Versions Compared

...

```c
#include <sys/types.h>
#include <unistd.h>

/* Store the privileged ID for later verification */
uid_t privid = geteuid();

/* Code intended to run with elevated privileges   */

/* Temporarily drop privileges */
if (seteuid(getuid()) != 0) {
  /* Handle error */
}

/* Code intended to run with lower privileges  */

/* need_more_privileges is a placeholder condition for this snippet */
if (need_more_privileges) {
  /* Restore privileges */
  if (seteuid(privid) != 0) {
    /* Handle error */
  }

  /* Code intended to run with elevated privileges   */
}

/* ... */

/* Restore privileges if needed */
if (geteuid() != privid) {
  if (seteuid(privid) != 0) {
    /* Handle error */
  }
}

/* Permanently drop privileges */
if (setuid(getuid()) != 0) {
  /* Handle error */
}

/* Verify the drop: if setuid(0) succeeds, privileges were not really relinquished */
if (setuid(0) != -1) {
  /* Privileges can be restored, handle error */
}

/*
 * Code intended to run with lower privileges;
 * attacker cannot regain elevated privileges
 */
```

...

Supplementary Group IDs

A process may have a number of supplementary group IDs in addition to its effective group ID, and the supplementary groups can allow privileged access to files. The getgroups() function returns an array that contains the supplementary group IDs and may also contain the effective group ID. The setgroups() function can set the supplementary group IDs and may also set the effective group ID on some systems. Calling setgroups() usually requires privileges. Although POSIX defines the getgroups() function, it does not define setgroups().

Under normal circumstances, setuid() and related calls do not alter the supplementary group IDs. However, a setuid-root program can alter its supplementary group IDs and then relinquish root privileges, in which case it retains the supplementary group IDs but lacks the privilege necessary to relinquish them. Consequently, it is recommended that a program relinquish its supplementary group IDs immediately before relinquishing root privileges.

POS36-C. Observe correct revocation order while relinquishing privileges discusses how to drop supplementary group IDs. To ensure that supplementary group IDs are indeed relinquished, you can use the following eql_sups function:

...
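The following is an added example, not the page's eql_sups function and not CERT's code. It puts the two ideas above together: a set comparison of group-ID lists that ignores the effective GID (because getgroups() may or may not report it), a check that the process's current supplementary groups are exactly the expected ones, and a permanent privilege drop in the POS36-C order (supplementary groups, then GID, then UID) where every step is verified, including the setuid(0) probe from the code block above. The names gid_sets_equal, sups_match, drop_privileges_permanently and self_check are this example's own; the GID values in self_check are constructed test data.

```c
#define _DEFAULT_SOURCE 1   /* declares setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if g occurs in set[0..n), else 0 */
static int gid_in(gid_t g, const gid_t *set, int n) {
  for (int i = 0; i < n; i++)
    if (set[i] == g) return 1;
  return 0;
}

/* Set equality for two GID lists: order and duplicates are ignored, and egid is
 * ignored on both sides because getgroups() may or may not include it. */
int gid_sets_equal(const gid_t *a, int na, const gid_t *b, int nb, gid_t egid) {
  for (int i = 0; i < na; i++)
    if (a[i] != egid && !gid_in(a[i], b, nb)) return 0;
  for (int i = 0; i < nb; i++)
    if (b[i] != egid && !gid_in(b[i], a, na)) return 0;
  return 1;
}

/* 1 if the process's supplementary groups are exactly want[0..nwant),
 * 0 if they differ, -1 on error. Needs no privileges, so it can run after
 * the drop as the verification step POS37-C asks for. */
int sups_match(const gid_t *want, int nwant) {
  int n = getgroups(0, NULL);             /* query the count first */
  if (n < 0) return -1;
  gid_t *cur = malloc((size_t)(n + 1) * sizeof *cur);  /* +1 avoids a zero-size alloc */
  if (cur == NULL) return -1;
  n = getgroups(n + 1, cur);
  if (n < 0) { free(cur); return -1; }
  int eq = gid_sets_equal(cur, n, want, nwant, getegid());
  free(cur);
  return eq;
}

/* Permanent drop in POS36-C order: supplementary groups, then GID, then UID.
 * Each call is checked; afterwards the result is verified. Returns 0 on
 * success, -1 on any failure (including "root could be regained"). */
int drop_privileges_permanently(void) {
  gid_t keep = getgid();                  /* the only group that remains */
  if (setgroups(1, &keep) != 0) return -1;   /* requires root; fails with EPERM otherwise */
  if (setgid(keep) != 0) return -1;
  if (setuid(getuid()) != 0) return -1;
  /* Verify: supplementary groups are gone ... */
  if (sups_match(&keep, 1) != 1) return -1;
  /* ... and root cannot be regained (same probe as the page's code block). */
  if (setuid(0) != -1) return -1;
  return 0;
}

/* Unprivileged self-check on constructed GID sets plus the process's own groups. */
int self_check(void) {
  gid_t a[] = {10, 20, 30}, b[] = {30, 10, 20}, c[] = {10, 20};
  if (!gid_sets_equal(a, 3, b, 3, 999)) return 0;   /* same set, different order */
  if (gid_sets_equal(a, 3, c, 2, 999)) return 0;    /* 30 is missing from c */
  if (!gid_sets_equal(a, 3, c, 2, 30)) return 0;    /* 30 is the egid, so ignored */
  gid_t cur[128];
  int n = getgroups(128, cur);
  if (n < 0) return 0;
  return sups_match(cur, n) == 1;                   /* current groups match themselves */
}

int main(void) {
  printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
  return 0;
}
```

drop_privileges_permanently() is only meaningful in a process that still holds root; run as an ordinary user it fails at setgroups() and reports -1, which is the intended behaviour rather than silently continuing with the groups still attached. On Linux, setgroups() is declared in grp.h; on the BSDs and macOS it comes from unistd.h, which is why both headers are included.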