Using setuid() and absorbing that user's groups

Chagrin has asked for the wisdom of the Perl Monks concerning the following question:

My root user is a member of the following groups (output from "id" command):

uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

An unprivileged user is a member of the following groups:

uid=5002(jim) gid=5002(jim) groups=5002(jim),666(software)

My problem is that when I attempt to set the effective UID of my process, in order to execute a command with the same privileges as the unprivileged user, that unprivileged user's group (the "software" group) is not included as an available group. To demonstrate this a short script:

print `id`;

$( = 5002;
$< = 5002;

print `id`;
[download]

Which has an output of:

uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),
+6(disk),10(wheel)
uid=5002(jim) gid=5002(jim) euid=0(root) egid=0(root) groups=0(root),1
+(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[download]

How do I eliminate the privileged user's secondary groups and, more importantly, replace them with the unprivileged user's secondary groups?

Comment on Using setuid() and absorbing that user's groups Select or Download Code

Replies are listed 'Best First'.
Re: Using setuid() and absorbing that user's groups by haukex (Archbishop) on Jan 13, 2017 at 08:28 UTC
Hi Chagrin, Note that what you're setting with $( is the real gid, not the effective gid. Its doc says: If you are on a machine that supports membership in multiple groups simultaneously, gives a space separated list of groups you are in. ... However, a value assigned to `$(` must be a single number used to set the real gid. The doc for the effective gid, $), says: If you are on a machine that supports membership in multiple groups simultaneously, gives a space separated list of groups you are in. ... Similarly, a value assigned to `$)` must also be a space-separated list of numbers. The first number sets the effective gid, and the rest (if any) are passed to `setgroups()`. A while back I wrote some code that worked well at the time, which changes the effective gid to with one primary and one (!) secondary effective gid. This is an excerpt: `if ( $) !~ /^$WANT_GID\b.*\b$WANT_GRP2\b/ ) { $) = "$WANT_GID $WANT_GRP2"; die "Error: EGID change failed: $!" if $! \|\| $) ne "$WANT_GID $WANT_GRP2"; } warn "After: RUID=$<, EUID=$>, RGID=$(, EGID=$), umask=" .sprintf("%o",umask)."\n";` [download] As for getting the groups of a user on the machine, after a little bit of research it appears you'll have to walk the group entries yourself, something like this perhaps: `use warnings; use strict; use User::pwent; use User::grent; use List::Util qw/any/; my $u = $ENV{USER}; print " primary: ", getpwnam($u)->gid, "\n"; print "seconday: $_\n" for get_sec_grps($u); sub get_sec_grps { my $user = shift; my @sec_grps; endgrent; # reset (?) while (my $g=getgrent) { push @sec_grps, $g->gid if any {$_ eq $user} @{$g->members}; } endgrent; return @sec_grps; }` [download] Hope this helps, -- Hauke D	[reply] [d/l] [select]
Re: Using setuid() and absorbing that user's groups by Anonymous Monk on Jan 13, 2017 at 00:38 UTC
Read the doc of $), assign a space-separated list of GIDs to that variable.	[reply]
Re: Using setuid() and absorbing that user's groups by Chagrin (Initiate) on Jan 13, 2017 at 20:04 UTC
In my head I was expecting that there was some POSIX function that, after changing the uid, would set the groups for you. It's non-intuitive to me to not see the groups change automatically after setting the real uid. Thank you both for setting me on the right path.	[reply]


Just another Perl shrine
	PerlMonks