11 files changed, 241 insertions, 66 deletions
diff --git a/lib/libc/gen/Symbol.map b/lib/libc/gen/Symbol.map
index 26f638568efc..494b65bc5cc1 100644
--- a/lib/libc/gen/Symbol.map
+++ b/lib/libc/gen/Symbol.map
@@ -193,7 +193,6 @@ FBSD_1.0 {
 	__isinff;
 	__isinfl;
 	isatty;
-	initgroups;
 	jrand48;
 	lcong48;
 	ldexp;
@@ -462,6 +461,7 @@ FBSD_1.8 {
 	fdscandir_b;
 	fts_open_b;
 	glob_b;
+	initgroups;
 	inotify_add_watch;
 	inotify_init;
 	inotify_init1;
diff --git a/lib/libc/gen/fts-compat.c b/lib/libc/gen/fts-compat.c
index f87cabf085f7..62a1e0a81f62 100644
--- a/lib/libc/gen/fts-compat.c
+++ b/lib/libc/gen/fts-compat.c
@@ -44,9 +44,9 @@
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
-#include "gen-compat.h"
 #include "fts-compat.h"
 #include "un-namespace.h"
+#include "gen-compat.h"
 
 #include "gen-private.h"
 
diff --git a/lib/libc/gen/fts-compat11.c b/lib/libc/gen/fts-compat11.c
index 0351ce5ac690..5abb378f5f08 100644
--- a/lib/libc/gen/fts-compat11.c
+++ b/lib/libc/gen/fts-compat11.c
@@ -43,9 +43,9 @@
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
-#include "gen-compat.h"
 #include "fts-compat11.h"
 #include "un-namespace.h"
+#include "gen-compat.h"
 
 #include "gen-private.h"
 
diff --git a/lib/libc/gen/fts.3 b/lib/libc/gen/fts.3
index ee558b892c8c..b937607b48e0 100644
--- a/lib/libc/gen/fts.3
+++ b/lib/libc/gen/fts.3
@@ -25,7 +25,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd June 30, 2025
+.Dd October 1, 2025
 .Dt FTS 3
 .Os
 .Sh NAME
@@ -376,7 +376,44 @@ The
 .Fa fts_name
 field is always
 .Dv NUL Ns -terminated .
-.Sh FTS_OPEN
+.Ss Thread Safety
+The
+.Nm
+functions can safely be used in multi-threaded programs provided no
+two threads access the same
+.Vt FTS
+or
+.Vt FTSENT
+structure simultaneously.
+However, unless the
+.Dv FTS_NOCHDIR
+flag was passed to
+.Fn fts_open
+or
+.Fn fts_open_b ,
+calls to
+.Fn fts_read
+and
+.Fn fts_children
+may change the current working directory, which will affect all
+threads.
+Conversely, changing the current working directory either during or
+between calls to
+.Fn fts_read
+or
+.Fn fts_children
+(even in a single-thread program) may cause
+.Nm
+to malfunction unless the
+.Dv FTS_NOCHDIR
+flag was passed to
+.Fn fts_open
+or
+.Fn fts_open_b
+and all paths in
+.Va path_argv
+were absolute.
+.Ss Fn fts_open
 The
 .Fn fts_open
 function takes a pointer to an array of character pointers naming one
@@ -545,7 +582,7 @@ the directory traversal order is in the order listed in
 .Fa path_argv
 for the root paths, and in the order listed in the directory for
 everything else.
-.Sh FTS_OPEN_B
+.Ss Fn fts_open_b
 The
 .Fn fts_open_b
 function is identical to
@@ -554,7 +591,7 @@ except that it takes a block pointer instead of a function pointer.
 The block is copied before
 .Fn fts_open_b
 returns, so the original can safely go out of scope or be released.
-.Sh FTS_READ
+.Ss Fn fts_read
 The
 .Fn fts_read
 function returns a pointer to an
@@ -605,7 +642,7 @@ after the
 structure has been returned by the function
 .Fn fts_read
 in post-order.
-.Sh FTS_CHILDREN
+.Ss Fn fts_children
 The
 .Fn fts_children
 function returns a pointer to an
@@ -679,7 +716,7 @@ and
 .Fa fts_namelen
 fields.
 .El
-.Sh FTS_SET
+.Ss Fn fts_set
 The function
 .Fn fts_set
 allows the user application to determine further processing for the
@@ -749,7 +786,7 @@ The file may be one of those most recently returned by either
 or
 .Fn fts_read .
 .El
-.Sh FTS_CLOSE
+.Ss Fn fts_close
 The
 .Fn fts_close
 function closes a file hierarchy stream
diff --git a/lib/libc/gen/gen-compat.h b/lib/libc/gen/gen-compat.h
index 08e80ede6b6e..19b9addb4321 100644
--- a/lib/libc/gen/gen-compat.h
+++ b/lib/libc/gen/gen-compat.h
@@ -40,16 +40,50 @@ struct freebsd11_statfs;
 struct freebsd11_dirent *freebsd11_readdir(DIR *);
 int	freebsd11_readdir_r(DIR *, struct freebsd11_dirent *,
 	    struct freebsd11_dirent **);
-int	freebsd11_stat(const char *, struct freebsd11_stat *);
-int	freebsd11_lstat(const char *, struct freebsd11_stat *);
-int	freebsd11_fstat(int, struct freebsd11_stat *);
-int	freebsd11_fstatat(int, const char *, struct freebsd11_stat *, int);
 
