Comparing effective and real uid/gid is not a proper way to check for
SUID execution:
1. this does not consider file capabilities
2. this check breaks when NO_NEW_PRIVS is used as the Linux kernel
resets effective ids during execve(); this means the check is
false, but the process still has raised capabilities
For more details about the NO_NEW_PRIVS problem, check this post and
the surrounding thread:
https://lore.kernel.org/lkml/
20250509184105.840928-1-max.kellermann@ionos.com/
Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
#include <stdarg.h>
#include <string.h>
+#include <sys/auxv.h> // for getauxval()
struct ul_debug_maskname {
const char *name;
} else \
lib ## _debug_mask = mask; \
if (lib ## _debug_mask) { \
- if (getuid() != geteuid() || getgid() != getegid()) { \
+ if (getauxval(AT_SECURE)) { \
lib ## _debug_mask |= __UL_DEBUG_FL_NOADDR; \
fprintf(stderr, "%d: %s: don't print memory addresses (SUID executable).\n", getpid(), # lib); \
} \
#include <sys/syscall.h>
#endif
#include <unistd.h>
+#include <sys/auxv.h> // for getauxval()
#include <sys/types.h>
#include "env.h"
char *safe_getenv(const char *arg)
{
- if ((getuid() != geteuid()) || (getgid() != getegid()))
+ if (getauxval(AT_SECURE))
return NULL;
#ifdef HAVE_PRCTL
if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0)
#include "match.h"
#include <stdarg.h>
+#include <sys/auxv.h> // for getauxval()
#include <sys/wait.h>
#include "mount-api-utils.h"
struct libmnt_context *mnt_new_context(void)
{
struct libmnt_context *cxt;
- uid_t ruid, euid;
+ uid_t ruid;
cxt = calloc(1, sizeof(*cxt));
if (!cxt)
return NULL;
ruid = getuid();
- euid = geteuid();
mnt_context_reset_status(cxt);
INIT_LIST_HEAD(&cxt->hooksets_datas);
/* if we're really root and aren't running setuid */
- cxt->restricted = (uid_t) 0 == ruid && ruid == euid ? 0 : 1;
+ cxt->restricted = (uid_t) 0 == ruid && !getauxval(AT_SECURE) ? 0 : 1;
cxt->noautofs = 0;
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <sys/auxv.h> // for getauxval()
#include <sys/types.h>
#include <unistd.h>
int broken = 0;
/* real root does not have restrictions */
- if (geteuid() == getuid() && getuid() == 0) {
+ if (!getauxval(AT_SECURE) && getuid() == 0) {
ctl->allow_fullname = ctl->allow_room = ctl->allow_work = ctl->allow_home = 1;
return;
}
#ifdef HAVE_LIBUSER
/* If we're setuid and not really root, disallow the password change. */
- if (geteuid() != getuid() && uid != ctl.pw->pw_uid) {
+ if (getauxval(AT_SECURE) && uid != ctl.pw->pw_uid) {
#else
if (uid != 0 && uid != ctl.pw->pw_uid) {
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <sys/auxv.h> // for getauxval()
#include <sys/types.h>
#include <unistd.h>
/* reality check */
#ifdef HAVE_LIBUSER
/* If we're setuid and not really root, disallow the password change. */
- if (geteuid() != getuid() && uid != pw->pw_uid) {
+ if (getauxval(AT_SECURE) && uid != pw->pw_uid) {
#else
if (uid != 0 && uid != pw->pw_uid) {
#endif
*/
#include <stdio.h>
#include <getopt.h>
+#include <sys/auxv.h> // for getauxval()
#include <sys/types.h>
#include <pwd.h>
#include <grp.h>
static int is_not_root(void)
{
const uid_t ruid = getuid();
- const uid_t euid = geteuid();
/* if we're really root and aren't running setuid */
- return (uid_t) 0 == ruid && ruid == euid ? 0 : 1;
+ return (uid_t) 0 == ruid && !getauxval(AT_SECURE) ? 0 : 1;
}
/* Don't rely on PAM and reset the most important limits. */
#include <errno.h>
#include <sys/stat.h>
#include <unistd.h>
+#include <sys/auxv.h> // for getauxval()
#include <sys/types.h>
#include <sys/wait.h>
#include <fcntl.h>
return -1;
case 0: /* child */
- if (geteuid() != getuid() && drop_permissions() != 0)
+ if (getauxval(AT_SECURE) && drop_permissions() != 0)
exit(EXIT_FAILURE);
cmd[idx++] = "mkswap";
*
*/
+#include <sys/auxv.h> // for getauxval()
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/time.h>
* instead of "wall file".
*/
uid_t uid = getuid();
- if (uid && (uid != geteuid() || getgid() != getegid()))
+ if (uid && getauxval(AT_SECURE))
errx(EXIT_FAILURE, _("will not read %s - use stdin."),
fname);
#include <unistd.h>
#include <stdlib.h>
#include <stdarg.h>
+#include <sys/auxv.h> // for getauxval()
#include <sys/param.h>
#include <ctype.h>
#include <signal.h>
}
va_end(argp);
- if ((geteuid() != getuid() || getegid() != getgid())
+ if (getauxval(AT_SECURE)
&& drop_permissions() != 0)
err(EXIT_FAILURE, _("drop permissions failed"));