Make sure the filesystem you put your suid binary on wasn't mounted with nosuid
or any other similar options. Put your binary in /bin or /usr/bin or /sbin
(etc.) and try again.

Ken Hendrickson

-----Original Message-----
From: owner-b...@openbsd.org [mailto:owner-b...@openbsd.org] On Behalf Of Mark
Dittmer
Sent: Monday, September 23, 2013 2:17 PM
To: bugs@openbsd.org
Subject: SUID Bit does not set effective user-id
I know that OpenBSD has striven to limit the number of setuid binaries in
its suite of software for security reasons. However, I am not under the
impression that the SUID Bit no longer affects the effective user-id when
the binary is run -- this would mean that the bit does nothing, and even
the few setuid programs left in OpenBSD would not work correctly.
I encountered this bug using a fresh install of OpenBSD 5.3 as a guest OS
on Parallels for Mac:

    $ uname -a
    OpenBSD openbsd.localdomain 5.3 GENERIC#53 amd64

To my surprise, a binary file owned by root with its SUID bit set runs with
UIDs as if the SUID was not set. That is, when UID 1000 runs such a
program, the program starts in state:
    real_uid, effective_uid, saved_uid = 1000, 1000, 1000
and not in state:
    real_uid, effective_uid, saved_uid = 1000, 0, 0
as expected.
Here are the details regarding how I found the issue:
I have written an interactive C program for evaluating setuid behaviour in
different Unix systems. The program is compiled using:
    gcc -o setuid_min.bin setuid_min.c
The program lives in a subdirectory of UID 1000's home directory, and the
sudo command is used to change ownership and SUID; then the program is run
and I enter uid to report the real, effective, and saved UIDs of the
process:

    $ sudo chown root:staff setuid_min.bin
    $ ls -l | grep 'setuid_min\.bin$'
    -rwxr-xr-x 1 root staff [...] setuid_min.bin
    $ sudo chmod a+s setuid_min.bin
    $ ls -l | grep 'setuid_min\.bin$'
    -rwsr-sr-x 1 root staff [...] setuid_min.bin
    $ ./setuid_min.bin
    uid
    1000 1000 1000 some_pid
    exit
    $

Note that some_pid above is the pid of the setuid_min.bin process. The
program reports the real UID, effective UID, and saved UID by reporting the
output of the following shell command:
    ps -ao ruid,uid,svuid,pid | grep '[ ]my_pid$'
where my_pid is the pid reported by getpid().
As far as I understand, the program should be reporting 1000 0 0
some_pid, and not 1000 1000 1000 some_pid.
Sincerely,
Mark Dittmer
[demime 1.01d removed an attachment of type text/x-csrc which had a name of
setuid_min.c]