This is the mail archive of the gdb@sourceware.org mailing list for the GDB project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: unable to attach to setuid program that as reverted it privilege

From: "Reynolds, Brandon" <brandon dot reynolds at lmco dot com>
To: pottmi at gmail dot com
Cc: gdb at sourceware dot org
Date: Mon, 14 Apr 2008 09:32:34 -0400
Subject: Re: unable to attach to setuid program that as reverted it privilege

I can't seem to get this to work.

I have a setuid executable with the following code:
-----------------------------------------------------------------------------
    /* keep root capabilities as we transition to the regular user */
    prctl( PR_SET_KEEPCAPS, 1, 0, 0, 0 );

    /* switch back to user that ran us */
    setuid( p->pw_uid );
    setgid( p->pw_gid );

    /* drop all privs except CAP_SYS_NICE */
    if (cap_set_proc((cap = cap_from_text( "CAP_SYS_NICE+pe" ))) < 0)
    {
        perror( "cap_set_proc: failed to drop privs, aborting" );
        exit( 1 );
    }
    cap_free(cap);
-----------------------------------------------------------------------------

> cat /proc/sys/kernel/suid_dumpable
2

> uname -a
Linux sgi2 2.6.16.46-0.12-default #1 SMP Thu May 17 14:00:09 UTC 2007 ia64 ia64 ia64 GNU/Linux

FYI, the man 5 proc says:

/proc/sys/fs/suid_dumpable (since Linux 2.6.13)
              The value in this file determines whether core dump files are produced for set-user-ID or otherâ
              wise protected/tainted binaries.  Three different integer values can be specified:

              0 (default) This provides the traditional (pre-Linux 2.6.13) behaviour.  A core dump will not be
              produced for a process which has changed credentials (by calling seteuid(2), setgid(2), or simiâ
              lar,  or  by executing a set-user-ID or set-group-ID program) or whose binary does not have read
              permission enabled.

              1 ("debug") All processes dump core when possible.  The core dump is owned by  the  file  system
              user  ID  of the dumping process and no security is applied.  This is intended for system debugâ
              ging situations only.  Ptrace is unchecked.

              2 ("suidsafe") Any binary which normally would not be dumped (see "0" above) is dumped  readable
              by  root only.  This allows the user to remove the core dump file but not to read it.  For secuâ
              rity reasons core dumps in this mode will not overwrite one another or other files.   This  mode
              is appropriate when administrators are attempting to debug problems in a normal environment.

> This is documented as allowing core files to be created for setuid
> programs.  What I am using it for is to allow gdb run as a non-root
> user to connect to setuid programs that have _permanently_ given up
> their root privilege.  Without suid_dumpable enabled, gdb will fail
> with a EPERM error even tho the target program is no longer running as
> root and can not reacquire root privilege ( a good default behavior ).

What did you mean by "_permanently_"?

-Brandon

Follow-Ups:
- Re: unable to attach to setuid program that as reverted it privilege
  - From: Michael Potter
- Re: unable to attach to setuid program that as reverted it privilege
  - From: Tavis Ormandy

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]