setuid on an executable doesn't seem to work

linux process c setuid
pmn picture pmn · Dec 17, 2013 · Viewed 8.2k times · Source

I wrote a small C utility called killSPR to kill the following processes on my RHEL box. The idea is for anyone who logs into this linux box to be able to use this utility to kill the below mentioned processes (which doesn't work - explained below). 

cadmn@rhel /tmp > ps -eaf | grep -v grep | grep " SPR "  
cadmn    5822  5821 99 17:19 ?        00:33:13 SPR 4 cadmn  
cadmn   10466 10465 99 17:25 ?        00:26:34 SPR 4 cadmn  
cadmn   13431 13430 99 17:32 ?        00:19:55 SPR 4 cadmn  
cadmn   17320 17319 99 17:39 ?        00:13:04 SPR 4 cadmn  
cadmn   20589 20588 99 16:50 ?        01:01:30 SPR 4 cadmn  
cadmn   22084 22083 99 17:45 ?        00:06:34 SPR 4 cadmn  
cadmn@rhel /tmp >

This utility is owned by the user cadmn (under which these processes run) and has the setuid flag set on it (shown below).

cadmn@rhel /tmp > ls -l killSPR  
-rwsr-xr-x 1 cadmn cusers 9925 Dec 17 17:51 killSPR  
cadmn@rhel /tmp >

The C code is given below:

/*  
 * Program Name: killSPR.c  
 * Description: A simple program that kills all SPR processes that  
 * run as user cadmn  
 */  
#include <stdio.h>  
int main()  
{  
    char *input;  
    printf("Before you proceed, find out under which ID I'm running. Hit enter when you are done...");  
    fgets(input, 2, stdin);  

    const char *killCmd = "kill -9 $(ps -eaf | grep -v grep | grep \" SPR \" | awk '{print $2}')";  
    system(killCmd);  
    return 0;  
}

A user (pmn) different from cadmn tries to kill the above-mentioned processes with this utility and fails (shown below):

pmn@rhel /tmp > ./killSPR  
Before you proceed, find out under which ID I'm running. Hit enter when you are done...  
sh: line 0: kill: (5822) - Operation not permitted  
sh: line 0: kill: (10466) - Operation not permitted  
sh: line 0: kill: (13431) - Operation not permitted  
sh: line 0: kill: (17320) - Operation not permitted  
sh: line 0: kill: (20589) - Operation not permitted  
sh: line 0: kill: (22084) - Operation not permitted  
pmn@rhel /tmp >

While the user waits to hit enter above, the process killSPR is inspected and is seen to be running as the user cadmn (shown below) despite which killSPR is unable to terminate the processes.

cadmn@rhel /tmp > ps -eaf | grep -v grep | grep killSPR  
cadmn   24851 22918  0 17:51 pts/36   00:00:00 ./killSPR  
cadmn@rhel /tmp >

BTW, none of the main partitions have any nosuid on them

pmn@rhel /tmp > mount | grep nosuid
pmn@rhel /tmp >

The setuid flag on the executable doesn't seem to have the desired effect. What am I missing here? Have I misunderstood how setuid works?

Answer

alvits picture alvits · Dec 19, 2013

First and foremost, setuid bit simply allows a script to set the uid. The script still needs to call setuid() or setreuid() to run in the the real uid or effective uid respectively. Without calling setuid() or setreuid(), the script will still run as the user who invoked the script.

Avoid system and exec as they drop privileges for security reason. You can use kill() to kill the processes.

Check These out.

http://linux.die.net/man/2/setuid

http://man7.org/linux/man-pages/man2/setreuid.2.html

http://man7.org/linux/man-pages/man2/kill.2.html

Related questions

How to make child process die after parent exits?

Suppose I have a process which spawns exactly one child process. Now when the parent process exits for whatever reason (normally or abnormally, by kill, ^C, assert failure or anything else) I want the child process to die. How to …

Read More
Determine programmatically if a program is running

In C, how can I find out programmatically if a process is already running on Linux/Ubuntu to avoid having it start twice? I'm looking for something similar to pidof.

Read More
Process name from its pid in linux

How to get a process name from his pid ? For example I execute cat file1.txt, but I want to figure out that cat command and its arguments since its pid in the system. Is there a struct to determine …

Read More