Is it wrong to use seteuid to temporarily remove root privileges

I read from some books that seteuid along with euid and saved UID can be used to temporarily remove root privileges. The point is this:

  • set euid to non-root.
  • do things that do not require root privileges.
  • set euid to root again (this works because root is still the saved UID).

I think this is not true. During step 2, some malicious code may also call seteuid for root, so this method of removing root privileges does not prevent code from regaining root privileges. Is my analysis correct? If so, why can I use seteuid-on-saved-UID?

+2
2 answers

Your concern that malicious code may also restore the effective UID from the saved UID is legitimate. If this bothers you, perhaps you should not use a setuid-root program in the first place. (LD_PRELOAD and other similar things are generally dangerous; they are also limited when the program runs with setuid privileges.)

Often, however, the mechanism is used in a forked child, where the child executes some other process without elevated privileges, since the saved UID will not be kept by the running process. If the malicious code succeeds in capturing before exec(), you still have problems. After exec(), the malicious code only has real UID privileges, and the user could do everything the malicious code did.

+3
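The two styles of dropping privileges discussed in the question and in the answer above, as an added C example that is not from the original thread: a temporary drop with seteuid() that leaves root in the saved UID, and a permanent drop with setresuid() of the kind you would do in the child before exec(). It assumes Linux/glibc (setresuid() is not available everywhere); run as an ordinary user it can only show that root is not regainable, since the process never had it.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Temporary drop, as in the question's step 1: only the effective UID
   changes. Root stays in the saved set-user-ID, so seteuid(0) later succeeds,
   and any code running in this window can call it too. */
int drop_privs_temporarily(uid_t uid) {
    return seteuid(uid);
}

/* Permanent drop, as the answer above recommends in the forked child before
   exec(): real, effective and saved UID are all set, so nothing is left to
   restore. Returns 0 on success, -1 if the drop failed or is reversible. */
int drop_privs_permanently(uid_t uid) {
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* The drop is only real if regaining root now fails. */
    if (uid != 0 && seteuid(0) == 0)
        return -1;
    return 0;
}

/* Report whether the caller can still become root (1) or not (0), leaving
   the effective UID as it found it. */
int can_regain_root(void) {
    uid_t current = geteuid();
    if (seteuid(0) != 0)
        return 0;          /* EPERM: root is in neither the real nor the saved UID */
    seteuid(current);      /* put the previous effective UID back */
    return 1;
}

int main(void) {
    uid_t unpriv = getuid();   /* in a setuid-root binary this is the invoking user */
    printf("start:     ruid=%u euid=%u regainable=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), can_regain_root());
    drop_privs_temporarily(unpriv);
    printf("temporary: euid=%u regainable=%d\n",
           (unsigned)geteuid(), can_regain_root());
    if (drop_privs_permanently(unpriv) != 0) {
        perror("setresuid");
        return 1;
    }
    printf("permanent: euid=%u regainable=%d\n",
           (unsigned)geteuid(), can_regain_root());
    return 0;
}
```

Run it from a binary that is setuid root to see "regainable=1" after the temporary drop and "regainable=0" after the permanent one.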

Setuid has drawbacks in general, due to the possibility of escalating privileges without authentication. Even the concept of root privilege is a bit outdated. Most platforms have updated methods for obtaining additional privileges, for example from the shell with "sudo" on Unix or "pfexec" on Solaris.

In addition, they typically have finer-grained controls over the privileges they require. With setuid it is all or nothing, but with Solaris RBAC, for example, the environment provides methods for determining the exact privilege(s) you need, usually at a lower level, such as opening files, reading directories, etc.

In general, I think that now you should avoid setuid for anything and use newer APIs.

0
