Subject: Re: weird setuid behavior
To: David Laight <>
From: Greg A. Woods <>
List: tech-kern
Date: 01/26/2004 03:23:44
[ On Sunday, January 25, 2004 at 20:47:48 (+0000), David Laight wrote: ]
> Subject: Re: weird setuid behavior
> you now try to call setuid(100), the man page clearly states:
>   The setuid() function is permitted if the specified ID is equal to the
>   real user ID of the process, or if the effective user ID is that of the
>   super user.
> So the request fails.

However POISX 2001 says the following about setuid():

     If the process does not have appropriate privileges, but uid is
     equal to the real user ID or the saved set-user-ID, setuid() shall
     set the effective user ID to uid; the real user ID and saved
     set-user-ID shall remain unchanged.

and so in the one case Niels hinted at (in his first reply to me),
namely when the state is:

	real_uid = 100, effective_uid = 100, saved_uid = 0

i.e. the program is set-user-ID to zero and seteuid(100) has been
called, then a further call to setuid(100) _should_ succeed since the
real_uid is still 100, but in my experiments it doesn't succeed even
though getruid() confirms the value of real_uid.

(of course in my experiments I had to use a set-user-ID:1 binary and
thus had a saved_uid==1, since on my machines if euid==0 then both
setuid(100) and seteuid(100) change all three credentials to 100 right
away and there's no going back :-)

That reminds me:  I keep meaning to implement getsuid() so that a
process can examine its own saved_uid....

						Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <>
Planix, Inc. <>          Secrets of the Weird <>