Why I can not drop sudo root privileges?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite












I am debugging a program and not quite sure why I can not drop privileges.



I have root permissions via sudo and I can call setgid/setuid, but the operation [is] is not supported.



Basic code to reproduce (golang):



package main

import (
"fmt"
"os"
"strconv"
"syscall"
)

func main()
if os.Getuid() != 0
fmt.Println("run as root")
os.Exit(1)


uid, err := strconv.Atoi(os.Getenv("SUDO_UID"))
check("", err)

gid, err := strconv.Atoi(os.Getenv("SUDO_GID"))
check("", err)

fmt.Printf("uid: %d, gid: %dn", uid, gid)

check("gid", syscall.Setgid(gid))
check("uid", syscall.Setuid(uid))


func check(message string, err error)
if err != nil
fmt.Printf("%s: %sn", message, err)
os.Exit(1)




Example output:



$ sudo ./drop-sudo 
uid: 1000, gid: 1000
gid: operation not supported


System info:



$ uname -a
Linux jmuia 4.15.0-34-generic #37-Ubuntu SMP Mon Aug 27 15:21:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux









share|improve this question



















  • 1




    I don't know if this ever got fixed, but Setuid/Setgid do not work properly with Go on Linux - github.com/golang/go/issues/1435
    – Stephen Harris
    Sep 16 at 22:49










  • comment out the Setuid line and see if Setgid works.
    – Rui F Ribeiro
    Sep 16 at 22:52











  • @RuiFRibeiro that doesn't work either; they are in the right order (setgid before setuid).
    – user2460234
    Sep 17 at 0:32










  • Yeah, they are, it was just a test.
    – Rui F Ribeiro
    Sep 17 at 0:45














up vote
2
down vote

favorite












I am debugging a program and not quite sure why I can not drop privileges.



I have root permissions via sudo and I can call setgid/setuid, but the operation [is] is not supported.



Basic code to reproduce (golang):



package main

import (
"fmt"
"os"
"strconv"
"syscall"
)

func main()
if os.Getuid() != 0
fmt.Println("run as root")
os.Exit(1)


uid, err := strconv.Atoi(os.Getenv("SUDO_UID"))
check("", err)

gid, err := strconv.Atoi(os.Getenv("SUDO_GID"))
check("", err)

fmt.Printf("uid: %d, gid: %dn", uid, gid)

check("gid", syscall.Setgid(gid))
check("uid", syscall.Setuid(uid))


func check(message string, err error)
if err != nil
fmt.Printf("%s: %sn", message, err)
os.Exit(1)




Example output:



$ sudo ./drop-sudo 
uid: 1000, gid: 1000
gid: operation not supported


System info:



$ uname -a
Linux jmuia 4.15.0-34-generic #37-Ubuntu SMP Mon Aug 27 15:21:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux









share|improve this question



















  • 1




    I don't know if this ever got fixed, but Setuid/Setgid do not work properly with Go on Linux - github.com/golang/go/issues/1435
    – Stephen Harris
    Sep 16 at 22:49










  • comment out the Setuid line and see if Setgid works.
    – Rui F Ribeiro
    Sep 16 at 22:52











  • @RuiFRibeiro that doesn't work either; they are in the right order (setgid before setuid).
    – user2460234
    Sep 17 at 0:32










  • Yeah, they are, it was just a test.
    – Rui F Ribeiro
    Sep 17 at 0:45












up vote
2
down vote

favorite









up vote
2
down vote

favorite











I am debugging a program and not quite sure why I can not drop privileges.



I have root permissions via sudo and I can call setgid/setuid, but the operation [is] is not supported.



