path: root/lib/libsys/setgroups.2
Age | Commit message | Author
2025-09-17 | setgroups.2: Add SECURITY CONSIDERATIONS, fix the groups limit, rework | Olivier Certner
Add a new SECURITY CONSIDERATIONS section describing in detail what the new behavior is after commit 9da2fe96ff2e ("kern: fix setgroups(2) and getgroups(2) to match other platforms"), what setgroups(2) does not do anymore, and how programs using it are affected.

Fix the groups limit after commit 9da2fe96ff2e ("kern: fix setgroups(2) and getgroups(2) to match other platforms").

Prefer a terminology referring to POSIX terms, i.e., use "effective group list" instead of "group access list".

While here, fix some style.

Note for MFC to stable/14: The content will have to be revised as the new behavior is not in place. The latter should still be mentioned as upcoming in 15.

Fixes: 9da2fe96ff2e ("kern: fix setgroups(2) and getgroups(2) to match other platforms")
MFC after: 5 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52284
2025-08-14 | kern: fix setgroups(2) and getgroups(2) to match other platforms | Kyle Evans
On most other platforms observed, including OpenBSD, NetBSD, and Linux, these system calls have long since been converted to only touching the supplementary groups of the process. This poses both portability and security concerns in porting software to and from FreeBSD, as this subtle difference is a landmine waiting to happen. Bugs have been discovered even in FreeBSD-local sources, since this behavior is somewhat unintuitive (see, e.g., fix 48fd05999b0f for chroot(8)).

Now that the egid is tracked outside of cr_groups in our ucred, convert the syscalls to deal with only supplementary groups. Some remaining stragglers in base that had baked in assumptions about these syscalls are fixed in the process to avoid heartburn in conversion.

For relnotes: application developers should audit their use of both setgroups(2) and getgroups(2) for signs that they had assumed the previous FreeBSD behavior of using the first element for the egid. Any calls to setgroups() to clear groups that used a single array of the now or soon-to-be egid can be converted to setgroups(0, NULL) calls to clear the supplementary groups entirely on all FreeBSD versions.

Co-authored-by: olce (but bugs are likely mine)
Relnotes: yes (see last paragraph)
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D51648
2024-02-05 | libsys: relocate implementations and manpages | Brooks Davis
Remove core system call implementations and documentation to lib/libsys and lib/libsys/<arch> from lib/libc/sys and lib/libc/<arch>/<sys>. Update paths to allow libc to find them in their new home.

Reviewed by: kib, emaste, imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/908