From nobody Sun Apr 12 13:44:07 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ftsG017GFz6ZM5d for ; Sun, 12 Apr 2026 13:44:08 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4ftsFz4RClz3kNl for ; Sun, 12 Apr 2026 13:44:07 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1776001447; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=FCLIilqGxa/7G8/yUfZO5bMCllpoz7gmZpoHeCYgVhY=; b=uQU36dEviUcdi+ru9JYn1ikLPXO5jIxLFGvagmrCvW0Z65HY7ov/zte3vO+vLo/Qk44+QJ U03lMKOv9XeSEsA6RjLWols9E+N3QZysqWDZwiLvk6Kg3skS1Q40emFcvWLeq2mOnFxvvQ i6OpUo1FRgZ3CpcbkZ8eb4KIU81sZzujzo7LvvbALau7+FH+tedyWPSqkz/xPvuvFj7o9Q QUDO4fA1RwbfB0wsQ9Qkv/QtIgea1wbe9SRU0OC7mwNaX7Va17Lt68clYvnsjMVd8pdaKa yR63mIKm71XaixYjUGeVGQg+7rHHOUZSpJz5rBUIpK3SuXfZDCmn0QGxCZmt3A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1776001447; a=rsa-sha256; cv=none; b=EmP9WcXVAVKnslG5TUIBZvRoT7DDjVeh41M5nlfk1MTgDa9DOEdOdULrw4KSSqXsQvGlH4 mWcBo0lX51uGfu7/yXKkPILoKA1hPkf9cHoNQBAgCCuV5QKSvMIdAXSUtejpMQCq1h5wrb DXvHAa27Q8eWJgAf0e6QVKtfRNSYQ1zBII/Ly5LLmkNjizmVa1M8Xxd75OuBayxyLuABeQ gRhOsrbAcOhaW9bi+E90HJLZiiHG2p5NN7IVy5S+namYvI21ZNzz1ERURxa182ygw1Mekm 89RWmCJhMIvMGAsvwR0HFxrIsFKroA38oVIgsZv0I9N24bk5V2ozW7kS8zfJ7w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1776001447; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=FCLIilqGxa/7G8/yUfZO5bMCllpoz7gmZpoHeCYgVhY=; b=a4FDZi0iJc5ojm3JG9hs1CB9pMgoZpLx+8Kb+2Qt0/M7HSkmSY647nfiYvYPRsjXoASCBu xEDP0QSBuG1TqrcGyk7MA8kIhPFIKkZ7UOHieR/p6JpEchhs4ho3RhLlx3Q4TIm0Op7dwZ lJLwdz6/7u9A8ektzPNyDlJsWvpR5L/2gN4CIKGS0Hq9gBJ2RwyugLthgYkhptsohjHgbb AQsakMs1IUi96SzhWdzKQ4K4XnPxQtTHGOhUcE+Tg24wZM7CHD2ELSUUEPtghmzl6zRtPP 8waja2gS7yfmrDTrXGMWxh+FjHW6Ud0aePKzyQLVijfJYGYdNO+ROaAaHMlG+Q== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4ftsFz3fsfz4NV for ; Sun, 12 Apr 2026 13:44:07 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 42439 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Sun, 12 Apr 2026 13:44:07 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kyle Evans Subject: git: 3c3228a5275a - stable/14 - ssh: sshd-session: properly save off the privileged gid List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 3c3228a5275a3eda0f73aa24a8f24950f3b4823c Auto-Submitted: auto-generated Date: Sun, 12 Apr 2026 13:44:07 +0000 Message-Id: <69dba1a7.42439.1f5e52e4@gitrepo.freebsd.org> The branch stable/14 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=3c3228a5275a3eda0f73aa24a8f24950f3b4823c commit 3c3228a5275a3eda0f73aa24a8f24950f3b4823c Author: Kyle Evans AuthorDate: 2025-08-09 16:01:57 +0000 Commit: Kyle Evans CommitDate: 2026-04-12 13:43:36 +0000 ssh: sshd-session: properly save off the privileged gid Current and traditional FreeBSD behavior means that getegid() here is the first element in the prior setgroups() call, if any, so we may inadvertently wipe out our rgid with the unprivileged gid. This is rendered somewhat harmless by the fact that we're losing the privileged gid -- we'll still regain it as the egid in restore_uid() later by way of restoring saved_egroups, rather than by intentionally restoring it from getgid(). This will be promptly reverted if we can get setgroups(2)/getgroups(2) changed in FreeBSD 15.0, but it seemed wise to get this technically correct for previous branches. Reviewed by: jlduran (cherry picked from commit 239e8c98636a7578cc67a6f9d54d14c71b095e36) --- crypto/openssh/uidswap.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/crypto/openssh/uidswap.c b/crypto/openssh/uidswap.c index 6ed3024d0180..0143f4994611 100644 --- a/crypto/openssh/uidswap.c +++ b/crypto/openssh/uidswap.c @@ -14,6 +14,9 @@ #include "includes.h" +#ifdef __FreeBSD__ +#include +#endif #include #include #include @@ -121,8 +124,20 @@ temporarily_use_uid(struct passwd *pw) fatal("setgroups: %.100s", strerror(errno)); #ifndef SAVED_IDS_WORK_WITH_SETEUID /* Propagate the privileged gid to all of our gids. */ +#ifdef __FreeBSD__ + /* + * FreeBSD traditionally includes the egid as the first element. If we + * use getegid() here then we effectively propagate user_groups[0], + * which is probably pw->pw_gid. Fix it to work as intended by using + * the egid we already have stashed off. + */ + assert(saved_egroupslen > 0); + if (setgid(saved_egroups[0]) == -1) + debug("setgid %u: %.100s", (u_int) saved_egroups[0], strerror(errno)); +#else if (setgid(getegid()) == -1) debug("setgid %u: %.100s", (u_int) getegid(), strerror(errno)); +#endif /* Propagate the privileged uid to all of our uids. */ if (setuid(geteuid()) == -1) debug("setuid %u: %.100s", (u_int) geteuid(), strerror(errno));