setgid() fails - operation not permitted

multiholle picture multiholle · Jun 16, 2012 · Viewed 13.5k times · Source

I created a setuid program in C. The executable looks like this:

-r-s-r-s--- 1 root users 13073 Jun 15 21:56 server

I execute the program as userA/users and try to set the uid/gid to userB/otherUsers. setgid() fails with Operation not permitted. userA is not part of otherUsers How can I change the effective gid?


[EDIT] Here is a small summary of what I did. My C program, executed as userA, sets uid and gid to userB and creates a file. Not as expected, the file belongs to the group root, because setgid() fails.

[userA@node uid]$ id
uid=11945(userA) gid=544(users) groups=544(users)
[userA@node uid]$ id userB
uid=11946(userB) gid=10792(otherUsers) groups=10792(otherUsers)
[userA@node uid]$ cat uid.c 
#include <stdio.h>
#include <unistd.h>

int main() {
  setuid(11946);
  setgid(10792);

FILE *f = fopen("userB_file", "w");
fclose(f);

return 0;
}
[userA@node uid]$ ls -l uid
-r-sr-sr-x 1 root root 7130 Jun 17 14:16 uid
[userA@node uid]$ ./uid 
[userA@node uid]$ ls -l userB_file 
-rw-r--r-- 1 userB root 0 Jun 17 14:19 userB_file

Answer

R.. GitHub STOP HELPING ICE picture R.. GitHub STOP HELPING ICE · Jun 16, 2012

I suspect you're calling setuid before setgid. As soon as you call setuid to change the uid to something other than root, you've forfeited your permission to change the gid to an arbitrary value. You must call setgid first, then setuid.