security/openssh-portable: fix uidswap behavior on FreeBSD
ClosedPublic
Actions

Authored by kevans on Aug 9 2025, 5:39 PM.

Details

Reviewers

bdrewery

Commits

R11:b8f4c93fa135: security/openssh-portable: fix uidswap behavior on FreeBSD

Summary

This adds base commit 239e8c98636a757 as a patch to avoid losing our
real GID inside temporarily_use_uid()/restore_uid() blocks. We'll need
to re-scope this to specific __FreeBSD_version blocks if 15.0 ends up
with the setgroups(2)/getgroups(2) change that brings us to the
OpenBSD/NetBSD behavior instead (no egid touching; just supplemental
groups).

Diff Detail

Repository

R11 FreeBSD ports repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 66136
Build 63019: arc lint + arc unit

Event Timeline

kevans requested review of this revision.Aug 9 2025, 5:39 PM

kevans created this revision.

Harbormaster completed remote builds in B66136: Diff 160129.Aug 9 2025, 5:39 PM

bdrewery accepted this revision.Aug 11 2025, 7:10 PM

This revision is now accepted and ready to land.Aug 11 2025, 7:10 PM

Closed by commit R11:b8f4c93fa135: security/openssh-portable: fix uidswap behavior on FreeBSD (authored by kevans). · Explain WhyAug 21 2025, 2:24 AM

This revision was automatically updated to reflect the committed changes.

kevans added a commit: R11:b8f4c93fa135: security/openssh-portable: fix uidswap behavior on FreeBSD.

Since I hadn't found the time to return to this for a bit, the final version had two trivial tweaks to the patch to avoid a panic on the next main build:

+ include <sys/parm.h>
+ && __FreeBSD_version < 1500061

I had contemplated updating the review, but decided that it was minor enough (given that the __FreeBSD_version bump was mine for the relevant change) that you'd likely not mind.