setuuid/setguuid

Joshua Root jmr at macports.org
Tue Dec 23 13:52:44 PST 2014


On 2014-12-24 08:15 , Ian Wadham wrote:
> Hi Clemens,
> 
> On 23/12/2014, at 11:33 PM, Clemens Lang wrote:
>> ----- On 23 Dec, 2014, at 13:02, René J.V. Bertin rjvbertin at gmail.com wrote:
>>> IIRC, OS X no longer allows setuuid/setguuid, or only under some conditions.
>>> Isn't that something that ought to be addressed in the post-destroot?
>>> I'd vote for removing the offending flags if they cannot have their intended
>>> effect anyway.
>>
>> That's the first time I hear of that. Unless you have a source you can quote on
>> that I'm not going to believe you, especially since my SUID (not setuuid, that's
>> not a thing) binaries still work as I expect them to.
> 
> Is this topic anything to do with the following Apple OS X message?
> "The application with bundle ID (null) is running setugid(), which is not allowed."
> Google on "Apple setugid".  That message has been giving people trouble for
> a couple of years at least.  "setugid()" is Apple's shorthand for (regexp) "set[ug]id()".
> 
> I used to get the message from Dr Konqi (KDE's crash analyser), till I bypassed
> the offending code by stopping KCrash from trying to run Dr Konqi via kdeinit4.
> 
> The source for main.cpp of Dr Konqi currently reads:
> 
> -------------------------------------
> int main(int argc, char* argv[])
> {
> #ifndef Q_OS_WIN //krazy:exclude=cpp
> // TODO - Investigate and fix this, or work around it as follows...
> // #if !defined(Q_OS_WIN) && !defined(Q_OS_MAC)
> // When starting Dr Konqi via kdeinit4, Apple OS X aborts us unconditionally for
> // using setgid/setuid, even if the privs were those of the logged-in user.
> // Drop privs.
>     setgid(getgid());
>     if (setuid(getuid()) < 0 && geteuid() != getuid()) {
>         exit(255);
>     }
> #endif
> -------------------------------------
> 
> The notes are to remind me to investigate this problem further if I ever get
> kdeinit4 (or kdeinit5) to work properly on Apple OS X and MacPorts.

Does this code run as root? If not, setgid and setuid will not work. You
might try wrapping the whole thing in a getuid() == 0 check.

Also, the "setgid(getgid());" seems a bit suspect. I can only assume
it's there to reset the egid by side effect? An explicit setegid would
be a lot more clear in that case.

- Josh


More information about the macports-dev mailing list