-int	freebsd11_statfs(const char *, struct freebsd11_statfs *);
-int	freebsd11_getfsstat(struct freebsd11_statfs *, long, int);
 int	freebsd11_getmntinfo(struct freebsd11_statfs **, int);
 
 char	*freebsd11_devname(__uint32_t dev, __mode_t type);
-char	*freebsd11_devname_r(__uint32_t dev, __mode_t type, char *buf, int len);
+char	*freebsd11_devname_r(__uint32_t dev, __mode_t type, char *buf,
+	    int len);
+
+/*
+ * We want freebsd11_fstat in C source to result in resolution to
+ * - fstat@FBSD_1.0 for libc.so (but we do not need the _definition_
+ *   of this fstat, it is provided by libsys.so which we want to use).
+ * - freebsd11_fstat for libc.a (since if we make it fstat@FBSD_1.0
+ *   for libc.a, then final linkage into static object ignores version
+ *   and would reference fstat, which is the current syscall, not the
+ *   compat syscall). libc.a provides the freebsd11_fstat implementation.
+ *   Note that freebsd11_fstat from libc.a is not used for anything, but
+ *   we make it correct nonetheless, just in case it would.
+ * This is arranged by COMPAT_SYSCALL, and libc can just use freebsd11_fstat.
+ */
+#ifdef PIC
+#define	COMPAT_SYSCALL(rtype, fun, args, sym, ver)			\
+    rtype fun args; __sym_compat(sym, fun, ver);
+#else
+#define	COMPAT_SYSCALL(rtype, fun, args, sym, ver)			\
+    rtype fun args;
+#endif
+
+COMPAT_SYSCALL(int, freebsd11_stat, (const char *, struct freebsd11_stat *),
+    stat, FBSD_1.0);
+COMPAT_SYSCALL(int, freebsd11_lstat, (const char *, struct freebsd11_stat *),
+    lstat, FBSD_1.0);
+COMPAT_SYSCALL(int, freebsd11_fstat, (int, struct freebsd11_stat *),
+    fstat, FBSD_1.0);
+COMPAT_SYSCALL(int, freebsd11_fstatat, (int, const char *,
+    struct freebsd11_stat *, int), fstatat, FBSD_1.1);
+
+COMPAT_SYSCALL(int, freebsd11_statfs, (const char *,
+    struct freebsd11_statfs *), statfs, FBSD_1.0);
+COMPAT_SYSCALL(int, freebsd11_getfsstat, (struct freebsd11_statfs *, long,
+    int), getfsstat, FBSD_1.0);
+
+COMPAT_SYSCALL(int, freebsd14_setgroups, (int gidsize, const __gid_t *gidset),
+    setgroups, FBSD_1.0);
+
+#undef COMPAT_SYSCALL
 
