From 3b7e5ccc6a8fbd9da28696a3e98a648883a33af2 Mon Sep 17 00:00:00 2001
From: Ruslan Ermilov
Date: Fri, 31 Aug 2001 16:26:37 +0000
Subject: [PATCH] SECURITY: Drop `setgid kmem' bit as early as possible.
---
 sbin/ccdconfig/ccdconfig.c | 2 ++
 usr.bin/fstat/fstat.c | 1 +
 usr.bin/netstat/main.c | 1 +
 usr.bin/vmstat/vmstat.c | 1 +
 usr.sbin/pstat/pstat.c | 1 +
 usr.sbin/trpt/trpt.c | 1 +
 6 files changed, 7 insertions(+)
diff --git a/sbin/ccdconfig/ccdconfig.c b/sbin/ccdconfig/ccdconfig.c
index aea08be77eeb..85103b1aa3f5 100644
--- a/sbin/ccdconfig/ccdconfig.c
+++ b/sbin/ccdconfig/ccdconfig.c
@@ -511,6 +511,8 @@ dump_ccd(argc, argv)
 warnx("can't open kvm: %s", errbuf);
 return (1);
 }
+ setegid(getgid());
+ setgid(getgid());
 if (kvm_nlist(kd, nl))
 KVM_ABORT(kd, "ccd-related symbols not available");
diff --git a/usr.bin/fstat/fstat.c b/usr.bin/fstat/fstat.c
index 96be7061ba0c..5ee9feb7dab3 100644
--- a/usr.bin/fstat/fstat.c
+++ b/usr.bin/fstat/fstat.c
@@ -236,6 +236,7 @@ main(argc, argv)
 if ((kd = kvm_openfiles(nlistf, memf, NULL, O_RDONLY, buf)) == NULL)
 errx(1, "%s", buf);
+ setgid(getgid());
 #ifdef notdef
 if (kvm_nlist(kd, nl) != 0)
 errx(1, "no namelist: %s", kvm_geterr(kd));
diff --git a/usr.bin/netstat/main.c b/usr.bin/netstat/main.c
index 4f373d1161e2..30dfaa8040dd 100644
--- a/usr.bin/netstat/main.c
+++ b/usr.bin/netstat/main.c
@@ -664,6 +664,7 @@ kread(u_long addr, char *buf, int size)
 * XXX.
 */
 kvmd = kvm_openfiles(nlistf, memf, NULL, O_RDONLY, buf);
+ setgid(getgid());
 if (kvmd != NULL) {
 if (kvm_nlist(kvmd, nl) < 0) {
 if(nlistf)
diff --git a/usr.bin/vmstat/vmstat.c b/usr.bin/vmstat/vmstat.c
index 9da1759e2091..f48c9187ecb3 100644
--- a/usr.bin/vmstat/vmstat.c
+++ b/usr.bin/vmstat/vmstat.c
@@ -241,6 +241,7 @@ main(argc, argv)
 kd = kvm_openfiles(nlistf, memf, NULL, O_RDONLY, errbuf);
 if (kd == 0)
 errx(1, "kvm_openfiles: %s", errbuf);
+ setgid(getgid());
 if ((c = kvm_nlist(kd, namelist)) != 0) {
 if (c > 0) {
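Review bot: The return value of the privilege drop is ignored in `dump_ccd()`: if `setgid(getgid())` failed, the code would go on to `kvm_nlist()` still holding the kmem group and nothing would report it. The added calls in fstat.c, netstat/main.c, vmstat.c and trpt.c have the same gap, and pstat.c discards the result explicitly with `(void)setgid(getgid());`. A failure is unlikely when dropping to the real gid, but a drop that is relied on for security should fail closed, e.g. `if (setgid(getgid()) != 0) err(1, "setgid");` in the other files and `if (setgid(getgid()) != 0) KVM_ABORT(kd, "can't drop setgid kmem");` here, assuming `KVM_ABORT` cleans up and returns as its use two lines below suggests. The preceding `setegid(getgid());` also looks redundant, since the other five files rely on `setgid()` alone. `dump_ccd()` starts before and continues past the hunk.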
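Review bot: The added `setgid(getgid());` in fstat's `main()` has no comment saying that it must stay directly after `kvm_openfiles()`, and that ordering is what makes the change work: the open needs the kmem group, while the already-open descriptor keeps working once the group is gone. A one-line comment such as `/* kvm is open; the setgid kmem group is not needed past this point */` would keep a later reorder from either breaking the open or widening the privileged window. The same comment fits the calls added in vmstat.c, pstat.c and trpt.c. `main()` continues outside the hunk.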
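Review bot: In netstat the drop sits inside `kread()` (per the hunk header), so the kmem group is given up only when the first kernel read is attempted; a run that never reaches this line would keep the group for its whole lifetime, and everything `main()` does before the first `kread()` presumably runs with it. Placing the call before the `kvmd != NULL` test is right, since it also drops on a failed open. If `main()` can tell up front that no kvm access will be needed, it should call `setgid(getgid())` itself; at minimum a comment here, `/* Drop setgid kmem whether or not the open succeeded. */`, would record the intent. The start of `kread()` is outside the hunk, so the condition guarding this open is not visible.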
diff --git a/usr.sbin/pstat/pstat.c b/usr.sbin/pstat/pstat.c
index 595f48a4816c..a63584241887 100644
--- a/usr.sbin/pstat/pstat.c
+++ b/usr.sbin/pstat/pstat.c
@@ -291,6 +291,7 @@ main(argc, argv)
 if ((kd = kvm_openfiles(nlistf, memf, NULL, O_RDONLY, buf)) == 0)
 errx(1, "kvm_openfiles: %s", buf);
+ (void)setgid(getgid());
 if ((ret = kvm_nlist(kd, nl)) != 0) {
 if (ret == -1)
 errx(1, "kvm_nlist: %s", kvm_geterr(kd));
diff --git a/usr.sbin/trpt/trpt.c b/usr.sbin/trpt/trpt.c
index aacd75dade8b..98fd673c04b2 100644
--- a/usr.sbin/trpt/trpt.c
+++ b/usr.sbin/trpt/trpt.c
@@ -164,6 +164,7 @@ main(argc, argv)
 errx(1, "%s: no namelist", system);
 if ((memf = open(core, O_RDONLY)) < 0)
 err(2, "%s", core);
+ setgid(getgid());
 if (kflag)
 errx(1, "can't do core files yet");
 (void)klseek(memf, (off_t)nl[N_TCP_DEBX].n_value, L_SET);