From nobody Mon Dec 16 14:46:12 2024
X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4YBjS464zlz5hWlN;
	Mon, 16 Dec 2024 14:46:12 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4YBjS43SfDz4f6q;
	Mon, 16 Dec 2024 14:46:12 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1734360372;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=c3y2YxUR9YSe6XyN6Ae+TrF9VAc1DbWPbpuBZGj1pQ0=;
	b=cu3mESuo76LI05NYCI5kg30IAqsGlxETjwus8mCMmoWombkK0p5kp/ejz/Wkl6/J1tVyKZ
	LsHqbR2ZkYS9jvr9z4Im+lpiIoFBcKX7W2i661VM7iSiNjxBiHtRsxGpCA0rCa4x9ng1cP
	8vqKUgqnr3imFfWr2AvhUAPT2uO/taGsnSg7dUd8p10oK8Lk/l4CUUN6vW+i5S2iQt0A45
	dQ7mKglQxp37lXuBfNKU8AQ4JJaHanAbHRiGUKu6ibRJBVe85e/blMYza81ZpVfnltL9be
	15LCDVYpi9RCf06ft+xOchFW0B0cL6FAEmmQAY1Vpov1vX3FYsdn7RqRmuOClA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1734360372;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=c3y2YxUR9YSe6XyN6Ae+TrF9VAc1DbWPbpuBZGj1pQ0=;
	b=NkoGJ8SQloRPRx8Bzu5jUj3zVfDor1v3nYtxmloOTi39WZf6Zmo+R94RF+tGGxtlVJmvnl
	/zBMmqYIrZ3pAaX5hFBZrR7yubej03Et8HexDcjPBOcZK3T1lxT7k+9yvcBOMKQJz7Ky8c
	Ix1ULDo8bBI7BFlppEWB6Rqnr3ny+qo2COQEhvWqu0M7UPdTWymGTjBI4nmqD3Cqb0g1JV
	p5sYdgO7i2JMZhfodAGXkYbhlACyP2z2eJwDvp1E2nfLlQJQW7tziIcYG8ST52/O3Udh5E
	jzhmbCU2nBP+Jsj60ChTje0RK7Hqgnwbx5d9d9/DzbI5R8jaZOYKwjIaVCNckQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1734360372; a=rsa-sha256; cv=none;
	b=Sbri6Cbcwb7PxG0e2aSbmR9XfzJu2aAFgiHXiqre5Ilu7dJC/TkoCM2C/qhpdycozMJTAZ
	xPSRZbiwLLpa0OAfZ3xSmGMHi0YN7ZQ2elXlzr7WfajMSVUGBOmDtdx5r5H3+vcuRSb3cc
	KlY3reK4Ap9X2GvQ9lSFCaf2GAwOT3olBUE+OyAJZqIxT4Tybd/0qZjWFR4Cb9JXAsx5AX
	z05WKlR+dM34sNgSPInP2nUPlQxq+ovhNz2OasVKU4BRsxCdZ51KOkRcTr/7uB2YWyi5kR
	E0TVlNOZHOjDHILS68zNM6HlrhiRTbhrgLXsC8tvei40VU5iU3mBBe1ucpFEvA==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4YBjS431wmzxHB;
	Mon, 16 Dec 2024 14:46:12 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 4BGEkCsg054133;
	Mon, 16 Dec 2024 14:46:12 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 4BGEkCaP054130;
	Mon, 16 Dec 2024 14:46:12 GMT
	(envelope-from git)
Date: Mon, 16 Dec 2024 14:46:12 GMT
Message-Id: <202412161446.4BGEkCaP054130@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-main@FreeBSD.org
From: Olivier Certner <olce@FreeBSD.org>
Subject: git: e395e354823b - main - mdo(1): Use setcred() to change
  credentials
List-Id: Commit messages for the main branch of the src repository <dev-commits-src-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help: <mailto:dev-commits-src-main+help@freebsd.org>
List-Post: <mailto:dev-commits-src-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-main+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: olce
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: e395e354823b690ba19ecc8e3688bacec6f67ad3
Auto-Submitted: auto-generated

The branch main has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=e395e354823b690ba19ecc8e3688bacec6f67ad3

commit e395e354823b690ba19ecc8e3688bacec6f67ad3
Author:     Olivier Certner <olce@FreeBSD.org>
AuthorDate: 2024-07-29 14:24:08 +0000
Commit:     Olivier Certner <olce@FreeBSD.org>
CommitDate: 2024-12-16 14:42:40 +0000

    mdo(1): Use setcred() to change credentials
    
    As this is the only system call that MAC/do currently supports, and the
    only one that really can be for transitions involving simultaneous
    changes of user and group IDs.
    
