Using SUID bit to drop privileges

privilegesSecuritysetuid

So this is a description of the system I'm working on :

a "manager" process spawns all the other applications.
The manager application runs as root user.
so now, any process that it spawns also inherit root user privileges.

The third point is clearly makes my application (let's call it 'player') a security risk so one solution would be to create a separate user and group, say 'worker' and then spawn the 'player' process as that user.

The specific implementation is as follows :

chown the binary (player.out) to the worker user and group chown worker:worker player.out
set the SUID bit on it with chmod a+s player.out.
- this ensures that the process is started with (atleast) it's EUID set to 'worker'.
inside the application main use setregid() and setreuid to set the RUID to the same value as the EUID :
```
if(setregid(getegid(), getegid()) != 0) {}
if(setreuid(geteuid(), geteuid()) != 0) {}
```

My question is in two parts :

Processes with SUID bit set are usually owned by root and are called setuid-applications to denote (possibly) that their permissions are elevated to root user irrespective of which user invoked the program.
- is there any special name for binaries that use the SUID bit to automatically drop priveleges?
Is there any other, better way to ensure that the 'player' application drops priveleges?

Edit : I should clarify that I have no control over the "manager" process that spawns the other processes. I only have control over my player application.

Best Answer

As you correctly state a SUID bit, sets the effective user-id of the new process to the owner of the program file being run. There's no concept of raising or lowering privileges. Often the user to which one "suids" is root, but it can just as legitimately be any other, and doesn't really change the concept of SUID, when you choose another, apart from some users have access to certain resources. However the root user is a little bit special, and the man page for setuid, explains the subtle differences. I don't think there is a special name for changing to a non-root user, and I have never associated suid meaning going up in privilege, just changing user.
Since you are developing the master yourself which runs as root it can setuid to any user after forking but before exec-ing the new process, I dont see that suid bit has to be used on executable at all, and incidently if you don't, then if any-old user ran the player, since executable is not suid, they wouldn't be able to run it correctly since setuid will fail if they were not root. For me this seems like better security, than using suid bits on executable files.

--- edit 1

So your manager (running as real and effective uid=0) starts player and you code/control player (not manager). If you do nothing special, then player will run with real+effective uid=0 and you want to prevent this.

You could just switch uid in player, no SUID bits on player, no need.

Root is user 0

The key thing is the user ID 0. There are many places in the kernel that check the user ID of the calling process and grant permission to do something only if the user ID is 0.

The user name is irrelevant; the kernel doesn't even know about user names.

Android's permission mechanism is identical at the kernel level but completely different at the application level. Android has a root user (UID 0), just like any other system based on a Linux kernel. Android doesn't have user accounts though, and on most setups doesn't allow the user (as in the human operating and owning the device) to perform actions as the root user. A “rooted” Android is a setup that does allow the device owner/user to perform actions as root.

How setuid works

A setuid executable runs as the user who owns the executable. For example, su is setuid and owned by root, so when any user runs it, the process running su runs as the root user. The job of su is to verify that the user that calls it is allowed to use the root account, to run the specified command (or a shell if no command is specified) if this verification succeeds, and to exit if this verification fails. For example, su might ask the user to prove that they know the root password.

In more detail, a process has three user IDs: the effective UID, which is used for security checks; the real UID, which is used in a few privilege checks but is mainly useful as a backup of the original user ID, and the saved user ID which allows a process to temporarily switch its effective UID to the real user ID and then go back to the former effective UID (this is useful e.g. when a setuid program needs to access a file as the original user). Running a setuid executable sets the effective UID to the owner of executable and retains the real UID.

Running a setuid executable (and similar mechanisms, e.g. setgid) is the only way to elevate the privileges of a process. Pretty much everything else can only decrease the privileges of a process.

Beyond traditional Unix

Until now I described traditional Unix systems. All of this is true on a modern Linux system, but Linux brings several additional complications.

Linux has a capability system. Remember how I said that the kernel has many checks where only processes running as user ID 0 are allowed? In fact, each check gets its own capability (well, not quite, some checks use the same capability). For example, there's a capability for accessing raw network sockets, and another capability for rebooting the system. Each process has a set of capabilities along side its users and groups. The process passes the check if it is running as user 0 or if it has the capability that corresponds to the check. A process that requires a specific privilege can run as a non-root user but with the requisite capability; this limits the impact if the process has a security hole. An executable can be setcap to one or more capabilities: this is similar to setuid, but works on the process's capability set instead of the process's user ID. For example, ping only needs raw network sockets, so it can be setcap CAP_NET_RAW instead of setuid root.

Linux has several security modules, the best known being SELinux. Security modules introduce additional security checks, which can apply even to processes running as root. For example, it's possible (not easy!) to set up SELinux so as to run a process as user ID 0 but with so many restrictions that it can't actually do anything.

Linux has user namespaces. Inside the kernel, a user is in fact not just a user ID, but a pair consisting of a user ID and a namespace. Namespaces form a hierarchy: a child namespace refines permissions within its parent. The all-powerful user is user 0 in the root namespace. User 0 in a namespace has powers only inside that namespace. For example, user 0 in a user namespace can impersonate any user of that namespace; but from the outside all the processes in that namespace run as the same user.

Best Answer

Related Solutions

Files – Difference Between Owner/Root and RUID/EUID

What exactly differentiates the root user from every other user

Root is user 0

How setuid works

Beyond traditional Unix

Related Question