Super User Can't Change UID?

James_Edward_Gray_II · 27 January 2009 23:11

Why would the super user not be able to switch UID's?

   $ sudo ruby -r etc -e 'Process.uid = Etc.getpwnam("james").uid'
   Password:
   -e:1:in `uid=': Operation not permitted (Errno::EPERM)
     from -e:1

Tips of TFM I should go R are welcome.

James Edward Gray II

Michel_Boaventura · 27 January 2009 23:21

This works on my gentoo without any problem. Try to became root and
try to run to see if it's another problem.

···

2009/1/27 James Gray <james@grayproductions.net>:

Why would the super user not be able to switch UID's?

$ sudo ruby -r etc -e 'Process.uid = Etc.getpwnam("james").uid'
Password:
-e:1:in `uid=': Operation not permitted (Errno::EPERM)
from -e:1

Tips of TFM I should go R are welcome.

James Edward Gray II

James_Edward_Gray_II · 28 January 2009 00:41

Another data point on this odd issue: Apple's bundled Ruby (I'm on OS X) works:

   $ sudo /usr/bin/ruby -r etc -e 'Process.uid = Etc.getpwnam("james").uid'
   Password:
   $

It's just the Ruby I built that fails. How could I have messed this up in the build?

James Edward Gray II

···

On Jan 27, 2009, at 5:11 PM, James Gray wrote:

Why would the super user not be able to switch UID's?

$ sudo ruby -r etc -e 'Process.uid = Etc.getpwnam("james").uid'
Password:
-e:1:in `uid=': Operation not permitted (Errno::EPERM)
from -e:1

Daniel_Berger2 · 28 January 2009 05:18

James Gray wrote:

Why would the super user not be able to switch UID's?

  $ sudo ruby -r etc -e 'Process.uid = Etc.getpwnam("james").uid'
  Password:
  -e:1:in `uid=': Operation not permitted (Errno::EPERM)
      from -e:1

Tips of TFM I should go R are welcome.

I seem to recall that setreuid() is busted on OS X, 10.4.x anyway. I think it's fixed in 10.5, but I can't confirm.

I know this has come up before. Check the the ruby-core archives.

Regards,

Dan

James_Edward_Gray_II · 27 January 2009 23:26

It doesn't seem to work for me that way either:

$ sudo sh
Password:
sh-3.2# ruby -r etc -e 'Process.uid = Etc.getpwnam("james").uid'
-e:1:in `uid=': Operation not permitted (Errno::EPERM)
from -e:1

James Edward Gray II

···

On Jan 27, 2009, at 5:21 PM, Michel Boaventura wrote:

This works on my gentoo without any problem. Try to became root and
try to run to see if it's another problem.

Daniel_Berger2 · 28 January 2009 14:01

James Gray wrote:

Why would the super user not be able to switch UID's?

$ sudo ruby -r etc -e 'Process.uid = Etc.getpwnam("james").uid'
Password:
-e:1:in `uid=': Operation not permitted (Errno::EPERM)
     from -e:1

Another data point on this odd issue: Apple's bundled Ruby (I'm on OS X) works:

  $ sudo /usr/bin/ruby -r etc -e 'Process.uid = Etc.getpwnam("james").uid'
  Password:
  $

It's just the Ruby I built that fails. How could I have messed this up in the build?

Are you on 10.4.x?

If I had to guess, I'd bet Apple replaced setreuid() with seteuid(), but that's a guess.

I've never really understood the way OS X manages users. My own account is not in /etc/passwd, but shows up in NetInfo.

Regards,

Dan

···

On Jan 27, 2009, at 5:11 PM, James Gray wrote:

James_Edward_Gray_II · 28 January 2009 16:24

James Gray wrote:

Why would the super user not be able to switch UID's?
$ sudo ruby -r etc -e 'Process.uid = Etc.getpwnam("james").uid'
Password:
-e:1:in `uid=': Operation not permitted (Errno::EPERM)
from -e:1
Tips of TFM I should go R are welcome.

I seem to recall that setreuid() is busted on OS X, 10.4.x anyway. I think it's fixed in 10.5, but I can't confirm.

I'm on Mac OS X 10.5.6.

I know this has come up before. Check the the ruby-core archives.

I did a few searches, but didn't find a match. I did find old posts about how Process.uid= can't handle negative UID's which is another issue I'm fighting, but nothing about this issue.

If I had to guess, I'd bet Apple replaced setreuid() with seteuid(), but that's a guess.

