setreuid call fails to re-establish process permissions

Question

I am a bit confused with setreuid.

Scenario: A process runs as normal user (id: cateof) but for a very short fraction of time needs to be run as root. I have to elevate permissions to root from cateof and then back to normal user. My first thought was that nesting my "root call" between a setreuid(0, 0); and a setreuid(ruid, euid); would be enough, but I was wrong. The only way to go back to normal user is to call setreuid(ruid, euid) twice in a raw after the "root call".

Here is the code:

int main(...) {
    //check the permission, that the program is setuid
    //become normal user 
    ruid = getuid ();
    euid = geteuid ();
    setreuid(ruid, euid); 
    ...
    setreuid(0, 0);
    root_action();
    setreuid(ruid, euid); //undo root #1
    setreuid(geteuid(), getuid()); //undo root#2

If I don't call the setreuid(geteuid(), getuid()) at the last line the process keeps running as root. Why do I need to call it twice???

Answer 1

You're first call to setreuid is actually a no-op - it does not drop privileges, you are essentially saying set my real uid to my getuid and my effective uid to my geteuid, which in the case of a setuid app is the same as you obtained.

At the start of a setuid root program run as user bob, then getuid() == bob, geteuid() == root

If you want to drop privileges, then you should probably have called:

setreuid(euid, ruid);

Thad would have set the effective uid to bob and the real uid to rood. Everything done after that point will be as if by the unprivileged user bob, understanding that you have not completely dropped the ability to switch back to root privileges at this point, because you have not wiped out the saved-user-id information.

Obtaining root privileges would be done by:

setreuid(ruid, euid);

Similarly, at the end, when you are re-dropping privileges, you need to do the same:

setreuid(euid, ruid);

i.e. set the effective uid to the id bob. the [answer here][1] is a similar situation, which explains the details a little more concisely.

Generally, when checking this information, a little printerhelper like:

void printids(char *header) {
    uid_t ruid, euid, saveduid;
    getresuid(&ruid, &euid, &saveduid);
    printf("%s ruid=%d euid=%d saveduid=%d\n", header, ruid, euid, saveduid);
}

assists in determining the privileges/uid information at all the steps.

it would be a little simpler to just use seteuid() for the temporary changing of the privileges, rather than the little more heavy handed setreuid(). You can also use the setresuid() call to be more explicit on the setting of the real, effective and saved userid values.

Saving and dropping privileges:

setresuid(ruid, ruid, euid);

Re-obtaining root privileges:

setresuid(euid, euid, -1);

Dropping back to non-root privileges:

setresuid(ruid, ruid, -1);

i.e. we let the saved user-id keep the root information, and manipulate the realuid and euid values toggling between root/non-root