How to use setuid() from root to become user, with the possibility of becoming root again later?

Question

I'm trying to do the safe thing, and have a program that needs to runs as root to drop its privileges when it doesn't need them. This works well if I chmod my binary with the SUID bit, and make it belong to root, as now I have UID = some user, and EUID = root, so I can use seteuid(0) and seteuid(getuid()) to respectively raise and drop admin rights.

But if I use sudo instead of setting the SUID, then UID == EUID == 0, and so calling seteuid(getuid()) won't have any effect. And I can't just change UID to some value from some random user, as the setuid() man page clearly states that if it is called from a program running as root, one loses the privileges for good, with no hope of getting them back.

So, how do I make my program lose temporarily its privileges when run using sudo?

Do you need to return to the UID of the user who ran `sudo`, or just to a random, less privileged, user? — Douglas Leeder, Feb 16 '10 at 18:52
I'll settle for `nobody`. but if you know a simple way to get the sudo caller, I'm interested. — Florian, Feb 16 '10 at 18:54

score 11 · Accepted Answer · answered Feb 16 '10 at 18:31

11

seteuid(some random uid) to drop privileges, seteuid(0) to get them back, when running as root.

answered Feb 16 '10 at 18:31

Aidan Cully

5,457
24
27

3

Of course - that leaves the problem of getting the original UID of the user who called `sudo` - if the OP needs to go back to that user? – Douglas Leeder Feb 16 '10 at 18:52
Of course, there's a chance that the random UID you switch to just happens to be the sysadmin's UID. – user253751 Sep 25 '16 at 21:09
sudo creates environment variables containing the UID and GID of the calling user. You can switch to "nobody" read the variable and switch to that user. I don't recommend reading environment variables as root. "nobody" is restricted account present on most unix systems. – wheredidthatnamecomefrom Feb 18 '18 at 23:28

score 6 · Answer 2 · answered Feb 16 '10 at 18:48

6

It seems like seteuid(x) should work to drop and re-raise privs...

$ cat > t12.c
#include <stdio.h>
#include <unistd.h>

void p(void) { printf("euid=%4d uid=%4d\n", geteuid(), getuid()); }

int main(void) { p(); seteuid(100); p(); seteuid(0); p(); return 0; }
$ cc -Wall t12.c
$ sudo chown root a.out && sudo chmod 4555 a.out
$ sudo ./a.out
euid=   0 uid=   0
euid= 100 uid=   0
euid=   0 uid=   0
$ ./a.out
euid=   0 uid= 501
euid= 100 uid= 501
euid=   0 uid= 501
$

answered Feb 16 '10 at 18:48

DigitalRoss

143,651
25
248
329

How do you make sure that uid=100 is not in sudoers group? – dashesy Mar 04 '13 at 22:58
That matters only for sudo itself. The only special privilege the sudoers group grants is the ability to use the sudo command. It doesn't make the user id have root access. – wheredidthatnamecomefrom Feb 19 '18 at 02:23

score 3 · Answer 3 · answered Feb 16 '10 at 18:32

3

Not a direct answer, just would like to point you to the idea of privilege separation. Here's a great presentation by OpenBSD founder Theo de Raadt.

answered Feb 16 '10 at 18:32

Nikolai Fetissov

82,306
11
110
171

score 1 · Answer 4 · answered Sep 04 '11 at 21:59

1

Fork() before you drop privileges. Wait in the parent task until the child with reduced privileges is done, then resume in the parent with root.

seteuid is not portable to all unices and has other drawbacks too.

answered Sep 04 '11 at 21:59

Jürgen Strobel

2,200
18
30

How to use setuid() from root to become user, with the possibility of becoming root again later?

4 Answers4