Group memberships and setuid/setgid processes

grouppermissionssetgidsetuid

Processes which de-escalate privileges via setuid() and setgid() do not seem to inherit the group memberships of the uid/gid they set.

I have a server process that must be executed as root in order to open a privileged port; after that it de-escalates to a specific non-privilleged uid/gid,¹ — e.g., that of user foo (UID 73). User foo is a member of group bar:

> cat /etc/group | grep bar
bar:x:54:foo

Hence if I login as foo, I can read a file /test.txt with these characteristics:

> ls -l /test.txt
-rw-r----- 1 root bar 10 Mar  8 16:22 /test.txt

However, the following C program (compile std=gnu99), when run root:

#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

int main (void) {
    setgid(73);
    setuid(73);
    int fd = open("/test.txt", O_RDONLY);
    fprintf(stderr,"%d\n", fd);
    return 0;
}

Always reports Permission denied. I imagine this has to do with it being a non-login process, but it kind of hamstrings the way permissions are supposed to work.

^{1. Which is often SOP for servers, and I think there must be a way around this as I found a report of someone doing it with apache — apache has been added to the audio group and can apparently then use the sound system. Of course, this likely happens in a fork and not the original process, but in fact the case is the same in my context (it's a child process forked subsequent to the setuid call).}

Best Answer

The problem is that setuid and setgid are not sufficient to give your process all the credentials it needs. The authorizations of a process depend on

its UID
its GID
its supplementary groups
its capabilities.

See man 7 credentials to get a more detailed overview. So, in your case, the problem is that you correctly set the UID and GID, but you don't set the supplementary groups of the process. And group bar has GID 54, no 73 so it is not recognized as a group your process is in.

You should do

#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <grp.h>

int main (void) {
    gid_t supplementary_groups[] = {54};

    setgroups(1, supplementary_groups);
    setgid(73);
    setuid(73);
    int fd = open("/test.txt", O_RDONLY);
    fprintf(stderr,"%d\n", fd);
    return 0;
}

Related Solutions

Setuid and Setgid – Understanding Setuid and Setgid Confusion

setuid sets the effective uid euid. setgid set the effective gid egid.

In both cases the callers uids and gids will stay in place. So roughly you can say that you will get that uid/gid in addition to the callers uid and (active) gid.

Some programs can differentiate that very well.

If you log into a system, then su to root and then issue a who am i you will see your "old" account.

su is one of these suid-binaries, that will change the euid.

No output from locate command

The problem was the permissions for / (the root directory) and the clue for finding that was this line from your strace output:

access("/", R_OK|X_OK)                  = -1 EACCES (Permission denied)

You were missing group read permission settings for /. But because you still had x (execute) permission, which allows you to traverse a directory, you could still access all of the files on the filesystem, which is why most everything continued working while those permissions were in effect. The only thing you were not allowed to do is list the contents of /. Most commands don't need to list /, they either use pathnames relative to the current directory or absolute pathnames that access specific well-known directories off the root (like /etc and /var).

For security reasons, locate, even though it has access to a complete inventory of filenames generated by a privileged user, insists on reporting only results that the calling user would be able to find by scanning the whole filesystem from the root. Since you couldn't list /, which makes scanning anything straight from the root a non-starter, locate would report nothing at all.

Best Answer

Related Solutions

Setuid and Setgid – Understanding Setuid and Setgid Confusion

No output from locate command

Related Question