Page MenuHomeFreeBSD

tftpd: explicitly set egid after dropping supplemental groups
ClosedPublic

Authored by kevans on Jul 3 2025, 3:30 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Oct 13, 12:15 PM
Unknown Object (File)
Mon, Oct 13, 12:15 PM
Unknown Object (File)
Sun, Oct 12, 11:39 PM
Unknown Object (File)
Sun, Oct 12, 11:39 PM
Unknown Object (File)
Sun, Oct 12, 11:39 PM
Unknown Object (File)
Sun, Oct 12, 11:39 PM
Unknown Object (File)
Sun, Oct 12, 12:11 PM
Unknown Object (File)
Sep 5 2025, 3:52 PM
Subscribers

Details

Summary

tftpd seems to be the last program in base that implicitly relies on
setgroups() to set the egid. This is a security landmine in portable
software as most operating systems don't behave this way, so do an
explicit setgid() in case the kernel doesn't set it already.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kevans requested review of this revision.Jul 3 2025, 3:30 PM
This revision is now accepted and ready to land.Jul 3 2025, 3:58 PM
libexec/tftpd/tftpd.c
354

Let's be portable right now and leverage the already-existing special case we have to remove all supplementary groups.

Clear the supplemental groups entirely

The following has been added to the commit message:

While we're here, FreeBSD's setgroups() has supported nominally clearing
all supplemental groups since 1997.  It still leaves the egid in our
cr_groups[0] because we don't have an out-of-band way to store the egid,
and on other systems it'll clear the supplemental group entirely as one
would want.
This revision now requires review to proceed.Jul 3 2025, 4:24 PM
This revision is now accepted and ready to land.Jul 3 2025, 4:33 PM