1

Is it possible - for a privileged process - to change the GID of another process. I know that there is the setgroups() system call that allows a process to change it's own GID. However, I want to do this from 'outside' the process (and after the PAM stack was processed). I already saw this post, but there was no real answer to the problem.

Are there any reasons for not changing the GID after PAM traversal other than there might be problems with opened resources like file descriptors? I understand that opened files would still use the old GID after the change.

PraMiD
  • 11
  • Most likely the process to be changed must also be privileged, because it's the one that would execute the system call. – A.B Jul 27 '20 at 18:25
  • This is true, if the process changes its own GID. But what I am trying to do is changing the GID of an arbitrary process from some other process on the system. – PraMiD Jul 27 '20 at 20:31
  • All access decisions, from the shared libraries loaded by ld.so to files read/written by the process, must be re-evaluated with the new GID. What if the new GID doesn't have access to a file the process has been writing? Undo the writes? – waltinator Jul 27 '20 at 20:33
  • I know that this is a problem. However, as far as I know, usually Linux only checks file access when we open a file. If the permissions change afterwards, the kernel won't care about until the file is closed and opened again. Additionally, this is also a problem if a process drops its own privileges after opening a file, isn't it? – PraMiD Jul 27 '20 at 20:41
  • @waltinator Actually that's not an issue at all. Processes are allowed to read/write to a file they have no permissions to as long as they have an open FD. Permissions are only applied when a process attempts to open a file (with read / write / execute permissions). They have no effect after that. – Philip Couling Jul 28 '20 at 09:44
  • @PhilipCouling no, as I want to change the groups/permissions of the process and not move it to a different process group. As far as I know - the GID if a process is independent of its process group after process creation. Thus, changing the GID of process B which is in the same process group as process A should ot affect the GID of A. Is this correct? – PraMiD Jul 28 '20 at 09:51
  • @PraMiD Apologies. I completely misread. I guess I need more coffee :-/. However I suspect the answer may be the same: that no it's not possible except by means of ptrace. – Philip Couling Jul 28 '20 at 10:44
  • @PhilipCouling Thanks, for the reply. I already assumed this.. Then I have to come up with a different solution – PraMiD Jul 28 '20 at 11:42
  • @AdminBee "no, as I want to change the groups/permissions of the process and not move it to a different process group" – PraMiD Jul 28 '20 at 12:08

0 Answers0