 #endif /* _GEN_COMPAT_H_ */
diff --git a/lib/libc/gen/getgrouplist.3 b/lib/libc/gen/getgrouplist.3
index e9a980f99751..e3939fc2481a 100644
--- a/lib/libc/gen/getgrouplist.3
+++ b/lib/libc/gen/getgrouplist.3
@@ -1,5 +1,13 @@
+.\"-
+.\" SPDX-License-Identifier: BSD-3-Clause
+.\"
 .\" Copyright (c) 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
+.\" Copyright (c) 2025 The FreeBSD Foundation
+.\"
+.\" Portions of this documentation were written by Olivier Certner
+.\" <olce@FreeBSD.org> at Kumacom SARL under sponsorship from the FreeBSD
+.\" Foundation.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -25,12 +33,12 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd October 26, 2014
+.Dd August 29, 2025
 .Dt GETGROUPLIST 3
 .Os
 .Sh NAME
 .Nm getgrouplist
-.Nd calculate group access list
+.Nd produce a user's effective group list
 .Sh LIBRARY
 .Lb libc
 .Sh SYNOPSIS
@@ -40,16 +48,16 @@
 .Sh DESCRIPTION
 The
 .Fn getgrouplist
-function reads through the group file and calculates
-the group access list for the user specified in
-.Fa name .
-The
+function reads through the group database to retrieve the supplementary groups
+for the user specified in
+.Fa name ,
+and returns the effective group list, whose first group is the value of
+.Fa basegid
+and the others are the retrieved supplementary groups.
 .Fa basegid
-is automatically included in the groups list.
-Typically this value is given as
-the group number from the password file.
+typically is the user's group number from the password database.
 .Pp
-The resulting group list is returned in the array pointed to by
+The effective group list is returned in the array pointed to by
 .Fa groups .
 The caller specifies the size of the
 .Fa groups
@@ -70,6 +78,7 @@ Here, the group array will be filled with as many groups as will fit.
 group membership list
 .El
 .Sh SEE ALSO
+.Xr setcred 2 ,
 .Xr setgroups 2 ,
 .Xr initgroups 3
 .Sh HISTORY
diff --git a/lib/libc/gen/getgrouplist.c b/lib/libc/gen/getgrouplist.c
index 5bd06bc5121f..9c57b7031336 100644
--- a/lib/libc/gen/getgrouplist.c
+++ b/lib/libc/gen/getgrouplist.c
@@ -29,13 +29,8 @@
  * SUCH DAMAGE.
  */
 
-/*
- * get credential
- */
 #include <sys/types.h>
 
-#include <grp.h>
-#include <string.h>
 #include <unistd.h>
 #include <ssp/ssp.h>
 