Basic code to reproduce (golang):



package main

import (
"fmt"
"os"
"strconv"
"syscall"
)

func main()
if os.Getuid() != 0
fmt.Println("run as root")
os.Exit(1)


uid, err := strconv.Atoi(os.Getenv("SUDO_UID"))
check("", err)

gid, err := strconv.Atoi(os.Getenv("SUDO_GID"))
check("", err)

fmt.Printf("uid: %d, gid: %dn", uid, gid)

check("gid", syscall.Setgid(gid))
check("uid", syscall.Setuid(uid))


func check(message string, err error)
if err != nil
fmt.Printf("%s: %sn", message, err)
os.Exit(1)




Example output:



$ sudo ./drop-sudo 
uid: 1000, gid: 1000
gid: operation not supported


System info:



$ uname -a
Linux jmuia 4.15.0-34-generic #37-Ubuntu SMP Mon Aug 27 15:21:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux









share|improve this question















I am debugging a program and not quite sure why I can not drop privileges.



I have root permissions via sudo and I can call setgid/setuid, but the operation [is] is not supported.



Basic code to reproduce (golang):



package main

import (
"fmt"
"os"
"strconv"
"syscall"
)

func main()
if os.Getuid() != 0
fmt.Println("run as root")
os.Exit(1)


uid, err := strconv.Atoi(os.Getenv("SUDO_UID"))
check("", err)

gid, err := strconv.Atoi(os.Getenv("SUDO_GID"))
check("", err)

fmt.Printf("uid: %d, gid: %dn", uid, gid)

check("gid", syscall.Setgid(gid))
check("uid", syscall.Setuid(uid))


func check(message string, err error)
if err != nil
fmt.Printf("%s: %sn", message, err)
os.Exit(1)




Example output:



$ sudo ./drop-sudo 
uid: 1000, gid: 1000
gid: operation not supported


System info:



$ uname -a
Linux jmuia 4.15.0-34-generic #37-Ubuntu SMP Mon Aug 27 15:21:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux






permissions sudo root system-calls setuid






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Sep 16 at 22:24









Goro

5,89552662




5,89552662










asked Sep 16 at 22:07









user2460234

385




385







  • 1




    I don't know if this ever got fixed, but Setuid/Setgid do not work properly with Go on Linux - github.com/golang/go/issues/1435
    – Stephen Harris
    Sep 16 at 22:49










  • comment out the Setuid line and see if Setgid works.
    – Rui F Ribeiro
    Sep 16 at 22:52











  • @RuiFRibeiro that doesn't work either; they are in the right order (setgid before setuid).
    – user2460234
    Sep 17 at 0:32










  • Yeah, they are, it was just a test.
    – Rui F Ribeiro
    Sep 17 at 0:45












  • 1




    I don't know if this ever got fixed, but Setuid/Setgid do not work properly with Go on Linux - github.com/golang/go/issues/1435
    – Stephen Harris
    Sep 16 at 22:49










  • comment out the Setuid line and see if Setgid works.
    – Rui F Ribeiro
    Sep 16 at 22:52











  • @RuiFRibeiro that doesn't work either; they are in the right order (setgid before setuid).
    – user2460234
    Sep 17 at 0:32










  • Yeah, they are, it was just a test.
    – Rui F Ribeiro
    Sep 17 at 0:45







1




1




I don't know if this ever got fixed, but Setuid/Setgid do not work properly with Go on Linux - github.com/golang/go/issues/1435
– Stephen Harris
Sep 16 at 22:49




I don't know if this ever got fixed, but Setuid/Setgid do not work properly with Go on Linux - github.com/golang/go/issues/1435
– Stephen Harris
Sep 16 at 22:49












comment out the Setuid line and see if Setgid works.
– Rui F Ribeiro
Sep 16 at 22:52





comment out the Setuid line and see if Setgid works.
– Rui F Ribeiro
Sep 16 at 22:52













@RuiFRibeiro that doesn't work either; they are in the right order (setgid before setuid).
– user2460234
Sep 17 at 0:32




@RuiFRibeiro that doesn't work either; they are in the right order (setgid before setuid).
– user2460234
Sep 17 at 0:32












Yeah, they are, it was just a test.
– Rui F Ribeiro
Sep 17 at 0:45




Yeah, they are, it was just a test.
– Rui F Ribeiro
Sep 17 at 0:45










1 Answer
1






active

oldest

votes

















up vote
3
down vote



accepted










Your programming language simply does not support such things.



