Re: setreuid(2)?

[RVP <rvp%SDF.ORG@localhost>]

On Mon, 7 Nov 2022, Mouse wrote:

> used in new code".  But I must be missing something, because I can't
> see any way to exploit the functionality described there, including the
> saved IDs, to get the effect I want...short of creating an executable

I don't use seteuid(), but, it looks like you can just re-swap the
(uid, euid) in a child binary and regain the parent's privileges.

Compile with and without -DRELINQUISH.

```
cc -o /tmp/x x.c
cc -o /tmp/y y.c
sudo sh -c 'chown root:wheel /tmp/x; chmod 4555 /tmp/x'
/tmp/x
```

---START x.c---
#include <err.h>
#include <stdio.h>
#include <unistd.h>

int
main(int argc, char* argv[])
{
	uid_t uid, euid;

	uid = getuid();
	euid = geteuid();
	if (uid == euid)
		errx(1, "UID == EUID--won't proceed.");
	printf("%s: UID=%d, EUID=%d\n", *argv, uid, euid);

	if (setreuid(euid, uid) != 0)
		err(1, "setreuid(%d, %d) failed", euid, uid);
	printf("%s: UID=%d, EUID=%d\n", *argv, getuid(), geteuid());

#ifdef RELINQUISH
	/*
	 *  Need to do this to safely execute any binary,
	 */
#if defined(__FreeBSD__) || defined(__OpenBSD__)
	/*
	 *  This works only on FreeBSD (13.1-RELEASE-p3) and
	 *  OpenBSD (6.9).
	 */
	if (setuid(uid) != 0)
		err(1, "setuid(%d) failed", uid);
#else
	/*
	 *  On NetBSD (9.99.106), setuid() fails.
	 *  On Linux (5.0.0-38), the call succeeds, but has no effect.
	 *  So, we use setreuid().
	 */
	if (setreuid(uid, uid) != 0)
		err(1, "setreuid(%d, %d) failed", uid, uid);
#endif
#endif
	execl("/tmp/y", "y", NULL);
	err(1, "execl(/tmp/y) failed");
}
---END x.c---

---START y.c---
#include <err.h>
#include <stdio.h>
#include <unistd.h>

int
main(int argc, char* argv[])
{
	uid_t uid, euid;

	uid = getuid();
	euid = geteuid();
	printf("%s: UID=%d, EUID=%d\n", *argv, uid, euid);
	fflush(stdout);

	if (setreuid(uid, uid) != 0)
		err(1, "setreuid(%d, %d) failed", uid, uid);

	printf("%s: UID=%d, EUID=%d\n", *argv, getuid(), geteuid());

	return 0;
}
---END y.c---

-RVP