About setgid, setgroups and supplemental groups
Ivan Radovanovic
radovanovic at gmail.com
Mon Mar 12 19:59:05 UTC 2018

I was working on a simple program which should drop some (ordinary) user
privileges and complete its work while keeping the permissions of only one
group the user is in, when I discovered that FreeBSD doesn't actually behave
the way I expected (actually I didn't find a way to achieve this at all in
FreeBSD).

The problem is:
- there is a user A, a member of groups B, C, D. The program should run with
the credentials of only group C (A != root).

I expected that setgid(2) would always succeed for root, and succeed for
an ordinary user if the user was a member of the requested group, but I kept
getting EPERM. While checking the documentation I found to my surprise that
setgid behaves exactly like setuid(2) (a normal user can switch only to his
primary group, the superuser can do whatever he wants). Also, from the
documentation it is very difficult to understand what the exact relation is
between setgroups(2) and setgid(2) on FreeBSD (if any); for example, the
Linux manual pages say explicitly that setgid has no interaction
whatsoever with supplemental groups, while the AIX manual pages explicitly
say that a user is allowed to setgid to any of his supplemental groups (so
obviously both approaches are in use).

The documentation for setgroups(2) explicitly states that only root can use
it, so apparently a normal user can't use it to restrict group permissions
for a running program.

I would be very grateful if somebody could explain why it was chosen not
to allow setgid to the real user's other groups (sounds like an illogical
thing to do), or if there is some other mechanism to achieve the same in
FreeBSD (preferably completely in code, without playing with file
permissions).

Kind regards,
Ivan
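
A small probe for the behaviour discussed in the message above, added here as an example and not part of the original post: it reads the process's supplementary groups with getgroups(2) and tries setgid(2) to each one in a forked child, reporting whether the running kernel allows it or which errno it returns. The helper names try_setgid_in_child and supplementary_groups are made up for this example.

```c
/* Added example: probe which of our groups setgid(2) will accept. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Try setgid(g) in a forked child so the caller's credentials stay untouched.
 * Returns 0 if allowed, the errno value if refused, -1 if the probe failed. */
int try_setgid_in_child(gid_t g)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)   /* child: report the outcome through the exit status */
        _exit(setgid(g) == 0 ? 0 : errno);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Fetch the supplementary group list into *out (caller frees); count or -1. */
int supplementary_groups(gid_t **out)
{
    int n = getgroups(0, NULL);   /* size 0 asks only for the count */
    if (n < 0 || (*out = calloc((size_t)n + 1, sizeof(gid_t))) == NULL)
        return -1;
    return getgroups(n, *out);
}

int main(void)
{
    gid_t *groups = NULL;
    int n = supplementary_groups(&groups);
    if (n < 0) { perror("getgroups"); return 1; }
    printf("euid=%ld rgid=%ld egid=%ld\n",
           (long)geteuid(), (long)getgid(), (long)getegid());
    for (int i = 0; i < n; i++) {
        int r = try_setgid_in_child(groups[i]);
        printf("setgid(%ld): %s\n", (long)groups[i],
               r == 0 ? "allowed" : r < 0 ? "probe failed" : strerror(r));
    }
    free(groups);
    return 0;
}
```

Running it once as an ordinary user and once as root shows the difference the message describes: an "Operation not permitted" line next to a group the user belongs to is the EPERM case.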