Subject: Re: weird setuid behavior
To: David Laight <email@example.com>
From: Greg A. Woods <firstname.lastname@example.org>
Date: 01/26/2004 03:23:44
[ On Sunday, January 25, 2004 at 20:47:48 (+0000), David Laight wrote: ]
> Subject: Re: weird setuid behavior
> you now try to call setuid(100), the man page clearly states:
> The setuid() function is permitted if the specified ID is equal to the
> real user ID of the process, or if the effective user ID is that of the
> super user.
> So the request fails.
However POISX 2001 says the following about setuid():
If the process does not have appropriate privileges, but uid is
equal to the real user ID or the saved set-user-ID, setuid() shall
set the effective user ID to uid; the real user ID and saved
set-user-ID shall remain unchanged.
and so in the one case Niels hinted at (in his first reply to me),
namely when the state is:
real_uid = 100, effective_uid = 100, saved_uid = 0
i.e. the program is set-user-ID to zero and seteuid(100) has been
called, then a further call to setuid(100) _should_ succeed since the
real_uid is still 100, but in my experiments it doesn't succeed even
though getruid() confirms the value of real_uid.
(of course in my experiments I had to use a set-user-ID:1 binary and
thus had a saved_uid==1, since on my machines if euid==0 then both
setuid(100) and seteuid(100) change all three credentials to 100 right
away and there's no going back :-)
That reminds me: I keep meaning to implement getsuid() so that a
process can examine its own saved_uid....
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <email@example.com>
Planix, Inc. <firstname.lastname@example.org> Secrets of the Weird <email@example.com>