If that were the case, would it maybe be possible to switch users using Apple's alternate API?

Unfortunately, this issue is a big snag that's preventing us from shipping an application, so I've got to find some workaround. I've considered trying to exec() my program adding su/sudo to switch the user as a possible option. Would that work? I need to switch both the user and group.

James Edward Gray II

···

On Jan 27, 2009, at 11:18 PM, Daniel Berger wrote:
On Jan 28, 2009, at 8:01 AM, Daniel Berger wrote:

Rob_Biedenharn1 · 28 January 2009 00:45

It works for me on Ubuntu and Mac OS X also.

-Rob

Rob Biedenharn http://agileconsultingllc.com
Rob@AgileConsultingLLC.com

···

On Jan 27, 2009, at 6:26 PM, James Gray wrote:

On Jan 27, 2009, at 5:21 PM, Michel Boaventura wrote:

This works on my gentoo without any problem. Try to became root and
try to run to see if it's another problem.

It doesn't seem to work for me that way either:

$ sudo sh
Password:
sh-3.2# ruby -r etc -e 'Process.uid = Etc.getpwnam("james").uid'
-e:1:in `uid=': Operation not permitted (Errno::EPERM)
from -e:1

James Edward Gray II

Ezra_Zygmuntowicz · 28 January 2009 17:14

Does something like this not work for you?

def _change_privilege(user, group=user)
uid, gid = Process.euid, Process.egid

   begin
     target_uid = Etc.getpwnam(user).uid
   rescue ArgumentError => e
     return false
   end

   begin
     target_gid = Etc.getgrnam(group).gid
   rescue ArgumentError => e
     return false
   end

   if (uid != target_uid) || (gid != target_gid)
     # Change process ownership
     Process.initgroups(user, target_gid)
     Process::GID.change_privilege(target_gid)
     Process::UID.change_privilege(target_uid)
   end
   true
rescue Errno::EPERM => e
   false
end

Cheers-

Ezra Zygmuntowicz
ez@engineyard.com

···

On Jan 28, 2009, at 8:24 AM, James Gray wrote:

On Jan 27, 2009, at 11:18 PM, Daniel Berger wrote:

James Gray wrote:

Why would the super user not be able to switch UID's?
$ sudo ruby -r etc -e 'Process.uid = Etc.getpwnam("james").uid'
Password:
-e:1:in `uid=': Operation not permitted (Errno::EPERM)
from -e:1
Tips of TFM I should go R are welcome.

I seem to recall that setreuid() is busted on OS X, 10.4.x anyway. I think it's fixed in 10.5, but I can't confirm.

I'm on Mac OS X 10.5.6.

I know this has come up before. Check the the ruby-core archives.

I did a few searches, but didn't find a match. I did find old posts about how Process.uid= can't handle negative UID's which is another issue I'm fighting, but nothing about this issue.

On Jan 28, 2009, at 8:01 AM, Daniel Berger wrote:

If I had to guess, I'd bet Apple replaced setreuid() with seteuid(), but that's a guess.

If that were the case, would it maybe be possible to switch users using Apple's alternate API?

Unfortunately, this issue is a big snag that's preventing us from shipping an application, so I've got to find some workaround. I've considered trying to exec() my program adding su/sudo to switch the user as a possible option. Would that work? I need to switch both the user and group.

James Edward Gray II

James_Edward_Gray_II · 28 January 2009 02:34

Were you using Apple's bundled Ruby or something you compiled?

James Edward Gray II

···

On Jan 27, 2009, at 6:45 PM, Rob Biedenharn wrote:

It works for me on Ubuntu and Mac OS X also.

James_Edward_Gray_II · 28 January 2009 19:06

This worked. Thanks so much Ezra.

James Edward Gray II

···

On Jan 28, 2009, at 11:14 AM, Ezra Zygmuntowicz wrote:

On Jan 28, 2009, at 8:24 AM, James Gray wrote:

On Jan 27, 2009, at 11:18 PM, Daniel Berger wrote:

James Gray wrote:

Why would the super user not be able to switch UID's?
$ sudo ruby -r etc -e 'Process.uid = Etc.getpwnam("james").uid'
Password:
-e:1:in `uid=': Operation not permitted (Errno::EPERM)
   from -e:1
Tips of TFM I should go R are welcome.

I seem to recall that setreuid() is busted on OS X, 10.4.x anyway. I think it's fixed in 10.5, but I can't confirm.

I'm on Mac OS X 10.5.6.

I know this has come up before. Check the the ruby-core archives.