@@ -46,4 +41,3 @@ __ssp_real(getgrouplist)(const char *uname, gid_t agroup, gid_t *groups, int *gr
 {
 	return __getgroupmembership(uname, agroup, groups, *grpcnt, grpcnt);
 }
-
diff --git a/lib/libc/gen/initgroups.3 b/lib/libc/gen/initgroups.3
index 03bd07494fc9..4f538fb180ec 100644
--- a/lib/libc/gen/initgroups.3
+++ b/lib/libc/gen/initgroups.3
@@ -1,5 +1,13 @@
+.\"-
+.\" SPDX-License-Identifier: BSD-3-Clause
+.\"
 .\" Copyright (c) 1983, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
+.\" Copyright (c) 2025 The FreeBSD Foundation
+.\"
+.\" Portions of this documentation were written by Olivier Certner
+.\" <olce@FreeBSD.org> at Kumacom SARL under sponsorship from the FreeBSD
+.\" Foundation.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -25,12 +33,12 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd October 26, 2014
+.Dd September 17, 2025
 .Dt INITGROUPS 3
 .Os
 .Sh NAME
 .Nm initgroups
-.Nd initialize group access list
+.Nd initialize supplementary groups as per the group database
 .Sh LIBRARY
 .Lb libc
 .Sh SYNOPSIS
@@ -40,19 +48,18 @@
 .Sh DESCRIPTION
 The
 .Fn initgroups
-function
-uses the
-.Xr getgrouplist 3
-function to calculate the group access list for the user
-specified in
+function initializes the current process' supplementary groups as prescribed by
+its arguments and the system's group database.
+.Pp
+It first uses the
+.Fn getgrouplist
+function to compute a list of groups containing the passed
+.Fa basegid ,
+which typically is the user's initial numerical group ID from the password
+database, and the supplementary groups in the group database for the user named
 .Fa name .
-This group list is then setup for the current process using
-.Xr setgroups 2 .
-The
-.Fa basegid
-is automatically included in the groups list.
-Typically this value is given as
-the group number from the password file.
+It then installs this list as the current process' supplementary groups using
+.Fn setgroups .
 .Sh RETURN VALUES
 .Rv -std initgroups
 .Sh ERRORS
@@ -60,7 +67,7 @@ The
 .Fn initgroups
 function may fail and set
 .Va errno
-for any of the errors specified for the library function
+to any of the errors specified for the library function
 .Xr setgroups 2 .
 It may also return:
 .Bl -tag -width Er
@@ -77,3 +84,67 @@ The
 .Fn initgroups
 function appeared in
 .Bx 4.2 .
+.Pp
+The
+.Fn initgroups
+function changed semantics in
+.Fx 15 ,
+following that of
+.Xr setgroups 2
+in the same release.
+Before that, it would also set the effective group ID to
+.Fa basegid ,
+and would not include the latter in the supplementary groups except before
+.Fx 8 .
+Its current behavior in these respects is known to be compatible with that of
+the following systems up to the specified versions that are current at time of
+this writing:
+.Bl -dash -width "-" -compact
+.It
+Linux (up to 6.6) with the GNU libc (up to 2.42)
+.It
+.Nx 1.1 and greater (up to 10)
+.It
+.Ox (up to 7.7)
+.It
+Systems based on illumos (up to August 2025 sources)
+.El
+.Sh SECURITY CONSIDERATIONS
+As
+.Fa basegid
+is typically the user's initial numerical group ID, to which the current
+process' effective group ID is generally initialized, processes using functions
+to change their effective group ID
+.Pq via Xr setgid 2 or similar
+or that are spawned from executables with the set-group-ID mode bit set will not
+be able to relinquish the access rights deriving from being a member of
+.Fa basegid ,
+as these functions do not change the supplementary groups.
+.Pp
+This behavior is generally desirable in order to paper over the difference of
+treatment between the effective group and supplementary ones in this situation,
+as they are all in the end indiscriminately used in traditional UNIX
+discretionary access checks.
+It blends well with the practice of allocating each user its own private group,
+as processes launched from a set-group-ID executable keep the same user and
+consistently stay also in the same user's group.
+Finally, it was also chosen for compatibility with other systems
+.Po
+see the
+.Sx HISTORY
+section
+.Pc .
+.Pp
+This convention of including
+.Fa basegid
+in the supplementary groups is however only enforced by the
+.Fn initgroups
+function, and not by the
+.Xr setgroups 2
+system call, so applications expressly wanting to include in the supplementary
+groups only those specified by the group database can themselves call
+.Fn getgrouplist
+and then
+.Fn setgroups
+on the result with the first element skipped
+.Pq see Xr getgrouplist 3 .
diff --git a/lib/libc/gen/initgroups.c b/lib/libc/gen/initgroups.c
index b6697dd7ed8f..a1a7d92250e2 100644
--- a/lib/libc/gen/initgroups.c
+++ b/lib/libc/gen/initgroups.c
@@ -3,6 +3,11 @@
  *
  * Copyright (c) 1983, 1993
  *	The Regents of the University of California.  All rights reserved.
+ * Copyright (c) 2025 The FreeBSD Foundation
+ *
+ * Portions of this software were developed by Olivier Certner
+ * <olce@FreeBSD.org> at Kumacom SARL under sponsorship from the FreeBSD
+ * Foundation.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -29,34 +34,52 @@
  * SUCH DAMAGE.
  */
 
