Dropping privileges properly

Post by Scott Nelso » Wed, 27 Oct 1999 04:00:00



Is there a way to drop supplementary groups?

For example:
        uid=502(scott) gid=502(scott) groups=0(root)

Using setgid doesn't seem to touch them and I can't find a system call
that does.

--
Scott Nelson

 
 
 

Post by Barry Margoli » Wed, 27 Oct 1999 04:00:00




>Is there a way to drop supplementary groups?

>For example:
>    uid=502(scott) gid=502(scott) groups=0(root)

>Using setgid doesn't seem to touch them and I can't find a system call
>that does.

Use getgroups(2) and setgroups(2).

--

GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

 
 
 

Post by Michael Wojc » Wed, 27 Oct 1999 04:00:00



> Is there a way to drop supplementary groups?

> For example:
>    uid=502(scott) gid=502(scott) groups=0(root)

> Using setgid doesn't seem to touch them and I can't find a system call
> that does.

You don't mention your platform.  SVR4, SVID issue 4, BSD 4.3, and
X/Open define setgroups(), which sets the supplementary group list.
It requires root privilege, so you need to do it before dropping
other privileges.

This should probably be in Thamer Al-Herbish's Secure Unix Programming
FAQ; I'll send it along.

--

AAI Development, MERANT                 (block capitals are a company mandate)
Department of English, Miami University

Not the author (with K.Ravichandran and T.Rick Fletcher) of "Mode specific
chemistry of HS + N{_2}O(n,1,0) using stimulated Raman excitation".
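
The ordering described in the replies above, as an added example that is not part of the original thread: the supplementary group list is replaced with setgroups() while the process is still root, then the gid and uid are dropped, and the result is checked with getgroups(). The function names drop_privileges and groups_clean and the 256-entry buffer are assumptions made for this illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes setgroups() in glibc's <grp.h> */
#endif
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if every entry in list[0..n-1] equals gid, otherwise 0. */
int groups_clean(const gid_t *list, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (list[i] != gid)
            return 0;
    return 1;
}

/* Permanently become uid/gid. setgroups() and setgid() need root, so
 * both must run before setuid(). Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t list[256];
    int n;

    if (setgroups(1, &gid) != 0)   /* replaces a list such as groups=0(root) */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;

    /* Verify instead of trusting the return codes alone. */
    n = getgroups(256, list);
    if (n < 0 || !groups_clean(list, n, gid))
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0) /* regaining root must not be possible */
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s uid gid\n", argv[0]); return 2; }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    if (drop_privileges(uid, gid) != 0) { fprintf(stderr, "drop failed\n"); return 1; }
    puts("privileges dropped");
    return 0;
}
```

A caller should exit immediately when drop_privileges() returns -1, since the process may then be in a partially dropped state.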