setgid Operation not permitted

0
votes

I have a C program that calls setgid() with the group id of the group "agrp", and it is saying "Operation not permitted" when I try to run it.

The program has the following ls -la listing:

-r-xr-s--x 1 root      agrp      7508 Nov 18 18:48 setgidprogram

What I want, is setgidprogram to be able to access a file that has the owner otheruser and the group agrp, and permissions set to u+rw,g+rw (User and group read/writeable.)

What am I doing wrong? Does setgidprogram HAVE to have the setuid bit set also? (When I tried it, it worked.)

I am running Fedora 19, and I have SELinux disabled.

EDIT

Here is some example code: wrap.c:

#include <stdio.h>
#include <errno.h>
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>
int main(void)
{
        struct group *grp = getgrnam("agrp");
        printf("%d\n",grp->gr_gid);
        if(setgid(grp->gr_gid) != 0)
        {
                printf("%s.\n", strerror(errno));
                return 1;
        }
        execl("/tmp/whoami_script.sh", NULL);
        printf("%s.\n", strerror(errno));
        return 0;
}

/tmp/whoami_script.sh:

#!/usr/bin/bash
id



$ ls -la /tmp/whoami_script.sh wrap
-r-xr-xr-x 1 root agrp   19 Nov 18 19:53 /tmp/whoami_script.sh
$ ./wrap
1234
uid=1000(auser) gid=1000(auser) groups=1000(auser),0(root),10(wheel)
---x--s--x 1 root agrp 7500 Nov 18 19:55 wrap

Is this enough information now?

2
clinuxpermissions
is the filesystem mounted without nosuid? - ensc
I don't think so. Other suid programs are working fine. Plus, this program is sgid not suid. - BenjiWiebe
The update is mildly confusing. It shows a program /tmp/whoami_script.sh that can be run by anyone; a more effective test would give it 550 permissions. However, the output from the code when it is run shows the the SGID-ness of the wrapper program is not taking effect; there is no entry for egid nor any entry for agrp (not even under a different name — don't laugh; I've seen that happen and two entries in /etc/group for GID 1234 with different names both 'work', but ls and id etc only report one of the two names). So, it definitely appears that SGID is not operational for you. - Jonathan Leffler
Note that the mount documentation on Mac OS X says 'nosuid – Do not allow set-user-identifier or set-group-identifier bits to take effect'. It is likely the same on Linux; there is no separate nosgid option. - Jonathan Leffler

2 Answers

1
votes

This code finally worked:

#include <stdio.h>
#include <errno.h>
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>
int main(void)
{
        gid_t g = getegid();
        if(setregid(g, g) != 0)
        {
                printf("Error setting GID: %s.\n", strerror(errno));
        }
        execl("/tmp/whoami_script.sh", "/tmp/whoami_script.sh", NULL);
        printf("Error: %s.\n", strerror(errno));
        return 0;
}

The problem was I was only setting my effective GID, not my real GID. Therefore, when I exec'd, the child process was started with the EGID set to the RGID. So, in my code, I used setregid which worked fine.

1
votes

The original version of the question showed 6550 permission on the file.

If you're not either user root or in group agrp, you need to be able to use the public execute permissions on the program — which are missing. Since it is a binary, you don't need read permission. To fix it:

# chmod o+x setgidprogram

(The # denotes 'as root or via sudo', or equivalent mechanisms.) As it stands, only people who already have the relevant privileges can use the program.

If the program is installed SGID agrp, there is no need for the program to try to do setgid(agrp_gid) internally. The effective GID will be the GID belonging to agrp and the program will be able to access files as any other member of agrp could.

That said, normally you can do a no-op successfully. For example, this code works fine:

#include <stdio.h>
#include <unistd.h>
#include "stderr.h"

int main(int argc, char **argv)
{
    err_setarg0(argv[argc-argc]);

    gid_t gid = getegid();
    if (setgid(gid) != 0)
        err_syserr("Failed to setgid(%d)\n", (int)gid);
    puts("OK");
    return 0;
}

(You just have to accept that the err_*() function do error reporting; the argc-argc trick avoids a warning/error from the compiler about otherwise unused argument argc.)

If you make the program SUID root, then the SGID property doesn't matter much; the program will run with EUID root and that means it can do (almost) anything. If it is SUID root, you should probably be resetting the EUID to the real UID:

setuid(getuid());

before invoking the other program. Otherwise, you're invoking the other program as root, which is likely to be dangerous.

Dissecting POSIX

In his answer, BenjiWiebe states:

The problem was I was only setting my effective GID, not my real GID. Therefore, when I exec'd, the child process was started with the EGID set to the RGID. So, in my code, I used setregid() which worked fine.

Yuck; which system does that? Linux trying to be protective? It is not the way things worked classically on Unix, that's for sure. However, the POSIX standard seems to have wriggle room in the verbiage (for execvp()):

If the ST_NOSUID bit is set for the file system containing the new process image file, then the effective user ID, effective group ID, saved set-user-ID, and saved set-group-ID are unchanged in the new process image. Otherwise, if the set-user-ID mode bit of the new process image file is set, the effective user ID of the new process image shall be set to the user ID of the new process image file. Similarly, if the set-group-ID mode bit of the new process image file is set, the effective group ID of the new process image shall be set to the group ID of the new process image file. The real user ID, real group ID, and supplementary group IDs of the new process image shall remain the same as those of the calling process image. The effective user ID and effective group ID of the new process image shall be saved (as the saved set-user-ID and the saved set-group-ID) for use by setuid().

If I'm parsing that right, then we have a number of scenarios:

  1. ST_NOSUID is set.
  2. ST_NOSUID is not set, but SUID or SGID bit is set on the executable.
  3. ST_NOSUID is not set, but SUID or SGID biy is not set on the executable.

In case 1, it is fairly clearly stated that the EUID and EGID of the exec'd process are the same as in the original process (and if the EUID and RUID are different in the original process, they will be different in the child).

In case 2, if the SUID bit is set on the executable, the EUID will be set to the SUID. Likewise if the SGID bit is set on the executable, the EGID will be set to the SGID. It is not specified what happens if the SUID bit is set, the SGID bit is not set, and the original process has different values for EGID and RGID; nor, conversely, is it specified what happens if the SGID bit is set, the SUID bit is not set, and the original process has different values for EUID and RUID.

Case 3, where neither the SUID nor SGID bit is set on the executable, also seems to be unspecified behaviour.

Classically on Unix systems, the EUID and RUID could be different, and the difference would be inherited across multiple (fork() and) exec() operations if the executable does not override the EUID or EGID with its own SUID or SGID bits. However, it is not clear that the POSIX standard mandates or prohibits this; it seems to be unspecified behaviour. The rationale section provides no guidance on the intentions.

If my reading is correct, then I find it amusing that the ST_NOSUID bit means that if a program is launched by a process that is running SUID, then the program on the 'no SUID' file system will be run with different real and effective UID (RUID and EUID), which seems counter-intuitive. It doesn't matter what the SUID and SGID bits on the executable are set to (so the bits on the executable are ignored), but the inherited values of EUID and RUID are maintained.