-#include <sys/param.h>
+/* For __sym_compat(). */
+#include <sys/cdefs.h>
 
-#include "namespace.h"
-#include <err.h>
-#include "un-namespace.h"
 #include <errno.h>
-#include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 
-int
-initgroups(const char *uname, gid_t agroup)
+/* For freebsd14_setgroups(). */
+#include "gen-compat.h"
+
+static int
+initgroups_impl(const char *uname, gid_t agroup,
+    int (*setgroups)(int, const gid_t *))
 {
-	int ngroups, ret;
-	long ngroups_max;
 	gid_t *groups;
+	long ngroups_max;
+	int ngroups, ret;
 
 	/*
-	 * Provide space for one group more than possible to allow
-	 * setgroups to fail and set errno.
+	 * Provide space for one group more than possible to allow setgroups()
+	 * to fail and set 'errno' in case we get back more than {NGROUPS_MAX} +
+	 * 1 groups.
 	 */
 	ngroups_max = sysconf(_SC_NGROUPS_MAX) + 2;
-	if ((groups = malloc(sizeof(*groups) * ngroups_max)) == NULL)
-		return (ENOMEM);
+	groups = malloc(sizeof(*groups) * ngroups_max);
+	if (groups == NULL)
+		return (-1); /* malloc() set 'errno'. */
 
 	ngroups = (int)ngroups_max;
-	getgrouplist(uname, agroup, groups, &ngroups);
-	ret = setgroups(ngroups, groups);
+	(void)getgrouplist(uname, agroup, groups, &ngroups);
+	ret = (*setgroups)(ngroups, groups);
+
 	free(groups);
-	return (ret);
+	return (ret); /* setgroups() set 'errno'. */
 }
+
+int
+initgroups(const char *uname, gid_t agroup)
+{
+	return (initgroups_impl(uname, agroup, setgroups));
+}
+
+int
+freebsd14_initgroups(const char *uname, gid_t agroup)
+{
+	return (initgroups_impl(uname, agroup, freebsd14_setgroups));
+}
+
+__sym_compat(initgroups, freebsd14_initgroups, FBSD_1.0);
diff --git a/lib/libc/gen/psignal.3 b/lib/libc/gen/psignal.3
index 098b7b02a9b9..bf6a99b4b113 100644
--- a/lib/libc/gen/psignal.3
+++ b/lib/libc/gen/psignal.3
@@ -25,7 +25,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd May 10, 2025
+.Dd September 23, 2025
 .Dt PSIGNAL 3
 .Os
 .Sh NAME
@@ -141,6 +141,13 @@ The name in
 can be either the name of the signal, with or without the
 .Dq SIG
 prefix, or a decimal number.
+.Sh RETURN VALUES
+The
+.Fn sig2str
+and
+.Fn str2sig
+return 0 on success and -1 on translation failure.
+In the latter case the memory to store the translation result is left intact.
 .Sh SEE ALSO
 .Xr sigaction 2 ,
 .Xr perror 3 ,
diff --git a/lib/libc/gen/sysconf.c b/lib/libc/gen/sysconf.c
index 66562d0e29f0..b5b732eed05d 100644
--- a/lib/libc/gen/sysconf.c
+++ b/lib/libc/gen/sysconf.c
@@ -51,7 +51,7 @@
 #include "un-namespace.h"
 
 #include "../stdlib/atexit.h"
-#include "tzdir.h"		/* from ../../../contrib/tzcode/stdtime */
+#include "tzdir.h"		/* from ../../../contrib/tzcode */
 #include "libc_private.h"
 
 #define	_PATH_ZONEINFO	TZDIR	/* from tzfile.h */