To: freebsd-hackers@freebsd.org
From: Ivan Radovanovic
Subject: About setgid, setgroups and supplemental groups
Date: Mon, 12 Mar 2018 20:59:01 +0100

I was working on a simple program which should drop some (ordinary) user privileges and complete its work while keeping the permissions of only one group the user is in, when I discovered that FreeBSD doesn't actually behave the way I expected (actually I didn't find a way to achieve this at all in FreeBSD).

The problem is:
- there is user A, member of groups B, C, D. The program should run with credentials of only group C (A != root).

I expected that setgid(2) would always succeed for root, and succeed for an ordinary user if the user was a member of the requested group, but I kept getting EPERM.

While checking the documentation I found to my surprise that setgid behaves exactly like setuid(2) (a normal user can switch only to his primary group, the superuser can do whatever he wants). Also, from the documentation it is very difficult to understand what the exact relation is between setgroups(2) and setgid(2) on FreeBSD (if any); for example, Linux manual pages say explicitly that setgid has no interaction whatsoever with supplemental groups, while AIX manual pages explicitly say that a user is allowed to setgid to any of his supplemental groups (so obviously both approaches are in use). Documentation for setgroups(2) explicitly states that only root can use it, so apparently a normal user can't use it to restrict group permissions for a running program.

I would be very grateful if somebody could explain why it was chosen not to allow setgid to other real user's groups (sounds like an illogical thing to do), or if there is some other mechanism to achieve the same in FreeBSD (preferably completely in code, without playing with file permissions).

Kind regards,
Ivan
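
Added example, not part of the original message: a C program for the privileged route the message mentions (the superuser may call setgroups(2) and setgid(2)), assuming the program is started as root and then drops to user A with only group C. The names `holds_only_group` and `drop_to_single_group` are hypothetical; the drop replaces the supplementary list, then the gid, then the uid, and checks the outcome with getgroups(2).

```c
#define _DEFAULT_SOURCE          /* exposes setgroups() on glibc; harmless on FreeBSD */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if the real gid, effective gid and every supplementary group equal g. */
int holds_only_group(gid_t g)
{
    if (getgid() != g || getegid() != g)
        return 0;
    int n = getgroups(0, NULL);              /* ask for the list size */
    gid_t *list = n < 0 ? NULL : calloc((size_t)n + 1, sizeof *list);
    if (list == NULL)
        return 0;
    n = getgroups(n, list);
    int ok = (n >= 0);
    for (int i = 0; ok && i < n; i++)
        ok = (list[i] == g);
    free(list);
    return ok;
}

/* Hypothetical helper; assumes root. Order matters: groups, gid, uid last. */
int drop_to_single_group(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;                           /* errno set by the failing call */
    if (getuid() != uid || geteuid() != uid || !holds_only_group(gid)) {
        errno = EPERM;                       /* drop did not take effect */
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3)
        return 2;                            /* usage: prog <uid-of-A> <gid-of-C> */
    if (drop_to_single_group((uid_t)atol(argv[1]), (gid_t)atol(argv[2])) != 0) {
        perror("drop_to_single_group");
        return 1;
    }
    printf("now uid=%d gid=%d, no other groups\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Run without root, the first call (setgroups) fails and the program reports the error instead of continuing with the wider group set.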