Why I can not drop sudo root privileges?

I am debugging a program and not quite sure why I can not drop privileges.

I have root permissions via sudo and I can call setgid/setuid, but the operation is not supported.

Basic code to reproduce (golang):

    package main

    import (
        "fmt"
        "os"
        "strconv"
        "syscall"
    )

    func main() {
        if os.Getuid() != 0 {
            fmt.Println("run as root")
            os.Exit(1)
        }

        // sudo exports the invoking user's IDs as SUDO_UID and SUDO_GID.
        uid, err := strconv.Atoi(os.Getenv("SUDO_UID"))
        check("", err)

        gid, err := strconv.Atoi(os.Getenv("SUDO_GID"))
        check("", err)

        fmt.Printf("uid: %d, gid: %d\n", uid, gid)

        // Group first, then user.
        check("gid", syscall.Setgid(gid))
        check("uid", syscall.Setuid(uid))
    }

    // check prints the error with its label and exits if err is non-nil.
    func check(message string, err error) {
        if err != nil {
            fmt.Printf("%s: %s\n", message, err)
            os.Exit(1)
        }
    }

Example output:

    $ sudo ./drop-sudo
    uid: 1000, gid: 1000
    gid: operation not supported

System info:

    $ uname -a
    Linux jmuia 4.15.0-34-generic #37-Ubuntu SMP Mon Aug 27 15:21:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Tags: permissions sudo root system-calls setuid

edited Sep 16 at 22:24 by Goro
asked Sep 16 at 22:07 by user2460234

  • I don't know if this ever got fixed, but Setuid/Setgid do not work properly with Go on Linux - github.com/golang/go/issues/1435
    – Stephen Harris
    Sep 16 at 22:49

  • Comment out the Setuid line and see if Setgid works.
    – Rui F Ribeiro
    Sep 16 at 22:52

  • @RuiFRibeiro that doesn't work either; they are in the right order (setgid before setuid).
    – user2460234
    Sep 17 at 0:32

  • Yeah, they are, it was just a test.
    – Rui F Ribeiro
    Sep 17 at 0:45

1 Answer (accepted)

Your programming language simply does not support such things.

It's complex to do this stuff on Linux, because of the architecture of Linux. The C libraries (e.g. GNU and musl) hide this complexity. It continues to be one of the known problems with threads on Linux.

The Go language does not replicate the mechanism of the C libraries. The current implementation of those functions is not a system call, and has not been since 2014.

Further reading

  • Jonathan de Boyne Pollard (2010). The known problems with threads on Linux. Frequently Given Answers.
  • Michał Derkacz (2011-01-21). syscall: Setuid/Setgid doesn't apply to all threads on Linux. Go bug #1435

answered Sep 17 at 3:34 by JdeBP

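One way to sidestep the failure discussed above is to apply the credentials to a child process instead of the running Go process: the standard library's `SysProcAttr.Credential` makes the forked child call setgroups, setgid and setuid before exec. This is an added example, not code from the question or the answer; `sudoIDs`, `droppedCommand` and the `id` stand-in command are assumptions.

```go
// Added example; sudoIDs and droppedCommand are hypothetical names.
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strconv"
	"syscall"
)

// sudoIDs reads SUDO_UID/SUDO_GID through getenv and rejects missing,
// non-numeric or zero values, so a bad environment cannot leave the child root.
func sudoIDs(getenv func(string) string) (uid, gid uint32, err error) {
	var ids [2]uint32
	for i, name := range []string{"SUDO_UID", "SUDO_GID"} {
		n, perr := strconv.ParseUint(getenv(name), 10, 32)
		if perr != nil || n == 0 {
			return 0, 0, fmt.Errorf("%s=%q is not a non-root numeric ID", name, getenv(name))
		}
		ids[i] = uint32(n)
	}
	return ids[0], ids[1], nil
}

// droppedCommand prepares (without starting) a child whose credentials are set
// in the forked child just before exec, where only one thread exists.
func droppedCommand(uid, gid uint32, path string, args ...string) *exec.Cmd {
	cmd := exec.Command(path, args...)
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{Credential: &syscall.Credential{
		Uid: uid, Gid: gid,
		Groups: []uint32{gid}, // replaces root's supplementary groups
	}}
	return cmd
}

func main() {
	uid, gid, err := sudoIDs(os.Getenv)
	if err == nil {
		// "id" stands in for the unprivileged worker; it prints the new IDs.
		err = droppedCommand(uid, gid, "id").Run()
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "drop-sudo:", err)
		os.Exit(1)
	}
}
```

Run under sudo, the child reports the invoking user's uid, gid and a single group; the parent stays root only long enough to start it.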



























             
