Date: Wed, 17 Sep 2025 12:19:18 GMT
Message-Id: <202509171219.58HCJI1N086154@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Olivier Certner
Subject: git: 6d22cd6b5f8b - main - setgroups.2: Add SECURITY CONSIDERATIONS, fix the groups limit, rework
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: olce
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 6d22cd6b5f8b5604f1fe9e70930b1506f990e31e

The branch main has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=6d22cd6b5f8b5604f1fe9e70930b1506f990e31e

commit 6d22cd6b5f8b5604f1fe9e70930b1506f990e31e
Author:     Olivier Certner
AuthorDate: 2025-08-29 15:10:22 +0000
Commit:     Olivier Certner
CommitDate: 2025-09-17 12:16:07 +0000

setgroups.2: Add SECURITY CONSIDERATIONS, fix the groups limit, rework

Add a new SECURITY CONSIDERATIONS section describing in detail what the
new behavior is after commit 9da2fe96ff2e ("kern: fix setgroups(2) and
getgroups(2) to match other platforms"), what setgroups(2) does not do
anymore, and how programs using it are affected.

Fix the groups limit after commit 9da2fe96ff2e ("kern: fix setgroups(2)
and getgroups(2) to match other platforms").

Prefer a terminology referring to POSIX terms, i.e., use "effective
group list" instead of "group access list".

While here, fix some style.

Note for MFC to stable/14: The content will have to be revised as the
new behavior is not in place. The latter should still be mentioned as
upcoming in 15.

Fixes: 9da2fe96ff2e ("kern: fix setgroups(2) and getgroups(2) to match other platforms") MFC after: 5 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D52284 --- lib/libsys/setgroups.2 | 99 ++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 83 insertions(+), 16 deletions(-) diff --git a/lib/libsys/setgroups.2 b/lib/libsys/setgroups.2 index 451f63ba1266..0ec99507cfb0 100644 --- a/lib/libsys/setgroups.2 +++ b/lib/libsys/setgroups.2 @@ -1,5 +1,13 @@ +.\"- +.\" SPDX-License-Identifier: BSD-3-Clause +.\" .\" Copyright (c) 1983, 1991, 1993, 1994 .\" The Regents of the University of California. All rights reserved. +.\" Copyright (c) 2025 The FreeBSD Foundation +.\" +.\" Portions of this documentation were written by Olivier Certner +.\" at Kumacom SARL under sponsorship from the FreeBSD +.\" Foundation. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -25,12 +33,12 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd August 1, 2025 +.Dd September 17, 2025 .Dt SETGROUPS 2 .Os .Sh NAME .Nm setgroups -.Nd set group access list +.Nd set the calling process' supplementary groups .Sh LIBRARY .Lb libc .Sh SYNOPSIS 
@@ -41,21 +49,21 @@ .Sh DESCRIPTION The .Fn setgroups -system call -sets the supplementary group list of the current user process -according to the array -.Fa gidset . +system call sets the calling process' supplementary groups according to the +.Fa gidset +array. The .Fa ngroups -argument -indicates the number of entries in the array and must be no -more than +argument indicates the number of entries in the array and must be no more than .Dv {NGROUPS_MAX} . +.Pp The .Fa ngroups -argument may be set to 0 to clear the supplementary group list. +argument may be set to zero to clear all supplementary groups, in which case +.Fa gidset +is ignored. .Pp -Only the super-user may set a new supplementary group list. +Only the super-user may install a new supplementary groups set. .Sh RETURN VALUES .Rv -std setgroups .Sh ERRORS @@ -69,16 +77,16 @@ The caller is not the super-user. The number specified in the .Fa ngroups argument is larger than the -.Dv {NGROUPS_MAX}+1 +.Dv {NGROUPS_MAX} limit. .It Bq Er EFAULT -The address specified for +Part of the groups array starting at .Fa gidset -is outside the process -address space. +is outside the process address space. .El .Sh SEE ALSO .Xr getgroups 2 , +.Xr setcred 2 , .Xr initgroups 3 .Sh HISTORY The 
@@ -92,4 +100,63 @@ the .Fn setgroups system call would set the effective group ID for the process to the first element of -.Fa gidset . +.Fa gidset , +and only the other elements as supplementary groups. +Despite treating the first element as the effective group ID to set, it accepted +an empty +.Fa gidset +.Po +.Fa ngroups +being zero +.Pc +as a stance requiring to drop all supplementary groups, leaving the effective +group ID unchanged. +.Sh SECURITY CONSIDERATIONS +The +.Fn setgroups +system call sets the process' supplementary groups to those contained in the +.Fa gidset +array. +In particular, as evoked in +.Sx HISTORY , +it does not anymore treat the first element of +.Fa gidset +separately. +Formerly, it would set it as the effective group ID while only the others were +used as supplementary groups. +.Pp +Programs solely relying on +.Fn setgroups +to change the effective group ID must be modified, e.g., to also call +.Xr setegid 2 +or to instead use +.Xr setcred 2 , +else they will unwillingly keep their effective group ID. +.Pp +Programs using +.Fn setgroups +with the effective group ID as the first element of array +.Fa gidset +and not duplicating it in the rest of the array, which includes those using +.Fn initgroups , +now insert this group ID in the supplementary groups set. +This is in general desirable, as explained in the +.Xr initgroups 3 +manual page, and has the consequence that subsequent process' effective group +ID's changes do not remove membership of the original effective group ID, since +these changes do not affect the supplementary groups. +Applications that expressly do not want that must be modified to stop passing +the effective group ID as the first element to +.Fn setgroups . +.Pp +To clear all the calling process' supplementary groups, always use the statement +.Bd -literal -offset indent +setgroups(0, NULL); +.Ed +.Pp +which works also on older FreeBSD version +.Po +see the +.Sx HISTORY +section +.Pc .
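
Review bot: The SPDX-License-Identifier and "Copyright (c) 2025 The FreeBSD Foundation" lines added in the file header (hunk @@ -1,5 +1,13) are not mentioned in the commit message, which lists only the new section, the limit fix, the terminology change and style fixes. License and copyright additions deserve their own line in the log so they can be found when the file's history is audited.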
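
Review bot: The new .Nd line (hunk @@ -25,12 +33,12) uses "supplementary groups", but the commit message says the preferred replacement for "group access list" is "effective group list", a term that appears in none of the added lines. Either the commit message or the page wording should be adjusted so the two agree. The page itself also alternates between "supplementary groups" and "supplementary groups set"; picking one would help readers searching the manual.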
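
Review bot: DESCRIPTION (hunk @@ -41,21 +49,21) never states that the call leaves the effective group ID untouched; that is only said further down, in HISTORY and SECURITY CONSIDERATIONS. Since this is the behavior change that can leave a program running with a group it meant to drop, one sentence here, right after the paragraph on ngroups being zero, would put it where most readers stop reading. The text also does not say whether duplicate entries in gidset are accepted, although SECURITY CONSIDERATIONS talks about callers "not duplicating" the effective group ID in the array.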
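
Review bot: The reworded EFAULT entry (hunk @@ -69,16 +77,16) does not exclude the case where ngroups is zero, although DESCRIPTION now says gidset is ignored in that case and SECURITY CONSIDERATIONS recommends calling setgroups(0, NULL). Suggest qualifying it, for example "Part of the groups array starting at gidset is outside the process address space and ngroups is not zero". The EINVAL limit change from {NGROUPS_MAX}+1 to {NGROUPS_MAX} is consistent with the "no more than {NGROUPS_MAX}" wording in DESCRIPTION.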
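
Review bot: The literal example at the end of SECURITY CONSIDERATIONS (hunk @@ -92,4 +100,63), "setgroups(0, NULL);", discards the return value, and readers will copy it as is. ERRORS lists EPERM for callers that are not the super-user, so a program that calls this after it has already given up privileges would fail silently and keep every supplementary group; the example should test for -1 and bail out, e.g. "if (setgroups(0, NULL) == -1) err(1, "setgroups");". The paragraph on programs relying on setgroups() to change the effective group ID would likewise benefit from saying that the setegid(2) result must be checked. Wording in the same hunk: "as a stance requiring to drop" reads better as "as a request to drop", "as evoked in" as "as mentioned in", "does not anymore treat" as "no longer treats", "unwillingly keep" as "unintentionally keep", and "older FreeBSD version" should be plural.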