Page MenuHomeFreeBSD
Differential D52284

setgroups.2: Add SECURITY CONSIDERATIONS, fix the groups limit, rework
ClosedPublic
Actions

Authored by olce on Aug 29 2025, 11:04 PM.
Tags
None
Referenced Files
F133241716: D52284.id162138.diff
Fri, Oct 24, 6:24 AM
F133204860: D52284.diff
Thu, Oct 23, 11:05 PM
Unknown Object (File)
Sun, Oct 12, 3:23 PM
Unknown Object (File)
Sun, Oct 12, 8:46 AM
Unknown Object (File)
Sat, Oct 11, 10:02 PM
Unknown Object (File)
Sat, Oct 11, 10:02 PM
Unknown Object (File)
Sat, Oct 11, 10:02 PM
Unknown Object (File)
Sat, Oct 11, 12:50 PM
View All 34 Files
Subscribers
emaste
imp
ziaee

Details

Reviewers
kevans
Commits
rG7d5b7157e919: setgroups.2: Add SECURITY CONSIDERATIONS, rework
rG7132fb5edbc9: setgroups.2: Add SECURITY CONSIDERATIONS, fix the groups limit, rework
rG6d22cd6b5f8b: setgroups.2: Add SECURITY CONSIDERATIONS, fix the groups limit, rework
Summary

Add a new SECURITY CONSIDERATIONS section describing in details what the
new behavior is after commit 9da2fe96ff2e ("kern: fix setgroups(2) and
getgroups(2) to match other platforms"), what setgroups(2) does not
do anymore, and how programs using it are affected.

Fix the groups limit after commit 9da2fe96ff2e ("kern: fix setgroups(2)
and getgroups(2) to match other platforms").

Prefer a terminology referring to POSIX terms, i.e., use "effective
group list" instead of "group access list".

While here, fix some style.

Fixes: 9da2fe96ff2e ("kern: fix setgroups(2) and getgroups(2) to match other platforms")
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 67075
Build 63958: arc lint + arc unit

Event Timeline

olce created this revision.Aug 29 2025, 11:04 PM
Herald added subscribers: ziaee, imp. · View Herald TranscriptAug 29 2025, 11:04 PM
olce requested review of this revision.Aug 29 2025, 11:04 PM
Harbormaster completed remote builds in B66687: Diff 161250.Aug 29 2025, 11:04 PM
olce updated this revision to Diff 162138.Sep 16 2025, 10:07 AM
olce edited the summary of this revision. (Show Details)
  • Impacts of the paradigm change in D52282 in SECURITY CONSIDERATIONS. Relax the wording about applications passing the additional group/effective GID as the first element in setgroups(2). Mention that this is what initgroups(3) does.
  • Add notes about clearing all supplementary groups in HISTORY and SECURITY CONSIDERATIONS.
  • Use "calling process" instead of "current process".
  • Be explicit on gidset not being used at all when ngroups is 0 (replacing the old ambiguous formulation).
  • "GID" => "group ID", consistently with other manual pages.
Harbormaster completed remote builds in B67075: Diff 162138.Sep 16 2025, 10:07 AM
This revision was not accepted when it landed; it landed in state Needs Review.Sep 17 2025, 12:21 PM
Closed by commit rG6d22cd6b5f8b: setgroups.2: Add SECURITY CONSIDERATIONS, fix the groups limit, rework (authored by olce). · Explain Why
This revision was automatically updated to reflect the committed changes.
olce added a commit: rG6d22cd6b5f8b: setgroups.2: Add SECURITY CONSIDERATIONS, fix the groups limit, rework.
emaste added inline comments.Sep 17 2025, 9:00 PM
lib/libsys/setgroups.2
2

I don't think we need this (.\"-) marker anymore

olce added a commit: rG7132fb5edbc9: setgroups.2: Add SECURITY CONSIDERATIONS, fix the groups limit, rework.Sep 23 2025, 12:04 PM
olce added a commit: rG7d5b7157e919: setgroups.2: Add SECURITY CONSIDERATIONS, rework.Fri, Oct 10, 5:17 PM

Revision Contents
Changeset List

PathSize
lib/
libsys/
99 lines

Diff 162138

View Options

lib/libsys/setgroups.2

Loading...