I did a few searches, but didn't find a match. I did find old posts about how Process.uid= can't handle negative UID's which is another issue I'm fighting, but nothing about this issue.

On Jan 28, 2009, at 8:01 AM, Daniel Berger wrote:

If I had to guess, I'd bet Apple replaced setreuid() with seteuid(), but that's a guess.

If that were the case, would it maybe be possible to switch users using Apple's alternate API?

Unfortunately, this issue is a big snag that's preventing us from shipping an application, so I've got to find some workaround. I've considered trying to exec() my program adding su/sudo to switch the user as a possible option. Would that work? I need to switch both the user and group.

James Edward Gray II

  Does something like this not work for you?

def _change_privilege(user, group=user)
uid, gid = Process.euid, Process.egid

begin
   target_uid = Etc.getpwnam(user).uid
rescue ArgumentError => e
   return false
end

begin
   target_gid = Etc.getgrnam(group).gid
rescue ArgumentError => e
   return false
end

if (uid != target_uid) || (gid != target_gid)
   # Change process ownership
   Process.initgroups(user, target_gid)
   Process::GID.change_privilege(target_gid)
   Process::UID.change_privilege(target_uid)
end
true
rescue Errno::EPERM => e
false
end

Rob_Biedenharn1 · 28 January 2009 03:00

Apple's /usr/bin/ruby. (I'd answered before I saw your clarification.) I also just ran it fine with macruby.

$ sudo macruby -r etc -e 'puts Process.pid,Process.uid; sleep 2;puts "now"; Process.uid = Etc.getpwnam("rab").uid; puts Process.uid; sleep 2'
Password:
26951
0
now
501

I don't suppose that really helps you much.

-Rob

Rob Biedenharn http://agileconsultingllc.com
Rob@AgileConsultingLLC.com

···

On Jan 27, 2009, at 9:34 PM, James Gray wrote:

On Jan 27, 2009, at 6:45 PM, Rob Biedenharn wrote:

It works for me on Ubuntu and Mac OS X also.

Were you using Apple's bundled Ruby or something you compiled?

James Edward Gray II

James_Edward_Gray_II · 28 January 2009 03:06

It also seems to work in my locally compiled 1.9:

   $ sudo ruby_dev -r etc -ve 'Process.uid = Etc.getpwnam("james").uid'
   Password:
   ruby 1.9.1 (2008-12-30 patchlevel-0 revision 21203) [i386-darwin9.6.0]

James Edward Gray II

···

On Jan 27, 2009, at 9:00 PM, Rob Biedenharn wrote:

On Jan 27, 2009, at 9:34 PM, James Gray wrote:

On Jan 27, 2009, at 6:45 PM, Rob Biedenharn wrote:

It works for me on Ubuntu and Mac OS X also.

Were you using Apple's bundled Ruby or something you compiled?

James Edward Gray II

Apple's /usr/bin/ruby. (I'd answered before I saw your clarification.) I also just ran it fine with macruby.

Ezra_Zygmuntowicz · 28 January 2009 04:16

It fails for me on my self compiled ruby 1.8.6 on osx but the built in ruby and my gentoo ruby works fine. No clue why.

-Ezra

···

On Jan 27, 2009, at 7:06 PM, James Gray wrote:

On Jan 27, 2009, at 9:00 PM, Rob Biedenharn wrote:

On Jan 27, 2009, at 9:34 PM, James Gray wrote:

On Jan 27, 2009, at 6:45 PM, Rob Biedenharn wrote:

It works for me on Ubuntu and Mac OS X also.

Were you using Apple's bundled Ruby or something you compiled?

James Edward Gray II

Apple's /usr/bin/ruby. (I'd answered before I saw your clarification.) I also just ran it fine with macruby.

It also seems to work in my locally compiled 1.9:

$ sudo ruby_dev -r etc -ve 'Process.uid = Etc.getpwnam("james").uid'
Password:
ruby 1.9.1 (2008-12-30 patchlevel-0 revision 21203) [i386-darwin9.6.0]

James Edward Gray II

Topic		Replies	Views
Changing uid ruby-talk	3	78	18 October 2006
Large uid's with Etc.getpwnam ruby-talk	3	122	26 June 2006
Impersonating ruby ruby-talk	4	70	6 February 2004
Changing Process#uid while staying with $SAFE=0 ruby-talk	2	107	21 July 2005
How to make a ruby program tu run unser other user:group different than root ruby-talk	11	121	14 December 2009

Super User Can't Change UID?

Related topics