Date: Fri, 10 Oct 2025 17:16:26 GMT
Message-Id: <202510101716.59AHGQWW009384@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Olivier Certner
Subject: git: 7d5b7157e919 - stable/14 - setgroups.2: Add SECURITY CONSIDERATIONS, rework
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: olce
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 7d5b7157e91970c11315d753c48aa6bdcd3aa9a2
Auto-Submitted: auto-generated

The branch stable/14 has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=7d5b7157e91970c11315d753c48aa6bdcd3aa9a2

commit 7d5b7157e91970c11315d753c48aa6bdcd3aa9a2
Author:     Olivier Certner
AuthorDate: 2025-08-29 15:10:22 +0000
Commit:     Olivier Certner
CommitDate: 2025-10-10 17:15:58 +0000

    setgroups.2: Add SECURITY CONSIDERATIONS, rework

    Add a new SECURITY CONSIDERATIONS section contrasting the current
    behavior with the new one in force starting from FreeBSD 15.

    Prefer a terminology referring to POSIX terms, i.e., use "effective
    group list" instead of "group access list".

    While here, fix some style.

    Fixes: 9da2fe96ff2e ("kern: fix setgroups(2) and getgroups(2) to match other platforms")
    Sponsored by: The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D52284

    (cherry picked from commit 6d22cd6b5f8b5604f1fe9e70930b1506f990e31e)

    As indicated in the original commit message, the manual page was
    specifically modified as stable/14's setgroups(2) still has the old
    behavior. The original commit message above was reworked to reflect
    the actual commit content.
---
 lib/libc/sys/setgroups.2 | 110 ++++++++++++++++++++++++++++++++++-------------
 1 file changed, 81 insertions(+), 29 deletions(-)
diff --git a/lib/libc/sys/setgroups.2 b/lib/libc/sys/setgroups.2 index a6109a9b5888..1131d4e4a0d4 100644 --- a/lib/libc/sys/setgroups.2 +++ b/lib/libc/sys/setgroups.2 @@ -1,5 +1,13 @@ +.\"- +.\" SPDX-License-Identifier: BSD-3-Clause +.\" .\" Copyright (c) 1983, 1991, 1993, 1994 .\" The Regents of the University of California. All rights reserved. +.\" Copyright (c) 2025 The FreeBSD Foundation +.\" +.\" Portions of this documentation were written by Olivier Certner +.\" at Kumacom SARL under sponsorship from the FreeBSD +.\" Foundation. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -27,12 +35,12 @@ .\" .\" @(#)setgroups.2 8.2 (Berkeley) 4/16/94 .\" -.Dd January 19, 2018 +.Dd October 10, 2025 .Dt SETGROUPS 2 .Os .Sh NAME .Nm setgroups -.Nd set group access list +.Nd set the calling process' effective groups .Sh LIBRARY .Lb libc .Sh SYNOPSIS 
@@ -43,35 +51,32 @@ .Sh DESCRIPTION The .Fn setgroups -system call -sets the group access list of the current user process -according to the array -.Fa gidset . +system call sets the calling process' effective group ID and supplementary +groups according to the +.Fa gidset +array. The .Fa ngroups -argument -indicates the number of entries in the array and must be no -more than +argument indicates the number of entries in the array and must be no more than .Dv {NGROUPS_MAX}+1 . .Pp -Only the super-user may set a new group list. -.Pp -The first entry of the group array +The effective group ID of the calling process is set to the first entry of the +.Fa gidset +array .Pq Va gidset[0] -is used as the effective group-ID for the process. -This entry is over-written when a setgid program is run. -To avoid losing access to the privileges of the -.Va gidset[0] -entry, it should be duplicated later in the group array. -By convention, -this happens because the group value indicated -in the password file also appears in -.Pa /etc/group . -The group value in the password file is placed in -.Va gidset[0] -and that value then gets added a second time when the -.Pa /etc/group -file is scanned to create the group set. +if +.Fa ngroups +is not zero. +The other entries are used to form the new supplementary groups set. +.Pp +The +.Fa ngroups +argument may be set to zero, in which case +.Fa gidset +is ignored, the effective group ID remains unchanged and all supplementary +groups are cleared. +.Pp +Only the super-user may install new effective groups. .Sh RETURN VALUES .Rv -std setgroups .Sh ERRORS 
@@ -88,16 +93,63 @@ argument is larger than the .Dv {NGROUPS_MAX}+1 limit. .It Bq Er EFAULT -The address specified for +Part of the groups array starting at .Fa gidset -is outside the process -address space. +is outside the process address space. .El .Sh SEE ALSO .Xr getgroups 2 , +.Xr setcred 2 , .Xr initgroups 3 .Sh HISTORY The .Fn setgroups system call appeared in .Bx 4.2 . +.Pp +Starting with +.Fx 15 , +the +.Fn setgroups +system call will change semantics. +It will not anymore change the effective group ID, but only the supplementary +groups set, which will be formed from the whole +.Fa gidset +array. +.Sh SECURITY CONSIDERATIONS +The +.Fn setgroups +system call currently sets the effective group ID to the first element of +.Fa gidset . +Starting with +.Fx 15 , +it will not do so anymore. +Programs that rely solely on +.Fn setgroups +to change the effective group ID will have to be modified. +For maximum compatibility, please make sure that some standard or traditional +function changing the effective group ID, such as +.Xr setgid 2 +or +.Xr setegid 2 , +is used in conjunction with +.Fn setgroups +.Pq this should always be the case for portable programs . +.Pp +Processes using functions to change their effective group ID +.Pq via Xr setgid 2 or similar +or that are spawned from executables with the set-group-ID mode bit set +relinquish the access rights deriving from being a member of the initial +effective group ID, unless this group ID is also included in the supplementary +groups. +As, starting with +.Fx 15 , +.Fn setgroups +will include the first element of +.Fa gidset +in the supplementary groups as the others, programs passing the effective group +ID in that slot will retain their former access rights in the above-mentioned +scenario. +This is in particular true for programs that use the +.Xr initgroups 3 +function.
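Review bot: in the @@ -27,12 +35,12 @@ hunk, the new .Nd line ("set the calling process' effective groups") uses the term "effective groups", while the commit message says the preferred term is "effective group list" and the DESCRIPTION text added by this patch speaks of "effective group ID and supplementary groups". Since .Nd is the text that apropos(1) and whatis(1) index, suggest settling on one term and using it in .Nd, in DESCRIPTION, and in the sentence "Only the super-user may install new effective groups".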
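Review bot: in the DESCRIPTION hunk (@@ -43,35 +51,32 @@), the removed sentence "To avoid losing access to the privileges of the gidset[0] entry, it should be duplicated later in the group array" has no replacement, although the commit message states that stable/14 keeps the old behavior, in which gidset[0] becomes the effective group ID and only "the other entries" form the supplementary groups set. Callers on this branch still need that advice, so consider keeping a one-sentence form of it in DESCRIPTION or referring explicitly to SECURITY CONSIDERATIONS from there. It would also help to state whether the ngroups == 0 case, which clears all supplementary groups, is covered by "Only the super-user may install new effective groups".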
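Review bot: in the SECURITY CONSIDERATIONS text added by the @@ -88,16 +93,63 @@ hunk, "is used in conjunction with setgroups" does not say in which order the calls must be made. With the behavior this page documents for stable/14, a setgroups() call with a non-zero ngroups sets the effective group ID to gidset[0], so a program that calls setgid(2) or setegid(2) first and setgroups() afterwards ends up with gidset[0] as its effective group ID. Suggest stating that the setgid(2)/setegid(2) call should follow setgroups(), an order that gives the intended result under both the current semantics and those announced for FreeBSD 15. Minor wording in the HISTORY addition: "It will not anymore change" reads better as "It will no longer change".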