5

Suppose I change some user settings like its initial login group or add it to a new group. I now can do su user and work with these new settings. But all the previously running processes will still have the same permissions as before.

How can I force a specific running process to re-read /etc/passwd and /etc/group to reinitialize its user and group settings, without terminating any activity it was doing? I've tried attaching to the process with gdb and do print setuid(MY_USER_ID), but despite the result was 0 (i.e. success), the process still remained with the same data (checked on bash running groups to see whether additional group has appeared).

Gilles 'SO- stop being evil'
  • 829,060
Ruslan
  • 3,370

3 Answers3

2

Very interesting attempt. Actually, process's supplementary groups (defined in /etc/group) are set by setgroups system call. It requires CAP_SETGID privilege or being root.

So you can do like this:

# id
uid=0(root) gid=0(root) groups=0(root)

# gdb -q id
Reading symbols from id...(no debugging symbols found)...done.
(gdb) b getgroups
Breakpoint 1 at 0x401990
(gdb) run
Starting program: /usr/bin/id 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, getgroups () at ../sysdeps/unix/syscall-template.S:81
81  ../sysdeps/unix/syscall-template.S: No such file or directory.
(gdb) call setgroups(5, {1, 2, 3, 4, 5})
$1 = 0
(gdb) d 1
(gdb) c
Continuing.
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),5(tty)
[Inferior 1 (process 8059) exited normally]
(gdb)
yaegashi
  • 12,326
  • But this wouldn't work for a non-root process, right? Does a process have to become root first to reinit its groups? – Ruslan Jun 10 '15 at 04:51
  • @Ruslan Yes, therefore you need to start another session for group changes to take effect, and /usr/bin/newgrp is a setuid command. – yaegashi Jun 10 '15 at 05:09
1

Seems like a rather pointless exercise.

Target process not only may not have all rights necessary to switch credentials, it may have its uid/gid stored somewhere and actively used, so a surprise credential change may actually break things.

There are various entities which know who owns them - files, sysv ipc.

So you would need to /stop/ all target processes and updated all possible places.

But some processes may be blocked in an uninterruptible manner in the kernel - now what?

For toy purposes, you would need a kernel module changing credentials for processes, but even that cannot easily deal with blocked processes.

Or in other words: what are you really trying to accomplish and why?

employee of the month
  • 209
  • Actually what I want to accomplish doesn't depend on what the process does with its uid/gid etc. I'm just trying to grant/deny it some permission from now on, but not having to stop the process, which may be in the middle of something (not in disk sleep anyway) or whatever. – Ruslan Jun 10 '15 at 09:09
  • In that case you want to investigate LSM modules instead. – employee of the month Jun 12 '15 at 10:12
0

Yup, I also encounter this issue frequently. This is a Linux kernel defect (which can pose some data security concerns), thus, no user-level programs can do it. So I have explicitly made a kernel-module program for doing this.

#include <linux/cred.h>
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/pid.h>
#include <linux/pid_namespace.h>
#include <linux/printk.h>
#include <linux/sched.h>
#include <linux/uidgid.h>

static int arg_pid=0;
static int arg_gid=0;
static char *arg_act="add";


module_param(arg_pid, int, 0);
MODULE_PARM_DESC(arg_pid, "PID of the process");
module_param(arg_gid, int, 0);
MODULE_PARM_DESC(arg_gid, "GID of the group to add to PID's supplimentary groups");
module_param(arg_act, charp, 0);
MODULE_PARM_DESC(arg_act, "action to perform: add/remove/list/query");


struct pid pid_struct = NULL;
struct task_struct task = NULL;
struct cred real_cd = NULL;
struct cred effe_cd = NULL;
struct group_info gi = NULL;
struct group_info new_gi = NULL;


bool query(int gid, struct group_info *gi){
    for(int x=0; x<gi->ngroups; ++x)
        if(gid==gi->gid[x].val) return true;
    return false;
}


