The setgroups(2) system call does not update the credentials for all threads in a process. Instead, it only updates the credentials for the currently executing thread. Any threads that were created before setgroups() was called are not affected. This is not the expected behavior according to the manpage, which states: "setgroups() sets the supplementary group IDs for the calling process." See below for a small test case that demonstrates the problem. This program runs successfully on FreeBSD 8 and Solaris 10, but fails on Linux 2.6.32. /* * Copyright (c) 2010 Mark Heily <mark@heily.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ /* Test if setgroups() has process or thread scope. Example usage: gcc -Wall check_setgroups.c -lpthread && sudo ./a.out */ #include <err.h> #include <errno.h> #include <grp.h> #include <pthread.h> #include <sys/types.h> #include <stdlib.h> #include <stdio.h> #include <string.h> #include <unistd.h> pthread_mutex_t mtx = PTHREAD_MUTEX_INITIALIZER; void print_cred(void); void drop_privs(void); void drop_privs(void) { gid_t gid = 1; if (setgid(1) != 0) err(1, "setgid"); if (setgroups(1, &gid) != 0) err(1, "setgroups"); if (setuid(1) != 0) err(1, "setuid"); printf("dropped privileges: "); print_cred(); } void cmp_privs(uid_t uid, gid_t gid, gid_t groups) { gid_t buf; if (getgid() != gid) errx(1, "wrong gid"); if (getuid() != uid) errx(1, "wrong uid"); if (getgroups(1, &buf) != 1) err(1, "getgroups"); if (buf != groups) errx(1, "ERROR: getgroups() returned %d but expected %d\n", buf, groups); } void print_cred(void) { gid_t groups[100]; int i, ngroups; ngroups = getgroups(100, groups); if (ngroups < 0) err(1, "getgroups"); printf("uid=%d gid=%d groups=", getuid(), getgid()); for (i = 0; i <ngroups; i++) { printf("%d ", groups[i]); } printf("\n"); } void * thread_main(void *unused) { pthread_mutex_lock(&mtx); cmp_privs(1,1,1); return (NULL); } int main() { pthread_t tid; pthread_attr_t attr; if (getuid() != 0) errx(1, "ERROR: this must be run as root"); pthread_mutex_lock(&mtx); pthread_attr_init(&attr); pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE); pthread_create(&tid, &attr, thread_main, NULL); drop_privs(); cmp_privs(1,1,1); pthread_mutex_unlock(&mtx); pthread_join(tid, NULL); puts("+OK"); exit(0); }
The setuid() and setgid() system calls also don't propagate changes across threads. Running the above program with "strace -f" shows that glibc/libpthread is doing that, however. If seems to involve SIGRT_1 being passed to the other threads. I wonder if this should be handled in the glibc/libpthread projects. The problem with changing this behaviour is that it might break other things. Do you know if anything relies on being able to change groups membership on a per-thread basis? A userspace NFS daemon perhaps?
I don't know of anything that relies on non-portable behavior wrt setgroups(). This bug was already reported to glibc here: http://sources.redhat.com/bugzilla/show_bug.cgi?id=10563 I created a patch and attached it to the glibc bug report.