
security/openssh-portable: fix uidswap behavior on FreeBSD
Closed, Public

Authored by kevans on Aug 9 2025, 5:39 PM.

Details

Summary

This adds base commit 239e8c98636a757 as a patch to avoid losing our
real GID inside temporarily_use_uid()/restore_uid() blocks. We'll need
to re-scope this to specific __FreeBSD_version blocks if 15.0 ends up
with the setgroups(2)/getgroups(2) change that brings us to the
OpenBSD/NetBSD behavior instead (no egid touching; just supplemental
groups).

Diff Detail

Repository
R11 FreeBSD ports repository

Event Timeline

kevans requested review of this revision. (Aug 9 2025, 5:39 PM)
kevans created this revision.
This revision is now accepted and ready to land. (Aug 11 2025, 7:10 PM)

Since I hadn't found the time to return to this for a bit, the final version had two trivial tweaks to the patch to avoid a panic on the next main build:

  • + include <sys/param.h>
  • + && __FreeBSD_version < 1500061

I had contemplated updating the review, but decided that it was minor enough (given that the __FreeBSD_version bump was mine for the relevant change) that you'd likely not mind.