tftpd seems to be the last program in base that implicitly relies on
setgroups() to set the egid. This is a security landmine in portable
software as most operating systems don't behave this way, so do an
explicit setgid() in case the kernel doesn't set it already.
Repository: rG FreeBSD src repository
Event Timeline
libexec/tftpd/tftpd.c, line 354:
Let's be portable right now and leverage the already-existing special case we have to remove all supplementary groups.
Clear the supplemental groups entirely
The following has been added to the commit message:
While we're here, FreeBSD's setgroups() has supported nominally clearing all supplemental groups since 1997. It still leaves the egid in our cr_groups[0] because we don't have an out-of-band way to store the egid, and on other systems it'll clear the supplemental group entirely as one would want.
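The portable drop sequence discussed in this review, as an added example that is not the tftpd.c change itself or any code from the FreeBSD tree. The function names `drop_privileges` and `verify_dropped` are hypothetical, and the 64-entry group buffer and the id 65534 are assumptions made for the example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: expose setgroups() */
#endif
#include <sys/types.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Return 0 only if real/effective ids match and no other group remains. */
int verify_dropped(uid_t uid, gid_t gid)
{
    gid_t groups[64];   /* assumed large enough; a longer list fails closed */
    int i, n;

    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    n = getgroups(64, groups);
    if (n < 0)
        return -1;
    for (i = 0; i < n; i++)
        if (groups[i] != gid)   /* some kernels list the egid itself here */
            return -1;
    return 0;
}

/* Drop from root to uid/gid. Order matters: groups, then gid, then uid. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0)    /* clear supplementary groups */
        return -1;
    if (setgid(gid) != 0)           /* explicit: never rely on setgroups() for the egid */
        return -1;
    if (setuid(uid) != 0)           /* last: after this the calls above would fail */
        return -1;
    return verify_dropped(uid, gid);
}

int main(void)
{
    /* 65534 is a constructed "nobody"-style id; real code resolves it with getpwnam(). */
    if (geteuid() == 0 && drop_privileges(65534, 65534) != 0) {
        fprintf(stderr, "privilege drop failed\n");
        return 1;
    }
    printf("uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```
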