The branch main has been updated by kevans:
URL:
https://cgit.FreeBSD.org/src/commit/?id=5138a20765c76cdc8f245d3d7caeffe9a9011bb2
commit 5138a20765c76cdc8f245d3d7caeffe9a9011bb2
Author: Kyle Evans <kev...@freebsd.org>
AuthorDate: 2025-07-24 14:59:07 +0000
Commit: Kyle Evans <kev...@freebsd.org>
CommitDate: 2025-07-24 14:59:07 +0000
tftpd: explicitly set egid after dropping supplemental groups
tftpd seems to be the last program in base that implicitly relies on
setgroups() to set the egid. This is a security landmine in portable
software as most operating systems don't behave this way, so do an
explicit setgid() in case the kernel doesn't set it already.
While we're here, FreeBSD's setgroups() has supported nominally clearing
all supplemental groups since 1997. It still leaves the egid in our
cr_groups[0] because we don't have an out-of-band way to store the egid,
and on other systems it'll clear the supplemental group entirely as one
would want.
Reviewed by: allanjude (previous version), des, olce
Differential Revision: https://reviews.freebsd.org/D51149
---
libexec/tftpd/tftpd.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libexec/tftpd/tftpd.c b/libexec/tftpd/tftpd.c
index f8f9bd549a2e..a3faee86e7d0 100644
--- a/libexec/tftpd/tftpd.c
+++ b/libexec/tftpd/tftpd.c
@@ -351,10 +351,14 @@ main(int argc, char *argv[])
tftp_log(LOG_ERR, "chdir: %s", strerror(errno));
exit(1);
}
- if (setgroups(1, &nobody->pw_gid) != 0) {
+ if (setgroups(0, NULL) != 0) {
tftp_log(LOG_ERR, "setgroups failed");
exit(1);
}
+ if (setgid(nobody->pw_gid) != 0) {
+ tftp_log(LOG_ERR, "setgid failed");
+ exit(1);
+ }
if (setuid(nobody->pw_uid) != 0) {
tftp_log(LOG_ERR, "setuid failed");
exit(1);
