Super User Can't Change UID?

J

James Gray

Why would the super user not be able to switch UID's?

$ sudo ruby -r etc -e 'Process.uid = Etc.getpwnam("james").uid'
Password:
-e:1:in `uid=': Operation not permitted (Errno::EPERM)
from -e:1

Tips of TFM I should go R are welcome. :)

James Edward Gray II
 
M

Michel Boaventura

This works on my gentoo without any problem. Try to became root and
try to run to see if it's another problem.
 
J

James Gray

This works on my gentoo without any problem. Try to became root and
try to run to see if it's another problem.

It doesn't seem to work for me that way either:

$ sudo sh
Password:
sh-3.2# ruby -r etc -e 'Process.uid = Etc.getpwnam("james").uid'
-e:1:in `uid=': Operation not permitted (Errno::EPERM)
from -e:1

James Edward Gray II
 
J

James Gray

Why would the super user not be able to switch UID's?

$ sudo ruby -r etc -e 'Process.uid = Etc.getpwnam("james").uid'
Password:
-e:1:in `uid=': Operation not permitted (Errno::EPERM)
from -e:1

Another data point on this odd issue: Apple's bundled Ruby (I'm on OS
X) works:

$ sudo /usr/bin/ruby -r etc -e 'Process.uid =
Etc.getpwnam("james").uid'
Password:
$

It's just the Ruby I built that fails. How could I have messed this
up in the build?

James Edward Gray II
 
R

Rob Biedenharn

It doesn't seem to work for me that way either:

$ sudo sh
Password:
sh-3.2# ruby -r etc -e 'Process.uid = Etc.getpwnam("james").uid'
-e:1:in `uid=': Operation not permitted (Errno::EPERM)
from -e:1

James Edward Gray II


It works for me on Ubuntu and Mac OS X also.

-Rob

Rob Biedenharn http://agileconsultingllc.com
(e-mail address removed)
 
R

Rob Biedenharn

Were you using Apple's bundled Ruby or something you compiled?

James Edward Gray II


Apple's /usr/bin/ruby. (I'd answered before I saw your
clarification.) I also just ran it fine with macruby.

$ sudo macruby -r etc -e 'puts Process.pid,Process.uid; sleep 2;puts
"now"; Process.uid = Etc.getpwnam("rab").uid; puts Process.uid; sleep 2'
Password:
26951
0
now
501

I don't suppose that really helps you much.

-Rob

Rob Biedenharn http://agileconsultingllc.com
(e-mail address removed)
 
J

James Gray

Apple's /usr/bin/ruby. (I'd answered before I saw your
clarification.) I also just ran it fine with macruby.

It also seems to work in my locally compiled 1.9:

$ sudo ruby_dev -r etc -ve 'Process.uid = Etc.getpwnam("james").uid'
Password:
ruby 1.9.1 (2008-12-30 patchlevel-0 revision 21203) [i386-
darwin9.6.0]

James Edward Gray II
 
E

Ezra Zygmuntowicz

Apple's /usr/bin/ruby. (I'd answered before I saw your
clarification.) I also just ran it fine with macruby.

It also seems to work in my locally compiled 1.9:

$ sudo ruby_dev -r etc -ve 'Process.uid = Etc.getpwnam("james").uid'
Password:
ruby 1.9.1 (2008-12-30 patchlevel-0 revision 21203) [i386-
darwin9.6.0]

James Edward Gray II

It fails for me on my self compiled ruby 1.8.6 on osx but the built
in ruby and my gentoo ruby works fine. No clue why.

-Ezra
 
D

Daniel Berger

James said:
Why would the super user not be able to switch UID's?

$ sudo ruby -r etc -e 'Process.uid = Etc.getpwnam("james").uid'
Password:
-e:1:in `uid=': Operation not permitted (Errno::EPERM)
from -e:1

Tips of TFM I should go R are welcome. :)

I seem to recall that setreuid() is busted on OS X, 10.4.x anyway. I
think it's fixed in 10.5, but I can't confirm.

I know this has come up before. Check the the ruby-core archives.

Regards,

Dan
 
D

Daniel Berger

James said:
Another data point on this odd issue: Apple's bundled Ruby (I'm on OS
X) works:

$ sudo /usr/bin/ruby -r etc -e 'Process.uid = Etc.getpwnam("james").uid'
Password:
$

It's just the Ruby I built that fails. How could I have messed this up
in the build?

Are you on 10.4.x?

If I had to guess, I'd bet Apple replaced setreuid() with seteuid(), but
that's a guess.

I've never really understood the way OS X manages users. My own account
is not in /etc/passwd, but shows up in NetInfo.

Regards,

Dan
 
J

James Gray

I seem to recall that setreuid() is busted on OS X, 10.4.x anyway. I
think it's fixed in 10.5, but I can't confirm.

I'm on Mac OS X 10.5.6.
I know this has come up before. Check the the ruby-core archives.

I did a few searches, but didn't find a match. I did find old posts
about how Process.uid= can't handle negative UID's which is another
issue I'm fighting, but nothing about this issue.

If I had to guess, I'd bet Apple replaced setreuid() with seteuid(),
but that's a guess.

If that were the case, would it maybe be possible to switch users
using Apple's alternate API?

Unfortunately, this issue is a big snag that's preventing us from
shipping an application, so I've got to find some workaround. I've
considered trying to exec() my program adding su/sudo to switch the
user as a possible option. Would that work? I need to switch both
the user and group.

James Edward Gray II
 
E

Ezra Zygmuntowicz

I'm on Mac OS X 10.5.6.


I did a few searches, but didn't find a match. I did find old posts
about how Process.uid= can't handle negative UID's which is another
issue I'm fighting, but nothing about this issue.



If that were the case, would it maybe be possible to switch users
using Apple's alternate API?

Unfortunately, this issue is a big snag that's preventing us from
shipping an application, so I've got to find some workaround. I've
considered trying to exec() my program adding su/sudo to switch the
user as a possible option. Would that work? I need to switch both
the user and group.

James Edward Gray II




Does something like this not work for you?

def _change_privilege(user, group=user)
uid, gid = Process.euid, Process.egid

begin
target_uid = Etc.getpwnam(user).uid
rescue ArgumentError => e
return false
end

begin
target_gid = Etc.getgrnam(group).gid
rescue ArgumentError => e
return false
end

if (uid != target_uid) || (gid != target_gid)
# Change process ownership
Process.initgroups(user, target_gid)
Process::GID.change_privilege(target_gid)
Process::UID.change_privilege(target_uid)
end
true
rescue Errno::EPERM => e
false
end


Cheers-

Ezra Zygmuntowicz
(e-mail address removed)
 
J

James Gray

Does something like this not work for you?

def _change_privilege(user, group=user)
uid, gid = Process.euid, Process.egid

begin
target_uid = Etc.getpwnam(user).uid
rescue ArgumentError => e
return false
end

begin
target_gid = Etc.getgrnam(group).gid
rescue ArgumentError => e
return false
end

if (uid != target_uid) || (gid != target_gid)
# Change process ownership
Process.initgroups(user, target_gid)
Process::GID.change_privilege(target_gid)
Process::UID.change_privilege(target_uid)
end
true
rescue Errno::EPERM => e
false
end

This worked. Thanks so much Ezra.

James Edward Gray II
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,483
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top