Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NAS-133651 / 25.04 / Reduce situations in which hard-coded root privilege returned #15430

Merged
merged 1 commit into from
Jan 20, 2025
Merged

NAS-133651 / 25.04 / Reduce situations in which hard-coded root privilege returned #15430

merged 1 commit into from
Jan 20, 2025

Conversation

anodos325
Copy link
Contributor

We should only return the wildcard allowlist when the root unix domain socket session is not created by an interactive shell session. This is achieved by storing the loginuid for the middleware client pid and checking as part of the check_permission call.

This ensures that STIG restrictions are properly evaluated for users who use midclt, midcli, etc from shell.

@anodos325 anodos325 added the jira label Jan 18, 2025
@anodos325 anodos325 requested a review from a team January 18, 2025 20:23
@bugclerk bugclerk changed the title Reduce situations in which hard-coded root privilege returned NAS-133651 / 25.04 / Reduce situations in which hard-coded root privilege returned Jan 18, 2025
@bugclerk
Copy link
Contributor

Jira URL: https://ixsystems.atlassian.net/browse/NAS-133651

@anodos325
Reduce situations in which hard-coded root privilege returned
b620c2e 
We should only return the wildcard allowlist when the root
unix domain socket session is not created by an interactive
shell session. This is achieved by storing the loginuid for
the middleware client pid and checking as part of the
check_permission call.

This ensures that STIG restrictions are properly evaluated for
users who use midclt, midcli, etc from shell.
@anodos325 anodos325 force-pushed the reduce-root-privilege branch from 066828c to b620c2e Compare January 20, 2025 20:16
@anodos325 anodos325 merged commit 14bbe82 into master Jan 20, 2025
2 checks passed
@anodos325 anodos325 deleted the reduce-root-privilege branch January 20, 2025 20:27
@bugclerk
Copy link
Contributor

This PR has been merged and conversations have been locked.
If you would like to discuss more about this issue please use our forums or raise a Jira ticket.

@truenas truenas locked as resolved and limited conversation to collaborators Jan 20, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@bmeagherix bmeagherix bmeagherix approved these changes

@mgrimesix mgrimesix Awaiting requested review from mgrimesix

Assignees
No one assigned
Labels
jira no-time-tracked
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@anodos325 @bugclerk @bmeagherix