git: 49f31b5e0ca7 - main - netstat: strip the binary of sgid

From: Kyle Evans <kevans_at_FreeBSD.org>
Date: Sun, 20 Apr 2025 18:19:05 UTC
The branch main has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=49f31b5e0ca7a335b35dbaec92769e4c7237a85e

commit 49f31b5e0ca7a335b35dbaec92769e4c7237a85e
Author:     Kyle Evans <kevans@FreeBSD.org>
AuthorDate: 2025-04-20 18:18:40 +0000
Commit:     Kyle Evans <kevans@FreeBSD.org>
CommitDate: 2025-04-20 18:18:44 +0000

    netstat: strip the binary of sgid
    
    Everything in the live path seems to use sysctls these days, with kvm
    only being used for pulling information from core dumps.  Strip the
    binary of /dev/{k,}mem access to reduce the surface area with access
    to kmem.
    
    Reviewed by:    glebius, markj
    Differential Revision:  https://reviews.freebsd.org/D47210
---
 usr.bin/netstat/Makefile |  2 --
 usr.bin/netstat/main.c   | 14 ++------------
 2 files changed, 2 insertions(+), 14 deletions(-)

diff --git a/usr.bin/netstat/Makefile b/usr.bin/netstat/Makefile
index 742de485a6b5..121911b8a18b 100644
--- a/usr.bin/netstat/Makefile
+++ b/usr.bin/netstat/Makefile
@@ -50,8 +50,6 @@ CFLAGS+=-DSDP
 CFLAGS+=-DPF
 .endif
 
-BINGRP=	kmem
-BINMODE=2555
 LIBADD=	kvm memstat xo util
 
 .if ${MK_NETGRAPH_SUPPORT} != "no"
diff --git a/usr.bin/netstat/main.c b/usr.bin/netstat/main.c
index 4275ea7821df..e8f657006982 100644
--- a/usr.bin/netstat/main.c
+++ b/usr.bin/netstat/main.c
@@ -455,17 +455,10 @@ main(int argc, char *argv[])
 	}
 #endif
 
-	/*
-	 * Discard setgid privileges if not the running kernel so that bad
-	 * guys can't print interesting stuff from kernel memory.
-	 */
 	live = (nlistf == NULL && memf == NULL);
-	if (!live) {
-		if (setgid(getgid()) != 0)
-			xo_err(EX_OSERR, "setgid");
-		/* Load all necessary kvm symbols */
+	/* Load all necessary kvm symbols */
+	if (!live)
 		kresolve_list(nl);
-	}
 
 	if (xflag && Tflag)
 		xo_errx(EX_USAGE, "-x and -T are incompatible, pick one.");
@@ -739,9 +732,6 @@ kvmd_init(void)
 		return (0);
 
 	kvmd = kvm_openfiles(nlistf, memf, NULL, O_RDONLY, errbuf);
-	if (setgid(getgid()) != 0)
-		xo_err(EX_OSERR, "setgid");
-
 	if (kvmd == NULL) {
 		xo_warnx("kvm not available: %s", errbuf);
 		return (-1);
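Review bot: Now that the binary no longer carries the kmem group, the kvm_openfiles() call at the top of this hunk will presumably fail with EPERM for an unprivileged user whenever it is asked for the running kernel (nlistf and memf both NULL), so the only opens expected to succeed are core/namelist opens or a root invocation; a short comment above the call would spare the next reader from wondering where the privilege drop went, e.g. `/* Not sgid kmem any more: a live open succeeds only as root; core/namelist opens need read access to the given files. */`. The early `return (0)` guard and the remainder of kvmd_init lie outside the hunk, so I cannot confirm from here that no live code path still reaches this function — worth verifying once, since such a caller would now get "kvm not available" for non-root users where the sgid binary previously opened /dev/kmem. The commit message itself hedges ("seems to use sysctls"), which is why that check is worth stating explicitly.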