The branch main has been updated by kevans:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=665e898d581cd518ee47a0bc385a6df75961f2fc

commit 665e898d581cd518ee47a0bc385a6df75961f2fc
Author:     Kyle Evans <kev...@freebsd.org>
AuthorDate: 2025-07-24 14:59:07 +0000
Commit:     Kyle Evans <kev...@freebsd.org>
CommitDate: 2025-07-24 14:59:07 +0000

    rpc.lockd: avoid embedding assumptions about cr_groups[0]
    
    sys/ucred.h provides a cr_gid macro that should be used to reference the
    egid element of an xucred, so let's use that.
    
    While we're here, avoid assuming that the first element is the egid and
    include it in the group list unless it is actually the egid.  This is
    not a functional change today: the egid is always the first group in
    the list, but we may want to consider changing that some day.
    
    Reviewed by:    olce
    Differential Revision:  https://reviews.freebsd.org/D51151
---
 usr.sbin/rpc.lockd/kern.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/usr.sbin/rpc.lockd/kern.c b/usr.sbin/rpc.lockd/kern.c
index c24b81159ea5..1945bd68328a 100644
--- a/usr.sbin/rpc.lockd/kern.c
+++ b/usr.sbin/rpc.lockd/kern.c
@@ -39,6 +39,7 @@
 #include <netinet/in.h>
 #include <arpa/inet.h>
 
+#include <assert.h>
 #include <err.h>
 #include <errno.h>
 #include <fcntl.h>
@@ -232,17 +233,29 @@ void
 set_auth(CLIENT *cl, struct xucred *xucred)
 {
        int ngroups;
+       gid_t *groups;
 
-       ngroups = xucred->cr_ngroups - 1;
+       /*
+        * Exclude the first element if it is actually the egid, but account for
+        * the possibility that we could eventually exclude the egid from the
+        * exported group list some day.
+        */
+       ngroups = xucred->cr_ngroups;
+       groups = &xucred->cr_groups[0];
+       if (groups == &xucred->cr_gid) {
+               assert(ngroups > 0);
+               ngroups--;
+               groups++;
+       }
        if (ngroups > NGRPS)
                ngroups = NGRPS;
         if (cl->cl_auth != NULL)
                 cl->cl_auth->ah_ops->ah_destroy(cl->cl_auth);
         cl->cl_auth = authunix_create(hostname,
                         xucred->cr_uid,
-                        xucred->cr_groups[0],
+                        xucred->cr_gid,
                         ngroups,
-                        &xucred->cr_groups[1]);
+                        groups);
 }
 
 
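Review bot: The `assert(ngroups > 0)` inside the `groups == &xucred->cr_gid` branch is the only guard against `cr_ngroups == 0`, and it is compiled out under NDEBUG, leaving `ngroups` at -1 to be passed as the length to `authunix_create()`. With assertions enabled, the same input aborts the daemon instead. Nothing in the hunk shows where the xucred is validated, so if that happens elsewhere a comment saying so would help. Otherwise make it a runtime check, e.g. `if (groups == &xucred->cr_gid && ngroups > 0) {`, which sends an empty group list in that case and makes the new `#include <assert.h>` unnecessary. The existing `NGRPS` clamp only bounds `ngroups` from above, so a negative count is not caught later in the function.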
