About setgid, setgroups and supplemental groups

Ivan Radovanovic radovanovic at gmail.com
Mon Mar 12 19:59:05 UTC 2018


I was working on a simple program which should drop some (ordinary) user 
privileges and complete its work while keeping the permissions of only one 
group the user is in, when I discovered that FreeBSD doesn't actually behave 
the way I expected (actually I didn't find a way to achieve this at all in 
FreeBSD).

The problem is:
- there is a user A, a member of groups B, C, D. The program should run with 
the credentials of only group C (A != root).

I expected that setgid(2) would always succeed for root, and succeed for 
an ordinary user if the user was a member of the requested group, but I kept 
getting EPERM. While checking the documentation I found to my surprise that 
setgid behaves exactly like setuid(2) (a normal user can switch only to his 
primary group, the superuser can do whatever he wants). Also, from the 
documentation it is very difficult to understand what the exact relation 
between setgroups(2) and setgid(2) on FreeBSD is (if any); for example, 
Linux manual pages say explicitly that setgid has no interaction 
whatsoever with supplemental groups, while AIX manual pages explicitly 
say that a user is allowed to setgid to any of his supplemental groups (so 
obviously both approaches are in use).

The documentation for setgroups(2) explicitly states that only root can use 
it, so apparently a normal user can't use it to restrict group permissions 
for a running program.

I would be very grateful if somebody could explain why it was chosen not 
to allow setgid to other real user's groups (sounds like an illogical thing 
to do), or if there is some other mechanism to achieve the same in 
FreeBSD (preferably completely in code, without playing with file 
permissions).

Kind regards,
Ivan
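
The drop the post is after (user A left with group C only), as an added example that is not part of the original post. It assumes the program is started as root, since setgroups(2) is restricted to the superuser as the post notes; `drop_to` and `holds_only_group` are hypothetical names.

```c
#define _DEFAULT_SOURCE   /* exposes setgroups() on glibc; harmless elsewhere */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 only if real gid, effective gid and every supplementary
 * group equal gid. Any doubt (including a getgroups error) yields 0. */
int holds_only_group(gid_t gid)
{
    gid_t list[64];                 /* assumed bound for this check */
    int n = getgroups(64, list);
    if (n < 0 || getgid() != gid || getegid() != gid)
        return 0;
    for (int i = 0; i < n; i++)
        if (list[i] != gid)
            return 0;
    return 1;
}

/* Drop from root to uid with gid as the only group. Order matters:
 * setgroups() and setgid() need privilege, so setuid() comes last. */
int drop_to(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0)    /* replace supplementary list; root only */
        return -1;
    if (setgid(gid) != 0)           /* as root: real, effective, saved gid */
        return -1;
    if (setuid(uid) != 0)           /* gives up the right to do the above */
        return -1;
    /* Fail closed if a group is still held or root can be regained. */
    if (holds_only_group(gid) != 1 || (uid != 0 && setuid(0) == 0)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s uid gid\n", argv[0]); return 2; }
    if (drop_to((uid_t)strtoul(argv[1], NULL, 10), (gid_t)strtoul(argv[2], NULL, 10)) != 0) {
        fprintf(stderr, "drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("uid=%d gid=%d, no other groups\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Run without privilege, it stops at setgroups() with EPERM, which is the restriction described in the post.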


More information about the freebsd-hackers mailing list