int init_module(void) {
    if(arg_pid==0){
        pr_info("Error: Usage: insmod supgroup.ko arg_pid=## arg_gid=## (arg_act='add/remove/list/query') && rmmod supgroup\n");
        return 0;
    }
    pid_struct = find_get_pid(arg_pid);
    if(pid_struct==NULL){
        pr_info("Error: find_get_pid() failed\n");
        return 0;
    }
    task = pid_task(pid_struct, PIDTYPE_PID);
    if(task==NULL){
        pr_info("Error: pid_task() failed\n");
        return 0;
    }
    if(task->real_cred==NULL){
        pr_info("Error: task->real_cred == NULL\n");
        return 0;
    }
    gi = task->real_cred->group_info;
    if(gi==NULL){
        pr_info("Error: task->real_cred->group_info == NULL\n");
        return 0;
    }


if(!strcmp(arg_act, &quot;add&quot;)){
    if(query(arg_gid, gi)){
        pr_info(&quot;GID %d is already in PID %d's supplementary group list\n&quot;, arg_gid, arg_pid);
        return 0;
    }
    new_gi = groups_alloc(gi-&gt;ngroups+1);
    if(new_gi==NULL){
        pr_info(&quot;Error: groups_alloc() failed, out of kernel memory?\n&quot;);
        return 0;
    }
    for(int x=0; x&lt;gi-&gt;ngroups; ++x)
        new_gi-&gt;gid[x] = gi-&gt;gid[x];
    new_gi-&gt;gid[gi-&gt;ngroups].val = arg_gid;
    groups_sort(new_gi);

    // forcefully set group_info
    get_cred((const struct cred *)new_gi);
    *(struct group_info**)(&amp;task-&gt;real_cred-&gt;group_info) = new_gi;
    *(struct group_info**)(&amp;task-&gt;cred-&gt;group_info) = new_gi;

    pr_info(&quot;Added GID %d to PID %d's supplementary groups\n&quot;, arg_gid, arg_pid);
}else if(!strcmp(arg_act, &quot;remove&quot;)){
    if(!query(arg_gid, gi)){
        pr_info(&quot;GID %d is not in PID %d's supplementary group list\n&quot;, arg_gid, arg_pid);
        return 0;
    }
    new_gi = groups_alloc(gi-&gt;ngroups-1);
    if(new_gi==NULL){
        pr_info(&quot;Error: groups_alloc() failed, out of kernel memory?\n&quot;);
        return 0;
    }
    for(int x=0,y=0; x&lt;gi-&gt;ngroups; ++x)
        if(gi-&gt;gid[x].val != arg_gid){
            new_gi-&gt;gid[y] = gi-&gt;gid[x];
            y++;
        }

    // forcefully set group_info
    get_cred((const struct cred *)new_gi);
    *(struct group_info**)(&amp;task-&gt;real_cred-&gt;group_info) = new_gi;
    *(struct group_info**)(&amp;task-&gt;cred-&gt;group_info) = new_gi;

    pr_info(&quot;Removed GID %d from PID %d's supplementary groups\n&quot;, arg_gid, arg_pid);
}else if(!strcmp(arg_act, &quot;list&quot;)){
    pr_info(&quot;Listing PID %d's supplementary groups' GIDs: &quot;, arg_pid);
    for(int x=0; x&lt;gi-&gt;ngroups; ++x)
        pr_info(&quot;%d &quot;, gi-&gt;gid[x].val);
    pr_info(&quot;Done\n&quot;);
}else if(!strcmp(arg_act, &quot;query&quot;)){
    pr_info(&quot;GID %d is %s PID %d's supplementary group list\n&quot;, arg_gid, query(arg_gid, gi)?&quot;in&quot;:&quot;not in&quot;, arg_pid);
}

return 0;



}


void cleanup_module(void){}
MODULE_LICENSE("GPL");

Checkout the detailed usage at my Github repo (https://github.com/xuancong84/supgroup). This is useful for Linux system administrators.

xuancong84
  • 140