    Reviewed by:    bapt
    Approved by:    markj (mentor)
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D47621
---
 usr.bin/mdo/mdo.c | 42 +++++++++++++++++++++++++++++++++++-------
 1 file changed, 35 insertions(+), 7 deletions(-)

diff --git a/usr.bin/mdo/mdo.c b/usr.bin/mdo/mdo.c
index 22e2838daa08..8435fc17f26f 100644
--- a/usr.bin/mdo/mdo.c
+++ b/usr.bin/mdo/mdo.c
@@ -5,6 +5,7 @@
  */
 
 #include <sys/limits.h>
+#include <sys/ucred.h>
 
 #include <err.h>
 #include <paths.h>
@@ -27,6 +28,8 @@ main(int argc, char **argv)
 {
 	struct passwd *pw;
 	const char *username = "root";
+	struct setcred wcred = SETCRED_INITIALIZER;
+	u_int setcred_flags = 0;
 	bool uidonly = false;
 	int ch;
 
@@ -50,20 +53,45 @@ main(int argc, char **argv)
 			const char *errp = NULL;
 			uid_t uid = strtonum(username, 0, UID_MAX, &errp);
 			if (errp != NULL)
-				err(EXIT_FAILURE, "%s", errp);
+				err(EXIT_FAILURE, "invalid user ID '%s'",
+				    username);
 			pw = getpwuid(uid);
 		}
 		if (pw == NULL)
 			err(EXIT_FAILURE, "invalid username '%s'", username);
 	}
+
+	wcred.sc_uid = wcred.sc_ruid = wcred.sc_svuid = pw->pw_uid;
+	setcred_flags |= SETCREDF_UID | SETCREDF_RUID | SETCREDF_SVUID;
+
 	if (!uidonly) {
-		if (initgroups(pw->pw_name, pw->pw_gid) == -1)
-			err(EXIT_FAILURE, "failed to call initgroups");
-		if (setgid(pw->pw_gid) == -1)
-			err(EXIT_FAILURE, "failed to call setgid");
+		/*
+		 * If there are too many groups specified for some UID, setting
+		 * the groups will fail.  We preserve this condition by
+		 * allocating one more group slot than allowed, as
+		 * getgrouplist() itself is just some getter function and thus
+		 * doesn't (and shouldn't) check the limit, and to allow
+		 * setcred() to actually check for overflow.
+		 */
+		const long ngroups_alloc = sysconf(_SC_NGROUPS_MAX) + 2;
+		gid_t *const groups = malloc(sizeof(*groups) * ngroups_alloc);
+		int ngroups = ngroups_alloc;
+
+		if (groups == NULL)
+			err(EXIT_FAILURE, "cannot allocate memory for groups");
+
+		getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups);
+
+		wcred.sc_gid = wcred.sc_rgid = wcred.sc_svgid = pw->pw_gid;
+		wcred.sc_supp_groups = groups + 1;
+		wcred.sc_supp_groups_nb = ngroups - 1;
+		setcred_flags |= SETCREDF_GID | SETCREDF_RGID | SETCREDF_SVGID |
+		    SETCREDF_SUPP_GROUPS;
 	}
-	if (setuid(pw->pw_uid) == -1)
-		err(EXIT_FAILURE, "failed to call setuid");
+
+	if (setcred(setcred_flags, &wcred, sizeof(wcred)) != 0)
+		err(EXIT_FAILURE, "calling setcred() failed");
+
 	if (*argv == NULL) {
 		const char *sh = getenv("SHELL");
 		if (sh == NULL)