Date: Mon, 12 Mar 2018 20:59:01 +0100
From: Ivan Radovanovic <radovanovic@gmail.com>
To: freebsd-hackers@freebsd.org
Subject: About setgid, setgroups and supplemental groups
Message-ID: <f0828127-baf3-e1c7-ef02-4b90c7513c68@gmail.com>
I was working on a simple program which should drop some (ordinary) user privileges and complete its work while keeping the permissions of only one group the user is in, when I discovered that FreeBSD doesn't actually behave the way I expected (actually I didn't find a way to achieve this at all in FreeBSD).

The problem is:
- there is user A, member of groups B, C, D. The program should run with credentials of only group C (A != root).

I expected that setgid(2) would always succeed for root, and succeed for an ordinary user if the user was a member of the requested group, but I kept getting EPERM. While checking the documentation I found to my surprise that setgid behaves exactly like setuid(2) (a normal user can switch only to his primary group, the superuser can do whatever he wants).

Also, from the documentation it is very difficult to understand what the exact relation is between setgroups(2) and setgid(2) on FreeBSD (if any); for example, Linux manual pages say explicitly that setgid has no interaction whatsoever with supplemental groups, while AIX manual pages explicitly say that a user is allowed to setgid to any of his supplemental groups (so obviously both approaches are in use). Documentation for setgroups(2) explicitly states that only root can use it, so apparently a normal user can't use it to restrict group permissions for a running program.

I would be very grateful if somebody could explain why it was chosen not to allow setgid to other real user's groups (sounds like an illogical thing to do), or if there is some other mechanism to achieve the same in FreeBSD (preferably completely in code, without playing with file permissions).

Kind regards,
Ivan
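An added example, not part of the original message: a small C probe that tries setgid(2) on each of the caller's supplementary groups in a forked child and reports the resulting errno, so the behaviour described above can be observed on a given system. The function name probe_setgid, the 1024-entry buffer and the output format are assumptions of this example.

```c
/* Added example: report which of this process's groups setgid(2) accepts. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Try setgid(target) in a forked child so the caller's own credentials
 * stay untouched. Returns 0 if the call was allowed, the child's errno
 * (for example EPERM) if it was refused, or -1 if the probe could not run. */
int probe_setgid(gid_t target)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: pass the outcome back through the exit status. */
        _exit(setgid(target) == 0 ? 0 : (errno & 0xff));
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    gid_t groups[1024];   /* assumed large enough for this example */
    int n = getgroups(1024, groups);

    if (n < 0) {
        perror("getgroups");
        return 1;
    }
    printf("uid=%ld rgid=%ld egid=%ld\n",
           (long)getuid(), (long)getgid(), (long)getegid());
    /* One line per group in the process's group list. */
    for (int i = 0; i < n; i++) {
        int rc = probe_setgid(groups[i]);
        printf("setgid(%ld): %s\n", (long)groups[i],
               rc == 0 ? "allowed" : rc > 0 ? strerror(rc) : "probe failed");
    }
    return 0;
}
```

Run it as the unprivileged user in question; a line ending in "Operation not permitted" corresponds to the EPERM reported in the message.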