From: Kirk McKusick
Date: Tue, 23 Jan 2018 22:18:45 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r328304 - in head/lib/libc: gen sys

Author: mckusick
Date: Tue Jan 23 22:18:45 2018
New Revision: 328304
URL: https://svnweb.freebsd.org/changeset/base/328304

Log:
  In the C library, the setting up of the group array by various
  utilities is done by calling gr_addgid() for each group to be added
  (usually found by traversing /etc/group) then calling the setgroups()
  system call after the group set has been created.

  The gr_addgid() function (helpfully?) deduplicates the addition of
  group members. So, if you call it to add a group member that already
  exists, it is just dropped.

  Because group[0] is the effective group-ID and is over-written when a
  setgid program is run, the value in group[0] is usually duplicated so
  that group value is not lost when a setgid program is run.

  Historically this happened because the group value indicated in the
  password file also appears in /etc/group (e.g., if you are group staff
  in the password file, you will also appear in the staff line in
  /etc/group). But, with the addition of the deduplication, the attempt
  to add group staff was lost because it already appeared in group[0].
  So, the fix is to deduplicate starting from group[1] which allows a
  duplicate of the entry in group[0], but not in later entries.
  There is some confusion about the setgroups system call because in BSD
  it has (always) set the entire group including the egid group (in
  group[0]). However, in Linux, it skips over group[0] and starts setting
  from group[1]. See this comment from linux_setgroups:

      /*
       * cr_groups[0] holds egid. Setting the whole set from
       * the supplied set will cause egid to be changed too.
       * Keep cr_groups[0] unchanged to prevent that.
       */

  To make it clear what the BSD setgroups system call does, I added the
  following paragraph to the setgroups(2) manual page:

      The first entry of the group array (gidset[0]) is used as the
      effective group-ID for the process. This entry is over-written
      when a setgid program is run. To avoid losing access to the
      privileges of the gidset[0] entry, it should be duplicated later
      in the group array. By convention, this happens because the group
      value indicated in the password file also appears in /etc/group.
      The group value in the password file is placed in gidset[0] and
      that value then gets added a second time when the /etc/group file
      is scanned to create the group set.

  Reported by: Paul McMath paulm at tetrardus.net
  Reviewed by: kib
  MFC after: 2 weeks

Modified:
  head/lib/libc/gen/getgrent.c
  head/lib/libc/sys/setgroups.2

Modified: head/lib/libc/gen/getgrent.c ============================================================================== --- head/lib/libc/gen/getgrent.c Tue Jan 23 21:36:26 2018 (r328303) +++ head/lib/libc/gen/getgrent.c Tue Jan 23 22:18:45 2018 (r328304) @@ -436,7 +436,7 @@ gr_addgid(gid_t gid, gid_t *groups, int maxgrp, int *g { int ret, dupc; - for (dupc = 0; dupc < MIN(maxgrp, *grpcnt); dupc++) { + for (dupc = 1; dupc < MIN(maxgrp, *grpcnt); dupc++) { if (groups[dupc] == gid) return 1; } Modified: head/lib/libc/sys/setgroups.2 ============================================================================== --- head/lib/libc/sys/setgroups.2 Tue Jan 23 21:36:26 2018 (r328303) +++ head/lib/libc/sys/setgroups.2 Tue Jan 23 22:18:45 2018 (r328304) 
@@ -56,6 +56,23 @@ more than .Dv {NGROUPS_MAX}+1 . .Pp Only the super-user may set a new group list. +.Pp +The first entry of the group array +.Pq Va gidset[0] +is used as the effective group-ID for the process. +This entry is over-written when a setgid program is run. +To avoid losing access to the privileges of the +.Va gidset[0] +entry, it should be duplicated later in the group array. +By convention, +this happens because the group value indicated +in the password file also appears in +.Pa /etc/group . +The group value in the password file is placed in +.Va gidset[0] +and that value then gets added a second time when the +.Pa /etc/group +file is scanned to create the group set. .Sh RETURN VALUES .Rv -std setgroups .Sh ERRORS
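
Review bot: In the getgrent.c hunk, the loop in gr_addgid() now starts at dupc = 1 with no comment saying why groups[0] is left out of the duplicate scan, so a later reader can easily take the 1 for an off-by-one and put the 0 back. A short comment above the for loop, saying that groups[0] holds the effective group-ID and that one copy of it is deliberately allowed later in the array, would keep the reasoning next to the code instead of only in the commit log.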
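
Review bot: In the setgroups.2 hunk, the added paragraph says the gidset[0] entry "should be duplicated later in the group array" without saying who does the duplicating; the "By convention" sentences only cover a set built from the password file and the /etc/group scan. A sentence stating that a caller who fills gidset by hand has to add the second copy itself would make the requirement explicit. The same paragraph uses "over-written", which could be written "overwritten".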
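
The behaviour the log message describes, as an added C model that is not part of the commit or of libc: `add_gid`, `build_set`, `staff_kept` and the sample gids are hypothetical, and `start` selects the old duplicate scan from index 0 or the fixed scan from index 1.

```c
#include <stdio.h>
#include <sys/types.h>
#define MAXGRP 16

/* Constructed sample: the passwd gid is 20 ("staff"), /etc/group lists the
 * user under 20, 0 and 5, and the setgid binary belongs to gid 4. */
static const gid_t PW_GID = 20, EXEC_GID = 4;
static const gid_t MEMBER_OF[] = { 20, 0, 5, 20 };
#define NMEMBER ((int)(sizeof(MEMBER_OF) / sizeof(MEMBER_OF[0])))

/* Model of the dedup step: start = 0 is the old scan, 1 the fixed one. */
static void add_gid(gid_t gid, gid_t *groups, int *cnt, int start)
{
	for (int i = start; i < *cnt; i++)
		if (groups[i] == gid)
			return;			/* duplicate: dropped */
	if (*cnt < MAXGRP)
		groups[(*cnt)++] = gid;
}

/* The passwd gid goes in groups[0]; the /etc/group scan adds the rest. */
int build_set(gid_t *groups, int start)
{
	int cnt = 0;
	groups[cnt++] = PW_GID;
	for (int i = 0; i < NMEMBER; i++)
		add_gid(MEMBER_OF[i], groups, &cnt, start);
	return cnt;
}

/* A setgid exec overwrites groups[0]: is PW_GID still in the set after? */
int staff_kept(int start)
{
	gid_t groups[MAXGRP];
	int cnt = build_set(groups, start);
	groups[0] = EXEC_GID;
	for (int i = 0; i < cnt; i++)
		if (groups[i] == PW_GID)
			return 1;
	return 0;
}

int main(void)
{
	gid_t g[MAXGRP];
	printf("scan from 0: %d entries, staff kept: %d\n", build_set(g, 0), staff_kept(0));
	printf("scan from 1: %d entries, staff kept: %d\n", build_set(g, 1), staff_kept(1));
	return 0;
}
```

With the scan starting at 1 the set keeps exactly one extra copy of the gid in `groups[0]`; the second `20` in the sample membership list is still dropped.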