var class="Ft">int</var>
<br/>
<code class="Fn">cr_canseeothergids</code>(<var class="Fa" style="white-space: nowrap;">struct
ucred *u1</var>, <var class="Fa" style="white-space: nowrap;">struct ucred
*u2</var>);</p>
</section>
<section class="Sh">
<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
<div class="Bf Em">This function is internal. Its functionality is integrated
into the function <a class="Xr">cr_bsd_visible(9)</a>, which should be called
instead.</div>
<p class="Pp">This function checks if a subject associated with credentials
<var class="Fa">u1</var> is denied seeing a subject or object associated with
credentials <var class="Fa">u2</var> by a policy that requires both
credentials to have at least one group in common. For this determination,
the real and supplementary group IDs are used, but not the effective group
IDs, as per <a class="Xr">realgroupmember(9)</a>.</p>
<p class="Pp">This policy is active if and only if the
<a class="Xr">sysctl(8)</a> variable
<var class="Va">security.bsd.see_other_gids</var> is set to zero.</p>
<p class="Pp">As usual, the superuser (effective user ID 0) is exempt from this
policy provided that the <a class="Xr">sysctl(8)</a> variable
<var class="Va">security.bsd.suser_enabled</var> is non-zero and no active
MAC policy explicitly denies the exemption (see
<a class="Xr">priv_check_cred(9)</a>).</p>
</section>
<section class="Sh">
<h1 class="Sh" id="RETURN_VALUES"><a class="permalink" href="#RETURN_VALUES">RETURN
VALUES</a></h1>
<p class="Pp">The <code class="Fn">cr_canseeothergids</code>() function returns
0 if the policy is disabled, if the credentials share at least one common
group, or if <var class="Fa">u1</var> has a privilege exempting it from the
policy. Otherwise, it returns <code class="Er">ESRCH</code>.</p>
</section>
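<p class="Pp">The decision described above, as an added userland model that is not FreeBSD kernel source. The names <code>model_cred</code>, <code>model_policy</code>, <code>mac_denies_exemption</code> and the sample credentials are hypothetical; the sample shows that a matching effective GID alone does not make two credentials visible to each other.</p>

```c
/* Userland model of the documented policy; not FreeBSD kernel source. */
#include <errno.h>
#include <stddef.h>

struct model_cred {            /* hypothetical stand-in for struct ucred */
    unsigned euid, egid, rgid; /* egid is stored but never consulted */
    unsigned supp[4];          /* supplementary group IDs */
    size_t nsupp;
};
struct model_policy {
    int see_other_gids;        /* security.bsd.see_other_gids */
    int suser_enabled;         /* security.bsd.suser_enabled */
    int mac_denies_exemption;  /* assumed flag: a MAC policy vetoes the exemption */
};

/* Constructed samples: {euid, egid, rgid, supp, nsupp}. carol shares only an egid. */
const struct model_cred alice = {1001, 100, 100, {200}, 1};
const struct model_cred bob   = {1002, 300, 300, {200}, 1};
const struct model_cred carol = {1003, 100, 400, {0}, 0};
const struct model_cred root  = {0, 0, 0, {0}, 0};

/* Membership by real or supplementary GID only, never the effective GID. */
static int real_member(unsigned gid, const struct model_cred *c)
{
    int hit = (gid == c->rgid);
    for (size_t i = 0; i < c->nsupp; i++)
        hit |= (c->supp[i] == gid);
    return hit;
}

static int share_group(const struct model_cred *u1, const struct model_cred *u2)
{
    int hit = real_member(u2->rgid, u1);
    for (size_t i = 0; i < u2->nsupp; i++)
        hit |= real_member(u2->supp[i], u1);
    return hit;
}

/* Returns 0 when u1 may see u2, ESRCH when the policy hides u2 from u1. */
int model_canseeothergids(const struct model_policy *p,
    const struct model_cred *u1, const struct model_cred *u2)
{
    if (p->see_other_gids != 0 || share_group(u1, u2))
        return 0;              /* policy disabled, or a common group exists */
    if (u1->euid == 0 && p->suser_enabled != 0 && !p->mac_denies_exemption)
        return 0;              /* superuser exemption applies */
    return ESRCH;
}
```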
<section class="Sh">
<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
ALSO</a></h1>
<p class="Pp"><a class="Xr">cr_bsd_visible(9)</a>,
<a class="Xr">priv_check_cred(9)</a>,
<a class="Xr">realgroupmember(9)</a></p>
</section>
</div>
<table class="foot">
<tr>
<td class="foot-date">August 18, 2023</td>
<td class="foot-os">FreeBSD 15.0</td>
</tr>
</table>