Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not setgroups() on FreeBSD #257

Closed
wants to merge 1,026 commits into from
Closed

Do not setgroups() on FreeBSD #257

wants to merge 1,026 commits into from

Conversation

kiryanov
Copy link

setgroups() call will fail with EPERM on FreeBSD. It renders --user and --uid options useless.

bol-van added 30 commits March 9, 2024 18:47
bsd remove unneeded reverse rule
a9ed039
tpws: improve debug printing
f418084
blockcheck: change desync_mark
d5ccd42
blockcheck: partial OpenBSD support
b54f856
bsd remove old info
9e8eff5
bsd remove old info
aae2b6f
blockcheck: macos support
353d34a
blockcheck: separate LINKLOCAL and LOCALHOST
f892b62
fix incoming connbytes range
2f9c69b
blockcheck: use socks mode for tpws tests
44f9878
blockcheck: workaround localhost firewalled hosts
1ba31e7
blockcheck: pfsense workarounds
57c9742
bsd: use not diverted filter for incoming traffic also
8385394
blockcheck: correct make command line for OpenBSD and MacOS
cad3dc3
blockcheck: use USER_AGENT for http
c91833f
blockcheck: test QUIC
b05a18a
blockcheck: optimize fw scheme, enable udp ipfrag tests
1030588
move udp to nft POSTNAT scheme
becd566
move udp to nft POSTNAT scheme
aa4c3c6
nftables_notes: more notes
a77ce95
blockcheck: do not run ipfrag on OpenBSD
59c30d9
blockcheck: fix comment
ff224f7
syndata desync mode
1481087
syndata desync mode
684869e
blockcheck: more strategies
205d17d
nfqws: do not perform syndata desync if TCP fast open
f8e6302
blockcheck: add vars to change ports
c8ef7a3
readme: more syndata info
3558e7c
install_easy: keenetic warning
cac587b
tpws: fix crash when tampering is applied without remote end
d82c298
bol-van and others added 23 commits July 16, 2024 13:40
remove bad file
0d3b7b6
fix minor regression
b44c697
nfqws: autohostlist fail counter reset on non-RST
2ae426c
readme: autohostlist fail counter reset
72d2450
tpws: autohostlist reset fail counter on success
9fcd8f8
@Lui22
fix typo
bcdcc28
blockcheck: catch HUP to safely handle terminal disconnect
0117374
remove changable files from git
cf1d6f5
remove changeable files from ipset
22a772e
blockcheck: tolerate absense of config and config.default
68061b6
blockcheck: tolerate absense of config and config.default
6ac84b8
winws: --nlm-list fix national characters in adapter name
11f6e07
winws: minor code fix
fdb97e4
winws: fix unicode lengths
745a8ec
install_easy: populate default files in /opt/zapret
9ef4d53
uninstall_easy, install_prereq: fix config/config.default logic
addce67
@bol-van
Merge pull request bol-van#193 from Lui22/patch-1
9cf72b7 
fix typo
ip2net: use restrict pointers in ip6_and
ddc3fe7
windows readme: new info about windows 7 driver signing
25f5d21
windows readme: new info about windows 7 driver signing
f42bd2c
windows readme: new info about windows 7 driver signing
519ba55
windows readme: new info about windows 7 driver signing
c369f11
Do not setgroups() on FreeBSD
4925c3c
@bol-van
Copy link
Owner

bol-van commented Aug 22, 2024
edited
Loading

It doesn't reproduce on my system
What is your BSD version ?
May be you run tpws not as root ? If so then --user and --uid options are not available for obvious reasons. They will cause error

@kiryanov
Copy link
Author

14.1. I run it from root as a daemon, it drops privileges with no issues, but a call to setgroups fails.
PS: setgroups invocation differs between linux and freebsd, in particular freebsd needs a primary group to be specified twice in the list of groups, maybe that’s the issue. I can do some more testing in a week or two.

@bol-van
Copy link
Owner

bol-van commented Aug 22, 2024

the only call to setgroups is
setgroups(0,NULL);
it's intended to drop all supplimentary groups

@kiryanov
Copy link
Author

kiryanov commented Sep 1, 2024

So I have conducted quite some testing and I definitely could not make it work with setgroups() on FreeBSD 14.1 even using the FreeBSD semantics and passing the primary gid as the first member of the groups array.
Maybe instead of removing the call just make the error non-fatal? Most of the code I have looked at just prints a warning if setgroups() call fails.

@bol-van
Copy link
Owner

bol-van commented Sep 2, 2024

may be you share your test code ?
i cant reproduce what you talk about

@bol-van bol-van closed this Oct 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@kiryanov @bol-van @hufrea @Lui22