Hi guys, I was doing tests today and I finally found why I had some issues when I am using the suid bit.
Apparently, Process.run in some cases can’t perform privileged tasks. I am talking about tasks like groupadd -R (via chroot).
I did this example:

    # Libc functions to deal with the SUID and SGID bits
    lib LibC
      fun seteuid(uid : UidT) : Int
      fun setegid(gid : GidT) : Int
      fun getegid : GidT
      fun geteuid : UidT
    end

    # Runs the block with the effective UID/GID set to 0, then restores them.
    def runAsSuperUser(validCondition = true, &)
      # Remember the current effective IDs so they can be restored afterwards
      uid = LibC.geteuid
      gid = LibC.getegid

      if validCondition
        uidResult = LibC.seteuid(0)
        gidResult = LibC.setegid(0)

        if uidResult.negative? || gidResult.negative?
          puts "Setting failure"
        end
      end

      begin
        yield
      ensure
        # Restore the original effective IDs
        LibC.seteuid(uid)
        LibC.setegid(gid)
      end
    rescue error
      puts error
      exit 1
    end

    runAsSuperUser {
      # Print the effective UID and GID seen inside the block
      puts LibC.geteuid
      puts LibC.getegid

      Process.run("/usr/sbin/groupadd",
        args: ["-R", "/home/fulgurance/Downloads/root", "ism"],
        input: Process::Redirect::Inherit,
        output: Process::Redirect::Inherit,
        error: Process::Redirect::Inherit,
        shell: false)
    }

I got this error at execution time:

    [fulgurance@alienware-m17-r3 Downloads]$ ./test
    0
    0
    groupadd: unable to chroot to directory /home/fulgurance/Downloads/root: Operation not permitted
    [fulgurance@alienware-m17-r3 Downloads]$

But if I just run the groupadd command in a terminal, it works. Why?
The strange thing is that if I run the chroot binary via a process, it works. It’s like the access is refused when a binary is in sbin, maybe?