It's complex to do this stuff on Linux, because of the architecture of Linux. The C libraries (e.g. GNU and musl) hide this complexity. It continues to be one of the known problems with threads on Linux.



The Go language does not replicate the mechanism of the C libraries. The current implementation of those functions is not a system call, and has not been since 2014.



Further reading



  • Jonathan de Boyne Pollard (2010). The known problems with threads on Linux. Frequently Given Answers.

  • Michał Derkacz (2011-01-21). syscall: Setuid/Setgid doesn't apply to all threads on Linux. Go bug #1435





share|improve this answer




















    Your Answer







    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f469441%2fwhy-i-can-not-drop-sudo-root-privileges%23new-answer', 'question_page');

    );

    Post as a guest






























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    3
    down vote



    accepted










    Your programming language simply does not support such things.



    It's complex to do this stuff on Linux, because of the architecture of Linux. The C libraries (e.g. GNU and musl) hide this complexity. It continues to be one of the known problems with threads on Linux.



    The Go language does not replicate the mechanism of the C libraries. The current implementation of those functions is not a system call, and has not been since 2014.



    Further reading



    • Jonathan de Boyne Pollard (2010). The known problems with threads on Linux. Frequently Given Answers.

    • Michał Derkacz (2011-01-21). syscall: Setuid/Setgid doesn't apply to all threads on Linux. Go bug #1435





    share|improve this answer
























      up vote
      3
      down vote



      accepted










      Your programming language simply does not support such things.



      It's complex to do this stuff on Linux, because of the architecture of Linux. The C libraries (e.g. GNU and musl) hide this complexity. It continues to be one of the known problems with threads on Linux.



      The Go language does not replicate the mechanism of the C libraries. The current implementation of those functions is not a system call, and has not been since 2014.



      Further reading



      • Jonathan de Boyne Pollard (2010). The known problems with threads on Linux. Frequently Given Answers.

      • Michał Derkacz (2011-01-21). syscall: Setuid/Setgid doesn't apply to all threads on Linux. Go bug #1435





      share|improve this answer






















        up vote
        3
        down vote



        accepted







        up vote
        3
        down vote



        accepted






        Your programming language simply does not support such things.



        It's complex to do this stuff on Linux, because of the architecture of Linux. The C libraries (e.g. GNU and musl) hide this complexity. It continues to be one of the known problems with threads on Linux.



        The Go language does not replicate the mechanism of the C libraries. The current implementation of those functions is not a system call, and has not been since 2014.



        Further reading



        • Jonathan de Boyne Pollard (2010). The known problems with threads on Linux. Frequently Given Answers.

        • Michał Derkacz (2011-01-21). syscall: Setuid/Setgid doesn't apply to all threads on Linux. Go bug #1435





        share|improve this answer












        Your programming language simply does not support such things.



        It's complex to do this stuff on Linux, because of the architecture of Linux. The C libraries (e.g. GNU and musl) hide this complexity. It continues to be one of the known problems with threads on Linux.



        The Go language does not replicate the mechanism of the C libraries. The current implementation of those functions is not a system call, and has not been since 2014.



        Further reading



        • Jonathan de Boyne Pollard (2010). The known problems with threads on Linux. Frequently Given Answers.

        • Michał Derkacz (2011-01-21). syscall: Setuid/Setgid doesn't apply to all threads on Linux. Go bug #1435






        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Sep 17 at 3:34









        JdeBP

        29.9k462137




        29.9k462137



























             

            draft saved


            draft discarded















































             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f469441%2fwhy-i-can-not-drop-sudo-root-privileges%23new-answer', 'question_page');

            );

            Post as a guest













































































            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?