From 49f31b5e0ca7a335b35dbaec92769e4c7237a85e Mon Sep 17 00:00:00 2001
From: Kyle Evans
Date: Sun, 20 Apr 2025 13:18:40 -0500
Subject: [PATCH] netstat: strip the binary of sgid

Everything in the live path seems to use sysctls these days, with kvm only being used for pulling information from core dumps. Strip the binary of /dev/{k,}mem access to reduce the surface area with access to kmem.

Reviewed by: glebius, markj
Differential Revision: https://reviews.freebsd.org/D47210
---
 usr.bin/netstat/Makefile | 2 --
 usr.bin/netstat/main.c | 14 ++------------
 2 files changed, 2 insertions(+), 14 deletions(-)

diff --git a/usr.bin/netstat/Makefile b/usr.bin/netstat/Makefile
index 742de485a6b..121911b8a18 100644
--- a/usr.bin/netstat/Makefile
+++ b/usr.bin/netstat/Makefile
@@ -50,8 +50,6 @@ CFLAGS+=-DSDP
 CFLAGS+=-DPF
 .endif
-BINGRP= kmem
-BINMODE=2555
 LIBADD= kvm memstat xo util
 .if ${MK_NETGRAPH_SUPPORT} != "no"
diff --git a/usr.bin/netstat/main.c b/usr.bin/netstat/main.c
index 4275ea7821d..e8f65700698 100644
--- a/usr.bin/netstat/main.c
+++ b/usr.bin/netstat/main.c
@@ -455,17 +455,10 @@ main(int argc, char *argv[])
 }
 #endif
- /*
- * Discard setgid privileges if not the running kernel so that bad
- * guys can't print interesting stuff from kernel memory.
- */
 live = (nlistf == NULL && memf == NULL);
- if (!live) {
- if (setgid(getgid()) != 0)
- xo_err(EX_OSERR, "setgid");
- /* Load all necessary kvm symbols */
+ /* Load all necessary kvm symbols */
+ if (!live)
 kresolve_list(nl);
- }
 if (xflag && Tflag)
 xo_errx(EX_USAGE, "-x and -T are incompatible, pick one.");
@@ -739,9 +732,6 @@ kvmd_init(void)
 return (0);
 kvmd = kvm_openfiles(nlistf, memf, NULL, O_RDONLY, errbuf);
- if (setgid(getgid()) != 0)
- xo_err(EX_OSERR, "setgid");
-
 if (kvmd == NULL) {
 xo_warnx("kvm not available: %s", errbuf);
 return (-1);
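Review bot: With both setgid(getgid()) calls removed (here in main() and again in the kvmd_init() hunk below), the program no longer drops group privilege at runtime and relies entirely on the Makefile no longer installing it with BINGRP=kmem/BINMODE=2555; if a downstream build or package ever restores that install mode, the kvm_openfiles() path in kvmd_init() would run with the kmem group for the whole lifetime of the process, where previously the group was dropped right after the open. The hunk also deletes the comment that recorded why kvm access was restricted, so the new `if (!live) kresolve_list(nl);` carries no rationale for a future reader. Suggest replacing the removed block with a comment stating the new invariant, e.g. `/* Not installed sgid: kvm (nlistf/memf) is only used for core dumps, so no privilege drop is needed here. */`. main() continues past the end of this hunk, and kvmd_init() begins before the start of its hunk.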