changing the user id in code

I am writing a system that needs to access hardware and therefore must be
run as root. I am unable to have the program change the userid from the
user's to 0, root. I have attempted to use both “seteuid(0)” and
“setuid(0)”. These will only successfully complete if I run the program as
root; they fail when I attempt to run them as any other user. Am I missing
something somewhere? Is there a compiler option that I must use? Please
help, because the way the system is set up currently it is not at all secure.

Thanks,

Ross Brantner

Ross Brantner <brantner@nrc.net> wrote:

> I am writing a system that needs to access hardware and therefore must be
> run as root. I am unable to have the program change the userid from the
> user's to 0, root. I have attempted to use both “seteuid(0)” and
> “setuid(0)”. These will only successfully complete if I run the program as
> root; they fail when I attempt to run them as any other user. Am I missing
> something somewhere? Is there a compiler option that I must use? Please
> help, because the way the system is set up currently it is not at all secure.

This is intended behaviour. Think of the security hole if just any program
run by anyone can do a “setuid(0)” and have it succeed.

Ok, how to make this work? Well, you have to code your program pretty
carefully, and it is probably worth grabbing a Unix book that talks about
uids, euids, and their effects.

The usual method is to make the program owned by root, then set the setuid
bit on the executable so that, when running, it has root privileges.

Then, it should immediately call seteuid(getuid());
This will set the effective userid to the person who ran the program.
Then, before you need root access for something, call seteuid(0), do
the bit that requires root access, then call seteuid(getuid()) again
immediately after.

If the process never again needs root access, it can call setuid(getuid())
to set everything to the uid of the person running the program.

Be careful. Anytime you write a setuid root program, you may be creating
a security hole; carefully audit the code to make sure nothing unexpected
can happen while root privilege is available.

-David

QNX Training Services
dagibbs@qnx.com

I have used this code, which is the example for setuid(), and it will work
properly when run as root but outputs “setuid: operation not permitted” when
run by anyone else. This seems to be as simple as it gets and it doesn’t
work for me. There are no great security risks that can occur in my system
by using this approach; I just don’t want anyone poking around where they
shouldn’t be when they aren’t using the application. Here is the code:

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>

int main( void )
{
    uid_t ouid;

    ouid = getuid();

    /* Without root privilege this fails with EPERM unless 101 is already
       the caller's real or saved uid. */
    if( setuid( 101 ) == -1 )
    {
        perror( "setuid" );
        exit( EXIT_FAILURE );
    }

    printf( "userid %d switched to %d\n", (int) ouid, (int) getuid() );
    exit( EXIT_SUCCESS );
}

Have you done "chmod +s "?

Mario Charest <mcharest@clipzinformatic.com> wrote:

> Have you done "chmod +s "?

Try the following example program to see uid switching.

Compile it as root, and do the chmod that Mario mentioned.


#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>

int main( void )
{
    printf("at start, uid: %d euid: %d\n", (int) getuid(), (int) geteuid());

    /* drop to the uid of the person who ran the program */
    if( seteuid(getuid()) )
        perror("euid getuid() ");

    printf("after seteuid getuid, uid: %d euid: %d\n", (int) getuid(), (int) geteuid());
    /* in here you are running as if (effective) uid of person who ran
       program */

    /* regain root; works only because the saved uid is still 0 */
    if( seteuid( 0 ) )
        perror("euid 0");

    printf("after seteuid 0, uid: %d euid: %d\n", (int) getuid(), (int) geteuid());
    return 0;
}


-David

QNX Training Services
dagibbs@qnx.com
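
Added example, not code posted by anyone in this thread: the raise-and-drop pattern David describes with every return value checked, plus the permanent drop performed from euid 0, because setuid() resets the saved uid only while the effective uid is 0 (called after the temporary drop, it would leave root reachable through seteuid(0)). privileged_step() is a hypothetical stand-in for the hardware access, and the binary is assumed to be owned by root with the setuid bit set.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Lower only the effective uid; the saved uid stays 0, so root can return. */
static int drop_temp(void) {
    if (seteuid(getuid()) != 0) return -1;
    return geteuid() == getuid() ? 0 : -1;
}

/* Hypothetical stand-in for the hardware access that needs root. */
static int privileged_step(void) {
    return geteuid() == 0 ? 1 : -1;
}

/* Raise to root for one step only, then lower again whatever the step did. */
static int with_root(int (*step)(void)) {
    if (seteuid(0) != 0) return -1;     /* binary is not setuid root */
    int rc = step();
    if (drop_temp() != 0) _exit(1);     /* never carry on with root raised */
    return rc;
}

/* Give root up for good. setuid() rewrites the saved uid only while the
 * effective uid is 0, so raise first, then confirm root cannot come back. */
static int drop_forever(void) {
    uid_t ruid = getuid();
    int had_root = (seteuid(0) == 0);   /* succeeds only with saved uid 0 */
    if (setuid(ruid) != 0) return -1;
    if (ruid != 0 && seteuid(0) == 0) return -1;   /* root still reachable */
    if (getuid() != ruid || geteuid() != ruid) return -1;
    return had_root;                    /* 1: euid 0 was available, 0: not */
}

int main(void) {
    if (drop_temp() != 0) { perror("seteuid(getuid())"); return 1; }
    printf("dropped: uid %ld euid %ld\n", (long)getuid(), (long)geteuid());
    printf("privileged step: %d\n", with_root(privileged_step));
    int rc = drop_forever();
    if (rc < 0) { fprintf(stderr, "permanent drop failed\n"); return 1; }
    printf("final: uid %ld euid %ld (held root: %d)\n",
           (long)getuid(), (long)geteuid(), rc);
    return 0;
}
```

Run without the setuid bit, the privileged step reports -1 and the permanent drop returns 0, which is the same failure Ross saw but handled instead of ignored.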