setgid() fails - operation not permitted
I suspect you're calling setuid before setgid. As soon as you call setuid to change the uid to something other than root, you've forfeited your permission to change the gid to an arbitrary value. You must call setgid first, then setuid.
Author: multiholle
Updated on June 22, 2022

Comments
-
multiholle almost 2 years
I created a setuid program in C. The executable looks like this:
-r-s-r-s--- 1 root users 13073 Jun 15 21:56 server
I execute the program as userA/users and try to set the uid/gid to userB/otherUsers. setgid() fails with Operation not permitted. userA is not part of otherUsers.
How can I change the effective gid?
[EDIT] Here is a small summary of what I did. My C program, executed as userA, sets uid and gid to userB and creates a file. Not as expected, the file belongs to the group root, because setgid() fails.

[userA@node uid]$ id
uid=11945(userA) gid=544(users) groups=544(users)
[userA@node uid]$ id userB
uid=11946(userB) gid=10792(otherUsers) groups=10792(otherUsers)
[userA@node uid]$ cat uid.c
#include <stdio.h>
#include <unistd.h>
int main()
{
    setuid(11946);
    setgid(10792);
    FILE *f = fopen("userB_file", "w");
    fclose(f);
    return 0;
}
[userA@node uid]$ ls -l uid
-r-sr-sr-x 1 root root 7130 Jun 17 14:16 uid
[userA@node uid]$ ./uid
[userA@node uid]$ ls -l userB_file
-rw-r--r-- 1 userB root 0 Jun 17 14:19 userB_file
-
multiholle almost 12 years
This is as obvious as simple! Damn, you're so right. I changed the order and of course, it works! Thanks. btw: I added my original C program in the question.
-
Bemipefe over 6 years
It is actually not so obvious. It is not reported in the man page of setgid and neither in the man page of setuid.
-
R.. GitHub STOP HELPING ICE over 6 years
@Bemipefe: It should be obvious as a consequence of the permission model that you can't change your group id to anything you want when you're a normal unprivileged user.
-
Bemipefe over 6 years
@R.. I was referring to the fact that the setgid function must be called before the setuid function. This rule applies also to processes which run as root user.
-
R.. GitHub STOP HELPING ICE over 6 years
@Bemipefe: That "rule" is just a consequence of the fact that only root can change gid to arbitrary groups. After calling setuid you're no longer root.