setuid and groups (Unix Programming, March 2004)
| Christian 2004-03-30, 1:37 pm |
Hello,
I have a process running as root, which calls setuid() to become the user foo.
Unfortunately, the groups the user foo belongs to are not taken into account
after setuid(); they are still the ones the user root belongs to.
Any idea?
Christian.
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void) {
    system("id>/tmp/before.log");   /* record ids while still root */
    setuid(500);                    /* switch to user foo (uid 500) */
    system("id>/tmp/after.log");    /* record ids afterwards */
    return 0;
}
before.log :
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel),203(dba),204(oinstall),503(informix)
after.log :
uid=500(foo) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel),203(dba),204(oinstall),503(informix)
| |
| Pascal Bourguignon 2004-03-30, 2:39 pm |
"Christian" <cgregoir99@yahoo.com> writes:
> Hello,
>
> I have a process running as root, which setuid to the user foo.
>
> Unfortunately, the groups the user foo belongs to are not taken into account
> after setuid(), they are still the ones the user root belongs to.
>
> Any idea ?
You have to change the group too, with setgid.
You can find the default group for the user with getpwent.
--
__Pascal_Bourguignon__ http://www.informatimago.com/
There is no worse tyranny than to force a man to pay for what he doesn't
want merely because you think it would be good for him.--Robert Heinlein
http://www.theadvocates.org/
| |
| Christian 2004-03-31, 5:39 am |
"Pascal Bourguignon" <spam@thalassa.informatimago.com> wrote in message
news:87d66uxk86.fsf@thalassa.informatimago.com...
> "Christian" <cgregoir99@yahoo.com> writes:
>
>
> You have to change the group too, with setgid.
> You can find the default group for the user with getpwent.
>
This does not solve the problem. Here is my piece of code :
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void) {
    system("id>/tmp/before.log");   /* record ids while still root */
    setgid(102);                    /* cilink group */
    setuid(500);                    /* cilink user */
    system("id>/tmp/after.log");    /* record ids afterwards */
    return 0;
}
before.log :
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel),203(dba),204(oinstall),503(informix)
after.log :
uid=500(cilink) gid=102(cilink) groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel),203(dba),204(oinstall),503(informix)
Maybe I didn't make myself understood. I want my process to belong to the cilink
user because it itself belongs to the cvs group, as specified in /etc/group :
cvs:x:509:cilink
I want my process to have the right to write in a directory which is :
drwxrwxr-x 13 adm cvs 4096 mar 30 17:01 dev-cvs
But running setuid/setgid doesn't modify the groups the process belongs to,
only the uid/gid (it leaves the 'groups' list unchanged).
Instead of what the after.log file shows, I'd like to have (as given by
running id under the cilink account) :
uid=500(cilink) gid=102(cilink) groups=102(cilink),509(cvs)
so that my process cant write to this directory.
Thanks for your help
Christian
| |
| Barry Margolin 2004-03-31, 5:39 am |
In article <c4e3oj$jj2$1@reader1.imaginet.fr>,
"Christian" <cgregoir99@yahoo.com> wrote:
> But running setuid/setgid doesn't modify the groups the process belongs to,
> only the uid/gid (it leaves the 'groups' list unchanged).
>
> Instead of what the after.log file shows, I 'd like to have (as given by
> running id under the cilink account) :
> uid=500(cilink) gid=102(cilink) groups=102(cilink),509(cvs)
> so that my process cant write to this directory.
To change the supplementary groups, use setgroups(). You could also use
the library function initgroups() to look up all the groups that the
username belongs to and set them -- this is what the system does when
you login.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
| |
| Richard Kettlewell 2004-03-31, 6:36 am |
"Christian" <cgregoir99@yahoo.com> writes:
> But running setuid/setgid doesn't modify the groups the process belongs to,
> only the uid/gid (it leaves the 'groups' list unchanged).
Use initgroups.
--
http://www.greenend.org.uk/rjk/
| |
| Pascal Bourguignon 2004-03-31, 7:47 am |
"Christian" <cgregoir99@yahoo.com> writes:
> after.log :
> uid=500(cilink) gid=102(cilink) groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel),203(dba),204(oinstall),503(informix)
>
> Maybe I didn't make myself understood. I want my process to belong to the cilink
> user because it itself belongs to the cvs group, as specified in /etc/group :
> cvs:x:509:cilink
> I want my process to have the right to write in a directory which is :
> drwxrwxr-x 13 adm cvs 4096 mar 30 17:01 dev-cvs
Anyway, changing groups with initgroup as it has been advised won't
help you if you keep setting group to 102(cilink) while still wanting
to be able to write in a directory owned by adm group cvs!
Either you give 777 access rights to this directory, or you set gid to
cvs or you set uid to adm!
--
__Pascal_Bourguignon__ http://www.informatimago.com/
There is no worse tyranny than to force a man to pay for what he doesn't
want merely because you think it would be good for him.--Robert Heinlein
http://www.theadvocates.org/
| |
| Christian 2004-03-31, 9:48 am |
"Pascal Bourguignon" <spam@thalassa.informatimago.com> wrote in message
news:8765clw83y.fsf@thalassa.informatimago.com...
> "Christian" <cgregoir99@yahoo.com> writes:
>
> Anyway, changing groups with initgroup as it has been advised won't
> help you if you keep setting group to 102(cilink) while still wanting
> to be able to write in a directory owned by adm group cvs!
>
Well, I want my process to be owned by the cilink user because it belongs to
the cvs group, which gives write permissions to the directory. Same behaviour
as running "su cilink" on the command line. I can't see what would not help
me.
Anyway, initgroups does exactly what I need. The following code gives me a
process with uid = cilink, gid = cilink and the groups the cilink user
belongs to, and among them cvs, which is fine. And the titi file is
correctly created.
drwxrwxr-x 2 adm cvs 1024 mar 31 15:24 /tmp/dev-cvs
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void) {
    FILE *fp;
    setgid(102);                       /* cilink group */
    initgroups("cilink", (gid_t) 0);   /* cilink's supplementary groups, plus gid 0 */
    setuid(500);                       /* cilink user */
    system("id>after.log");
    fp = fopen("/tmp/dev-cvs/titi", "w");
    if (fp != NULL)                    /* fclose(NULL) is undefined behaviour */
        fclose(fp);
    return 0;
}
after.log :
uid=500(cilink) gid=102(cilink) groups=0(root),10(wheel),504(cvs)
One weird thing to me: the root group is listed. When running id under the
cilink account, I get :
uid=500(cilink) gid=102(cilink) groups=102(cilink),10(wheel),504(cvs)
Any idea again?
Christian
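Putting Barry's initgroups() advice and the root-group observation in the last post together, here is an added example that is not code from the thread: the user name cilink, the cvs gid 509 (from the /etc/group line quoted above) and the path /tmp/dev-cvs/titi are taken from the posts, and the example assumes it is started as root. It drops privileges in the order login(1) uses, checks every return value, and passes the user's own primary gid to initgroups() rather than 0, which is what keeps 0(root) out of the supplementary list.

```c
#define _DEFAULT_SOURCE             /* initgroups() is a BSD/XSI extension */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Pure helper: 1 if gid is one of the n entries in list, else 0. */
int gid_in_list(const gid_t *list, int n, gid_t gid) {
    for (int i = 0; i < n; i++)
        if (list[i] == gid) return 1;
    return 0;
}

/* 1 if gid is in the process's supplementary list (what id(1) prints after
   "groups="), 0 if not, -1 on error. Sized at run time: NGROUPS_MAX is big. */
int in_supplementary_groups(gid_t gid) {
    int n = getgroups(0, NULL);
    if (n <= 0) return n;                       /* 0: empty list, -1: error */
    gid_t *list = calloc((size_t)n, sizeof *list);
    if (list == NULL) return -1;
    n = getgroups(n, list);
    int found = (n < 0) ? -1 : gid_in_list(list, n, gid);
    free(list);
    return found;
}

/* Drop from root to `user` the way login(1) does. Order matters: set the
   supplementary list while still root (initgroups needs the privilege), then
   the primary gid, then the uid last. initgroups() also appends its second
   argument to the list: passing 0 there is what leaves 0(root) in it. */
int drop_privileges_to(const char *user) {
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -1;                  /* unknown user: refuse */
    uid_t uid = pw->pw_uid; gid_t gid = pw->pw_gid;   /* pw is static storage */
    if (initgroups(user, gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* the drop must be permanent */
    if (getuid() != uid || geteuid() != uid || getgid() != gid) return -1;
    return 0;
}

int main(void) {          /* must start as root; user, gid, path from the thread */
    if (drop_privileges_to("cilink") != 0) { perror("drop_privileges_to"); return 1; }
    printf("cvs(509) in supplementary groups: %d\n", in_supplementary_groups(509));
    FILE *fp = fopen("/tmp/dev-cvs/titi", "w");
    if (fp == NULL) { perror("fopen"); return 1; }
    return fclose(fp) == 0 ? 0 : 1;
}
```

Run as root it should print 1 for the cvs check and create the file; as an unprivileged user drop_privileges_to() fails on setgid/setuid and the program stops instead of continuing with the wrong identity.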