From owner-freebsd-hackers@FreeBSD.ORG Sat Nov 28 18:28:05 2009
Date: Sat, 28 Nov 2009 08:28:03 -1000
From: Clifton Royston <cliftonr@lava.net>
To: freebsd-hackers@freebsd.org
Cc: Anthony Pankov
Subject: Re: ucred when euid/egid
Message-ID: <20091128182803.GA13793@lava.net>
In-Reply-To: <20091128120018.16D2C10656C7@hub.freebsd.org>
List-Id: Technical Discussions relating to FreeBSD

> Date: Fri, 27 Nov 2009 19:56:59 +0300
> From: Anthony Pankov
> Subject: ucred when euid/egid
> To: freebsd-hackers@freebsd.org
> Message-ID: <15434604890.20091127195659@mail.ru>
>
> Hello,
>
> I am facing a situation I don't understand, related to access permissions.
>
> There is a program (script) with suid/sgid set (mode 6555):
>
>   r-sr-sr-x fuser:proggroup theprog
>
> There is a file:
>
>   rw-rw---- someone:filegroup thefile
>
> User 'fuser' (== program euid) has primary group 'filegroup' (== the group
> that can read/write thefile).
>
> The program tries to read (write) thefile and fails with a permissions error.
>
> I don't fully understand why.

There is no bug; when you use the suid/sgid facility, the program gains
the effective user ID and/or the effective GID of the executable.  It
does *not* gain any gids which the effective user is added to at login.
man seteuid for more info.

In what you have shown, theprog has neither the same user (fuser vs.
someone) nor the same group (proggroup vs. filegroup) as the file you
want it to modify.  For what you want to do to work correctly, you
would need to either make theprog's ownership be:

  anyuser:filegroup

or

  fuser:proggroup

  -- Clifton

-- 
    Clifton Royston  --  cliftonr@iandicomputing.com / cliftonr@lava.net
       President  - I and I Computing * http://www.iandicomputing.com/
 Custom programming, network design, systems and network consulting services
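Added example, not part of the thread and not FreeBSD kernel code: a model of the owner/group/other permission check that decides access to thefile, fed with the credentials a mode-6555 executable actually runs with (effective ids from the executable, supplementary groups still those of the invoking login session). It also dumps the live credentials of the running process so the same effect can be observed on a real setuid/setgid binary. All user and group names and numbers below are constructed for the scenario in the question.

```c
/* Added example, not from the thread: a model of the Unix discretionary
 * access check applied to thefile, fed with the credentials a mode-6555
 * executable actually runs with, plus a dump of this process's live
 * credentials for checking the same thing on a real setuid/setgid binary.
 * All uid/gid numbers are constructed. */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

#define MAX_GROUPS 64

/* The part of a process credential the file permission check consults. */
struct cred {
    uid_t euid;
    gid_t egid;
    int   ngroups;             /* supplementary group count */
    gid_t groups[MAX_GROUPS];  /* set at login; exec leaves it untouched */
};

/* True if g is the effective gid or is in the supplementary list. */
static int cred_has_gid(const struct cred *c, gid_t g)
{
    if (c->egid == g)
        return 1;
    for (int i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return 1;
    return 0;
}

/* Owner, group or other class is chosen in that order and only that class's
 * bits count. 'want' is a mask of R_OK/W_OK/X_OK. Root override, ACLs and
 * MAC policies are deliberately not modelled. */
static int dac_allows(const struct cred *c, uid_t file_uid, gid_t file_gid,
                      mode_t mode, int want)
{
    int class_bits;
    if (c->euid == file_uid)
        class_bits = (mode >> 6) & 7;
    else if (cred_has_gid(c, file_gid))
        class_bits = (mode >> 3) & 7;
    else
        class_bits = mode & 7;
    return (class_bits & want) == want;
}

/* Constructed ids for the scenario in the thread. */
enum {
    UID_SOMEONE   = 1001,  /* owner of thefile */
    UID_FUSER     = 1002,  /* owner of theprog; in filegroup at login */
    GID_FILEGROUP = 2001,  /* group of thefile */
    GID_PROGGROUP = 2002,  /* group of theprog */
    GID_INVOKER   = 2003   /* primary group of whoever runs theprog */
};

/* Credentials after exec of r-sr-sr-x fuser:<prog_gid>: euid/egid come from
 * the executable, the supplementary list is still the invoker's. fuser's
 * login group filegroup is absent; nobody ran initgroups(3) for fuser. */
static struct cred creds_after_exec(gid_t prog_gid)
{
    struct cred c = { .euid = UID_FUSER, .egid = prog_gid,
                      .ngroups = 1, .groups = { GID_INVOKER } };
    return c;
}

/* As posted: thefile is rw-rw---- someone:filegroup, theprog is fuser:proggroup. */
static int theprog_can_rw_thefile_as_posted(void)
{
    struct cred c = creds_after_exec(GID_PROGGROUP);
    return dac_allows(&c, UID_SOMEONE, GID_FILEGROUP, 0660, R_OK | W_OK);
}

/* Same file, theprog chgrp'd to filegroup so the sgid bit yields egid == filegroup. */
static int theprog_can_rw_thefile_if_sgid_filegroup(void)
{
    struct cred c = creds_after_exec(GID_FILEGROUP);
    return dac_allows(&c, UID_SOMEONE, GID_FILEGROUP, 0660, R_OK | W_OK);
}

/* Live check: print this process's ids and supplementary list; returns the
 * list length, or -1 if getgroups(2) fails (more than MAX_GROUPS groups). */
static int dump_live_creds(void)
{
    gid_t groups[MAX_GROUPS];
    int n = getgroups(MAX_GROUPS, groups);
    printf("ruid=%lu euid=%lu rgid=%lu egid=%lu\nsupplementary:",
           (unsigned long)getuid(), (unsigned long)geteuid(),
           (unsigned long)getgid(), (unsigned long)getegid());
    for (int i = 0; i < n; i++)
        printf(" %lu", (unsigned long)groups[i]);
    printf("\n");
    return n;
}

int main(void)
{
    dump_live_creds();
    printf("as posted (fuser:proggroup): %s\n",
           theprog_can_rw_thefile_as_posted() ? "allowed" : "denied");
    printf("theprog sgid filegroup:      %s\n",
           theprog_can_rw_thefile_if_sgid_filegroup() ? "allowed" : "denied");
    return 0;
}
```

The model denies the posted layout and allows it once theprog's group is filegroup, which is the first option in the reply: the group bits of thefile only apply when filegroup is the effective gid or is in the supplementary list, and the supplementary list is whatever the invoker's login session set up, not fuser's. To see the live side, build it with `cc -o credtest credtest.c`, then as root `chown fuser:proggroup credtest && chmod 6555 credtest`, and run it as some other user: euid and egid change, the supplementary list printed is still that user's own.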