ucred when euid/egid

Anthony Pankov ap00 at mail.ru
Sun Nov 29 10:14:48 UTC 2009


Thank you for the reply.

So, seteuid/setegid isn't enough to gain group access the way the real uid has it.
But how can I achieve this? What functions should I call from
'theprog' to gain access to the groups the euid user belongs to?

Maybe I am solving the problem the wrong way?

The full problem is:

There is a file owned by group filegroup:
 rw-rw----   someone:filegroup    thefile

There is the program's data owned by group proggroup:

 rw-rw----   someone2:proggroup    progdata

I need a program (theprog) that can access 'thefile' and
'progdata' simultaneously. Program can be executed by anyone.


My idea was to seteuid theprog to a user who is a member of one group
(filegroup) and setegid theprog to another group (proggroup). In that
way I was going to give theprog rights to work with both files.


P.S. I don't want to use file ACLs.

Saturday, November 28, 2009, 9:28:03 PM, you wrote:

>>
>> Hello,
>> 
>> I am facing a situation I don't understand related to access permissions.
>> 
>> 
>> There is a program(script) with the suid/sgid (mode 6555):
>> 
>> r-sr-sr-x   fuser:proggroup  theprog
>> 
>> There is a file:
>> rw-rw----   someone:filegroup    thefile
>> 
>> 
>> User 'fuser' (== the program's euid) has primary group 'filegroup' (== the group
>> that can read/write thefile).
>> 
>> The program tries to read (write) thefile and fails with a permissions error.
>> 
>> I don't fully understand why.

CR>   There is no bug; when you use the suid/sgid facility, the program
CR> gains the effective user ID and/or the effective GID of the executable. 
CR> It does *not* gain any gids which the effective user is added to at
CR> login.

CR>   man seteuid for more info.

CR>   In what you have shown, theprog has neither the same user (fuser vs.
CR> someone) nor the same group (proggroup vs. filegroup) as the file you
CR> want it to modify.

CR>   For what you want to do to work correctly, you would need to either
CR> make theprog's ownership be:

CR>     anyuser:filegroup
CR> or 
CR>     fuser:proggroup

CR>   -- Clifton




-- 
Best regards,
 Anthony                            mailto:ap00 at mail.ru
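As an added illustration (not part of this thread or of FreeBSD's own code), the check below reproduces the group half of the kernel's permission test that Clifton describes: a file's group matches only if its gid equals the process's effective gid or one of its supplementary gids, and seteuid()/setegid() change the former but never the latter. Path and gid values used in the live check are whatever the caller passes; the pure function can be exercised with constructed gids.

```c
/* Added example: why a setuid/setgid program still fails the group test.
 * The kernel compares the file's gid against the credential's egid and its
 * supplementary group list. The list is filled at login (initgroups) and
 * is not touched by seteuid()/setegid(); changing it needs privilege. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure check: does a credential (egid + supplementary gids) match file_gid? */
int gid_in_cred(gid_t file_gid, gid_t egid, const gid_t *groups, int ngroups)
{
    if (file_gid == egid)
        return 1;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == file_gid)
            return 1;
    return 0;
}

/* Live check: report whether this process matches path's group.
 * Returns 1 on match, 0 on no match, -1 if the file cannot be stat'ed. */
int explain_group_access(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) {
        perror(path);
        return -1;
    }
    int n = getgroups(0, NULL);          /* size of the supplementary list */
    if (n < 0) {
        perror("getgroups");
        return -1;
    }
    gid_t *groups = calloc((size_t)n + 1, sizeof *groups);
    if (groups == NULL)
        return -1;
    n = getgroups(n, groups);
    int match = (n < 0) ? 0 : gid_in_cred(st.st_gid, getegid(), groups, n);
    printf("%s: file gid=%u euid=%u egid=%u supplementary gids=%d -> %s\n",
           path, (unsigned)st.st_gid, (unsigned)geteuid(),
           (unsigned)getegid(), n < 0 ? 0 : n,
           match ? "group bits apply" : "group bits do NOT apply");
    free(groups);
    return match;
}
```

Run explain_group_access() on 'thefile' from inside theprog: with egid == proggroup and no supplementary filegroup entry it reports no match, which is exactly the failure in the original question.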