furrypop has asked for the wisdom of the Perl Monks concerning the following question:

Hi,

I am struggling to get a daemon's child processes to be created under an appropriate group ID.

setuid and setgid only seem to affect the real ID/group, not the effective one.

Assigning to the special variables $<, $>, $( and $) works for the ID, but not the group.

I think it clearest if I give an example script.

    #!/usr/bin/perl -w
    use strict;
    use POSIX qw(setgid setsid setuid);

    my $i;
    my $pid;
    my @user;
    my $dmon_id="furrypop";
    my $outfile="/export/home/furrypop/daemon.out";

    &write_log("Start");

    chdir '/' or die "Can't chdir to /: $!";
    open STDIN, '/dev/null' or die "Can't read /dev/null: $!";
    open STDOUT, '>/dev/null' or die "Can't write to /dev/null: $!";

    defined($pid = fork) or die "Can't fork: $!";
    if ($pid) {
        # parent-only processing follows...
        &write_log("Parent");
        sleep 10;
    } else {
        # child-only processing follows...
        # switch the ID under which the child is running
        setsid or die "Can't start a new session: $!";
        @user=getpwnam($dmon_id);
        if (@user) {
            # setuid $user[2] or die "Cannot switch ID to $dmon_id: $!";
            # setgid $user[3] or die "Cannot switch group for $dmon_id: $!";
            $< = $user[2];
            $> = $user[2];
            $( = $user[3];
            $) = $user[3];
        } else {
            die "Invalid user ID ($dmon_id)";
        }
        &write_log("Child");
        sleep 10;
    }

    sub write_log {
        open(OUTFILE, ">>$outfile") or die "Cannot open file $outfile : $!";
        print OUTFILE "$_[0] pid $$\n user real $< effective $>\n group real $( effective $)\n";
        close OUTFILE;
    }

Both the setuid/setgid and the assignation-to-special-variables code is shown above, the former commented out.

There's also a sleep in there in order to give one time to check the processes with ps.

With:-

    $< = $user[2];
    $> = $user[2];
    $( = $user[3];
    $) = $user[3];

The processes are:-

    root     15569  8068  0 16:06:31 pts/12   0:00 /usr/bin/perl -w daemon_gid_test.pl
    furrypop 15570 15569  0 16:06:31 ?        0:00 /usr/bin/perl -w daemon_gid_test.pl

The output file contains:-

    Start pid 15569
     user real 0 effective 0
     group real 1 12 9 8 7 6 5 4 3 2 0 1 effective 1 12 9 8 7 6 5 4 3 2 0 1
    Parent pid 15569
     user real 0 effective 0
     group real 1 12 9 8 7 6 5 4 3 2 0 1 effective 1 12 9 8 7 6 5 4 3 2 0 1
    Child pid 15570
     user real 514 effective 514
     group real 1 12 9 8 7 6 5 4 3 2 0 1 effective 1 12 9 8 7 6 5 4 3 2 0 1

With:-

    setuid $user[2] or die "Cannot switch ID to $dmon_id: $!";
    setgid $user[3] or die "Cannot switch group for $dmon_id: $!";

The processes are:-

    root     15588  8068  0 16:08:50 pts/12   0:00 /usr/bin/perl -w daemon_gid_test.pl
    root     15589 15588  0 16:08:50 ?        0:00 /usr/bin/perl -w daemon_gid_test.pl

The output file contains:-

    Start pid 15588
     user real 0 effective 0
     group real 1 12 9 8 7 6 5 4 3 2 0 1 effective 1 12 9 8 7 6 5 4 3 2 0 1
    Parent pid 15588
     user real 0 effective 0
     group real 1 12 9 8 7 6 5 4 3 2 0 1 effective 1 12 9 8 7 6 5 4 3 2 0 1
    Child pid 15589
     user real 514 effective 0
     group real 350 12 9 8 7 6 5 4 3 2 0 1 effective 1 12 9 8 7 6 5 4 3 2 0 1

Thanks for any help.

J.

Replies are listed 'Best First'.
Re: Daemon IDs and groups aka setuid setgid vs $< $> $( $)
by dave_the_m (Monsignor) on May 18, 2005 at 16:53 UTC
    I haven't looked closely at your code, but are you aware that it is usually necessary to change GID before UID? Once you've changed UID, you no longer have appropriate permissions to change GID. I should imagine that similar restrictions apply to effective vs real, but I can't remember off the top of my head.

    Dave.

      Dave,

      Many thanks for the reply.

      No, I wasn't aware about the necessity to change group before ID. That's fixed it.

      I still note, however, that setuid and setgid do not affect the effective ID. This is despite what the documentation says (just over halfway down). I've adjusted the script to only send setgid a single number as opposed to a space-separated list, but there's still no effect to the effective.

      I'm certain it's down to my understanding. I would rather use the POSIX calls than the special variables, so if anyone has any more comments, I'd welcome them.

      J.
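
The group-before-user ordering from Dave's reply, as an added example that is not code from the thread: supplementary groups and GID are changed before the UID, and every ID is read back afterwards so that a partial change such as the "real 514 effective 0" result in the question is caught. The `drop_privileges` helper and the default account `nobody` are assumptions for illustration; the script has to be started as root to do anything.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();

# Permanently drop from root to $name: groups first, user ID last.
# (Hypothetical helper written for this example.)
sub drop_privileges {
    my ($name) = @_;
    my (undef, undef, $uid, $gid) = getpwnam($name)
        or die "Unknown user $name\n";

    # 1. "$gid $gid" sets the effective GID and hands setgroups() a list
    #    holding only $gid, which discards root's supplementary groups.
    $) = "$gid $gid";

    # 2. Real and effective GID, while the process is still root.
    POSIX::setgid($gid) or die "setgid($gid) failed: $!\n";

    # 3. UID last: once it changes, the group calls above would be refused.
    POSIX::setuid($uid) or die "setuid($uid) failed: $!\n";

    # 4. Read the IDs back rather than trusting the calls; this catches
    #    the "real changed, effective did not" state shown in the thread.
    my ($rgid) = split ' ', $(;
    my ($egid, @extra) = split ' ', $);
    die "UID not dropped: real $< effective $>\n"
        unless $< == $uid && $> == $uid;
    die "GID not dropped: real $rgid effective $egid\n"
        unless $rgid == $gid && $egid == $gid;
    die "Supplementary groups remain: @extra\n"
        if grep { $_ != $gid } @extra;

    # 5. The drop must be irreversible: getting root back has to fail.
    die "Root could be regained\n"
        if $uid != 0 && defined(POSIX::setuid(0));
    return ($uid, $gid);
}

my $user = shift // 'nobody';    # assumed account name, pass your own
if ($> == 0) {
    drop_privileges($user);
    print "dropped to $user: uid $< / $>, groups $)\n";
} else {
    print "not running as root (euid $>), nothing to drop\n";
}
```

In a daemon the call belongs in the child immediately after `setsid`, before any file the unprivileged account should own is opened.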