git: 3c3228a5275a - stable/14 - ssh: sshd-session: properly save off the privileged gid

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Kyle Evans <kevans_at_FreeBSD.org>
Date: Sun, 12 Apr 2026 13:44:07 UTC
The branch stable/14 has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=3c3228a5275a3eda0f73aa24a8f24950f3b4823c

commit 3c3228a5275a3eda0f73aa24a8f24950f3b4823c
Author:     Kyle Evans <kevans@FreeBSD.org>
AuthorDate: 2025-08-09 16:01:57 +0000
Commit:     Kyle Evans <kevans@FreeBSD.org>
CommitDate: 2026-04-12 13:43:36 +0000

    ssh: sshd-session: properly save off the privileged gid
    
    Current and traditional FreeBSD behavior means that getegid() here is
    the first element in the prior setgroups() call, if any, so we may
    inadvertently wipe out our rgid with the unprivileged gid.  This is
    rendered somewhat harmless by the fact that we're losing the privileged
    gid -- we'll still regain it as the egid in restore_uid() later by way
    of restoring saved_egroups, rather than by intentionally restoring it
    from getgid().
    
    This will be promptly reverted if we can get setgroups(2)/getgroups(2)
    changed in FreeBSD 15.0, but it seemed wise to get this technically
    correct for previous branches.
    
    Reviewed by:    jlduran
    
    (cherry picked from commit 239e8c98636a7578cc67a6f9d54d14c71b095e36)
---
 crypto/openssh/uidswap.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/crypto/openssh/uidswap.c b/crypto/openssh/uidswap.c
index 6ed3024d0180..0143f4994611 100644
--- a/crypto/openssh/uidswap.c
+++ b/crypto/openssh/uidswap.c
@@ -14,6 +14,9 @@
 
 #include "includes.h"
 
+#ifdef __FreeBSD__
+#include <assert.h>
+#endif
 #include <errno.h>
 #include <pwd.h>
 #include <string.h>
@@ -121,8 +124,20 @@ temporarily_use_uid(struct passwd *pw)
 		fatal("setgroups: %.100s", strerror(errno));
 #ifndef SAVED_IDS_WORK_WITH_SETEUID
 	/* Propagate the privileged gid to all of our gids. */
+#ifdef __FreeBSD__
+	/*
+	 * FreeBSD traditionally includes the egid as the first element.  If we
+	 * use getegid() here then we effectively propagate user_groups[0],
+	 * which is probably pw->pw_gid.  Fix it to work as intended by using
+	 * the egid we already have stashed off.
+	 */
+	assert(saved_egroupslen > 0);
+	if (setgid(saved_egroups[0]) == -1)
+		debug("setgid %u: %.100s", (u_int) saved_egroups[0], strerror(errno));
+#else
 	if (setgid(getegid()) == -1)
 		debug("setgid %u: %.100s", (u_int) getegid(), strerror(errno));
+#endif
 	/* Propagate the privileged uid to all of our uids. */
 	if (setuid(geteuid()) == -1)
 		debug("setuid %u: %.100s", (u_int) geteuid(), strerror(errno));