Page MenuHomeFreeBSD
Differential D51149

tftpd: explicitly set egid after dropping supplemental groups
ClosedPublic
Actions

Authored by kevans on Jul 3 2025, 3:30 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Oct 13, 12:15 PM
Unknown Object (File)
Mon, Oct 13, 12:15 PM
Unknown Object (File)
Sun, Oct 12, 11:39 PM
Unknown Object (File)
Sun, Oct 12, 11:39 PM
Unknown Object (File)
Sun, Oct 12, 11:39 PM
Unknown Object (File)
Sun, Oct 12, 11:39 PM
Unknown Object (File)
Sun, Oct 12, 12:11 PM
Unknown Object (File)
Sep 5 2025, 3:52 PM
View All 22 Files
Subscribers
imp

Details

Reviewers
des
olce
allanjude
Commits
rG5138a20765c7: tftpd: explicitly set egid after dropping supplemental groups
Summary

tftpd seems to be the last program in base that implicitly relies on
setgroups() to set the egid. This is a security landmine in portable
software as most operating systems don't behave this way, so do an
explicit setgid() in case the kernel doesn't set it already.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kevans created this revision.Jul 3 2025, 3:30 PM
Herald added a subscriber: imp. · View Herald TranscriptJul 3 2025, 3:30 PM
kevans requested review of this revision.Jul 3 2025, 3:30 PM
Harbormaster completed remote builds in B65191: Diff 157889.Jul 3 2025, 3:30 PM
allanjude accepted this revision.Jul 3 2025, 3:58 PM
This revision is now accepted and ready to land.Jul 3 2025, 3:58 PM
olce added inline comments.Jul 3 2025, 4:16 PM
libexec/tftpd/tftpd.c
354

Let's be portable right now and leverage the already-existing special case we have to remove all supplementary groups.

kevans updated this revision to Diff 157893.Jul 3 2025, 4:24 PM

Clear the supplemental groups entirely

The following has been added to the commit message:

While we're here, FreeBSD's setgroups() has supported nominally clearing
all supplemental groups since 1997.  It still leaves the egid in our
cr_groups[0] because we don't have an out-of-band way to store the egid,
and on other systems it'll clear the supplemental group entirely as one
would want.
This revision now requires review to proceed.Jul 3 2025, 4:24 PM
Harbormaster completed remote builds in B65194: Diff 157893.Jul 3 2025, 4:24 PM
kevans marked an inline comment as done.Jul 3 2025, 4:24 PM
olce accepted this revision.Jul 3 2025, 4:33 PM
This revision is now accepted and ready to land.Jul 3 2025, 4:33 PM
des accepted this revision.Jul 4 2025, 9:18 PM
Closed by commit rG5138a20765c7: tftpd: explicitly set egid after dropping supplemental groups (authored by kevans). · Explain WhyJul 24 2025, 2:59 PM
This revision was automatically updated to reflect the committed changes.
kevans added a commit: rG5138a20765c7: tftpd: explicitly set egid after dropping supplemental groups.

Revision Contents
Changeset List

PathSize
libexec/
tftpd/
6 lines

Diff 159001

View Options

libexec/tftpd/tftpd.c

Loading...