4190 – [Anolis 23 Nightly][aarch64/x86] setuid\setgid 设置权限失败

Bug 4190 - [Anolis 23 Nightly][aarch64/x86] setuid\setgid 设置权限失败

Summary: [Anolis 23 Nightly][aarch64/x86] setuid\setgid 设置权限失败

Status:	RESOLVED INVALID

Alias:	None

Product:	Anolis OS 23
Classification:	Anolis OS
Component:	BaseOS Packages (show other bugs)	BaseOS Packages
Sub Component:
Version:	23.0
Hardware:	All Linux

Importance:	P2-High S2-major
Target Milestone:	---
Assignee:	xuchunmei
QA Contact:	bolong_tbl

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2023-02-23 15:49 UTC by yunmeng365524
Modified:	2023-02-24 12:45 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description yunmeng365524 2023-02-23 15:49:09 UTC

Description of problem:
setuid\setgid 设置权限失败

Version-Release number of selected component (if applicable):
[root@iZbp1b3q91t7fog9z072ivZ devel_toolchains]# cat /etc/os-release
NAME="Anolis OS"
VERSION="23"
ID="anolis"
VERSION_ID="23"
PLATFORM_ID="platform:an23"
PRETTY_NAME="Anolis OS 23"
ANSI_COLOR="0;31"
HOME_URL="https://openanolis.cn/"
BUG_REPORT_URL="https://bugzilla.openanolis.cn/"

[root@iZbp1b3q91t7fog9z072ivZ devel_toolchains]# uname -a
Linux iZbp1b3q91t7fog9z072ivZ 5.10.134-12.1.an23.aarch64 #1 SMP Thu Oct 13 11:31:15 CST 2022 aarch64 GNU/Linux

[root@iZbp1b3q91t7fog9z072ivZ libcap-test]# yum info libcap
Last metadata expiration check: 1:06:37 ago on Thu 23 Feb 2023 02:40:06 PM CST.
Installed Packages
Name         : libcap
Version      : 2.67
Release      : 1.an23
Architecture : aarch64
Size         : 1.5 M
Source       : libcap-2.67-1.an23.src.rpm
Repository   : @System
From repo    : build
Summary      : Library for getting and setting POSIX.1e capabilities
URL          : ihttps://sites.google.com/site/fullycapable/
License      : BSD or GPLv2
Description  : libcap is a library for getting and setting POSIX.1e (formerly POSIX 6)
             : draft 15 capabilities.

How reproducible:
useradd libcap-user
mkdir -p libcap-test && chmod 777 libcap-test
cat > ./libcap-test/test.c << EOF
#include <unistd.h>
#include <stdio.h>

int main()
{
    if (getuid() == 0 || getgid() == 0) {
        printf("uid or gid is 0\\n");
        return -1;
    }
    printf("old_uid:%d\\nold_gid:%d\\n", getuid(), getgid());
    if (setuid(0)) {
        printf("insufficient privilege to setuid.\\n");
    }
    if (setgid(0)) {
        printf("insufficient privilege to setgid.\\n");
    }
    printf("new_uid:%d\\nnew_gid:%d\\n", getuid(), getgid());
    return 0;
}
EOF
gcc ./libcap-test/test.c -o ./libcap-test/test

chown libcap-user:libcap-user ./libcap-test/test

cd libcap-test && su libcap-user -c './test'

Steps to Reproduce:
如上

Actual results:
old_uid:1000
old_gid:1001
insufficient privilege to setuid.
insufficient privilege to setgid.
new_uid:1000
new_gid:1001

Expected results:
old_uid:1000
old_gid:1001
new_uid:0
new_gid:0

Additional info:
对比an8:
[root@iZbp1e3pj4ubukt0jp7zyzZ libcap-test]# su libcap-user -c ./test
old_uid:1000
old_gid:1001
new_uid:0
new_gid:0
[root@iZbp1e3pj4ubukt0jp7zyzZ libcap-test]# yum info libcap
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 2:02:08 ago on Thu Feb 23 13:44:39 2023.
Installed Packages
Name         : libcap
Version      : 2.48
Release      : 4.an8
Architecture : aarch64
Size         : 502 k
Source       : libcap-2.48-4.an8.src.rpm
Repository   : @System
From repo    : BaseOS
Summary      : Library for getting and setting POSIX.1e capabilities
URL          : https://sites.google.com/site/fullycapable/
License      : BSD or GPLv2
Description  : libcap is a library for getting and setting POSIX.1e (formerly POSIX 6)
             : draft 15 capabilities.

Comment 1 xuchunmei alibaba_cloud_group

2023-02-23 16:25:20 UTC

修改测试程序如下：
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <string.h>

int main()
{
    if (getuid() == 0 || getgid() == 0) {
        printf("uid or gid is 0\n");
        return -1;
    }
    printf("old_uid:%d\nold_gid:%d\n", getuid(), getgid());
    if (setuid(0)) {
        printf("insufficient privilege to setuid,error=%s.\n", strerror(errno));
    }
    if (setgid(0)) {
        printf("insufficient privilege to setgid, errno=%s.\n", strerror(errno));
    }
    printf("new_uid:%d\nnew_gid:%d\n", getuid(), getgid());
    return 0;
}

提示信息：
# su cap_test -c ./test
old_uid:1001
old_gid:1001
insufficient privilege to setuid,error=Operation not permitted.
insufficient privilege to setgid, errno=Operation not permitted.
new_uid:1001
new_gid:1001

执行无权限，使用普通用户试图去setuid与setgid为root用户，提示无权限这是预期行为。

通过设置cap来提升capability后：
# setcap cap_setuid,cap_setgid=ep ./test
# su cap_test -c ./test
old_uid:1000
old_gid:1000
new_uid:0
new_gid:0

执行成功。

Comment 2 yunmeng365524 2023-02-23 17:17:18 UTC

setcap 后一样有问题。
[root@iZbp1b3q91t7fog9z072ivZ libcap]# setcap cap_setuid,cap_setgid=ep ./libcap-test/test
[root@iZbp1b3q91t7fog9z072ivZ libcap]# ll
total 4
drwxrwxrwx. 2 root root   80 Feb 23 15:12 libcap-test
drwxr-xr-x. 2 root root   60 Feb 23 15:12 __pycache__
-rw-r--r--. 1 root root 2623 Feb 23 15:12 tc_libcap_fun_001.py
[root@iZbp1b3q91t7fog9z072ivZ libcap]# getcap ./libcap-test/test
./libcap-test/test cap_setgid,cap_setuid=ep
[root@iZbp1b3q91t7fog9z072ivZ libcap]# cd libcap-test && su libcap-user -c './test'
old_uid:1000
old_gid:1001
insufficient privilege to setuid.
insufficient privilege to setgid.
new_uid:1000
new_gid:1001

Comment 3 xuchunmei alibaba_cloud_group

2023-02-23 17:34:26 UTC

需要保证libcap-user执行权限，比如test放到/home/libcap-user目录下执行就是ok的。
# pwd
/home/libcap-user

# su libcap-user -c ./test
old_uid:1000
old_gid:1001
new_uid:0
new_gid:0

Comment 4 xuchunmei alibaba_cloud_group

2023-02-24 12:45:10 UTC

补充问题原因，测试用例运行目录为/tmp目录，/tmp目录权限为：
drwxrwxrwt.  11 root root  220 Feb 24 12:44 tmp

t权限导致capabilities失效。

更改到非t权限的目录执行正常。