getgroups.2: Clarify, mention ascending order, add SECURITY CONSIDERATIONS

Clarify and be more precise about the behavior of getgroups(2), in
particular with respect to 'gidsetlen'.

Prefer a terminology referring to POSIX terms, i.e., use "supplementary
groups" instead of "group access list".

Say that getgroups(2) reports the supplementary groups in strictly
ascending order and returns the cardinal of the set they form (and
mention this has been the case since FreeBSD 14.3).

Add a new SECURITY CONSIDERATIONS section contrasting the new behavior
after commit 9da2fe96ff ("kern: fix setgroups(2) and getgroups(2) to
match other platforms") with the historical one.

While here, fix some style.

Note for MFC to stable/14: The content will have to be revised as the
new behavior is not in place.  The latter should be mentioned as
upcoming in 15.

Reviewed by:    gbe (older version)
MFC after:      5 days
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D52286
This commit is contained in:
Olivier Certner
2025-08-30 00:43:10 +02:00
parent 66b54c48b2
commit 4be38acc82
+70 -24
View File
@@ -1,5 +1,13 @@
.\"-
.\" SPDX-License-Identifier: BSD-3-Clause
.\"
.\" Copyright (c) 1983, 1991, 1993 .\" Copyright (c) 1983, 1991, 1993
.\" The Regents of the University of California. All rights reserved. .\" The Regents of the University of California. All rights reserved.
.\" Copyright (c) 2025 The FreeBSD Foundation
.\"
.\" Portions of this documentation were written by Olivier Certner
.\" <olce@FreeBSD.org> at Kumacom SARL under sponsorship from the FreeBSD
.\" Foundation.
.\" .\"
.\" Redistribution and use in source and binary forms, with or without .\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions .\" modification, are permitted provided that the following conditions
@@ -25,12 +33,12 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE. .\" SUCH DAMAGE.
.\" .\"
.Dd August 1, 2025 .Dd September 17, 2025
.Dt GETGROUPS 2 .Dt GETGROUPS 2
.Os .Os
.Sh NAME .Sh NAME
.Nm getgroups .Nm getgroups
.Nd get group access list .Nd get the calling process' supplementary groups
.Sh LIBRARY .Sh LIBRARY
.Lb libc .Lb libc
.Sh SYNOPSIS .Sh SYNOPSIS
@@ -40,36 +48,39 @@
.Sh DESCRIPTION .Sh DESCRIPTION
The The
.Fn getgroups .Fn getgroups
system call system call gets the calling process' supplementary groups and stores them in
gets the current supplementary groups of the user process and stores it in the the
array .Fa gidset
.Fa gidset . array in strictly ascending order.
The The value of
.Fa gidsetlen .Fa gidsetlen
argument indicates the maximum number of entries that may be placed in
indicates the number of entries that may be placed in
.Fa gidset . .Fa gidset .
The .Pp
.Fn getgroups
system call
returns the actual number of groups returned in
.Fa gidset .
As many as {NGROUPS_MAX} values may be returned.
If If
.Fa gidsetlen .Fa gidsetlen
is zero, is zero,
.Fn getgroups .Fn getgroups
returns the number of supplementary group IDs associated with returns the cardinal of the calling process' supplementary groups set and
the calling process without modifying the array pointed to by ignores argument
.Fa gidset . .Fa gidset .
.Pp .Pp
No more than
.Dv {NGROUPS_MAX}
values may ever be returned.
The value of The value of
.Dv {NGROUPS_MAX} .Dv {NGROUPS_MAX}
should be obtained using should be obtained using
.Xr sysconf 3 .Xr sysconf 3
to avoid hard-coding it into the executable. to avoid hard-coding it into the executable.
.Sh RETURN VALUES .Sh RETURN VALUES
A successful call returns the number of groups in the group set. On success, the
.Fn getgroups
system call returns the cardinal of the supplementary groups set.
It always succeeds if argument
.Fa gidsetlen
is zero.
.Pp
A value of -1 indicates that an error occurred, and the error A value of -1 indicates that an error occurred, and the error
code is stored in the global variable code is stored in the global variable
.Va errno . .Va errno .
@@ -81,12 +92,12 @@ are:
.It Bq Er EINVAL .It Bq Er EINVAL
The argument The argument
.Fa gidsetlen .Fa gidsetlen
is smaller than the number of groups in the group set. is smaller than the number of supplementary groups
.Pq but not zero .
.It Bq Er EFAULT .It Bq Er EFAULT
The argument An invalid address was encountered while reading from the
.Fa gidset .Fa gidset
specifies array.
an invalid address.
.El .El
.Sh SEE ALSO .Sh SEE ALSO
.Xr setgroups 2 , .Xr setgroups 2 ,
@@ -96,16 +107,51 @@ an invalid address.
The The
.Fn getgroups .Fn getgroups
system call conforms to system call conforms to
.St -p1003.1-2008 . .St -p1003.1-2008
with the additional properties that supplementary groups are reported in
strictly ascending order and the returned size coincides with the cardinal of
the set.
.Sh HISTORY .Sh HISTORY
The The
.Fn getgroups .Fn getgroups
system call appeared in system call appeared in
.Bx 4.2 . .Bx 4.2 .
.Pp .Pp
Since
.Fx 14.3 ,
the
.Fn getgroups
system call has treated the supplementary groups as a set, reporting them in
strictly ascending order and returning the cardinal of the set.
.Pp
Before Before
.Fx 15.0 , .Fx 15.0 ,
the the
.Fn getgroups .Fn getgroups
system call always returned the effective group ID for the process as the first system call would additionally return the effective group ID as the first
element of the array, before the supplementary groups. element of the array, before the supplementary groups.
.Sh SECURITY CONSIDERATIONS
The
.Fn getgroups
system call gets the supplementary groups set in the
.Fa gidset
array.
In particular, as evoked in
.Sx HISTORY ,
it does not anymore retrieve the effective GID in the first slot of
.Fa gidset .
Programs should not make any assumption about which group is placed in the first
slot of
.Fa gidset
other than it being the supplementary group with smallest GID.
.Pp
The effective GID is present in the supplementary groups set if and only if it
was explicitly set as a supplementary group.
The function
.Fn initgroups
enforces that, while the
.Fn setgroups
system call does not.
Please consult the
.Xr initgroups 3
manual page for the rationale.