From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.7.3) Gecko/20041002 Firefox/0.10.1

Description of problem:
A call to setuid(), setreuid(), setgid(), or setregid() for a multi-threaded process using NPTL changes only the id of the calling thread. This violates POSIX thread semantics. The following trivial program illustrates the problem:

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

void *thread_start( void *x )
{
    fprintf( stdout, "in thread_start\n" );
    sleep( 2 );                     /* give main() time to call setreuid() */
    fprintf( stdout, "thread_start(): getuid=%d\n", getuid() );
    pause();
    return NULL;
}

int main( int argc, char **argv )
{
    int x;
    pthread_t tid;

    x = pthread_create( &tid, NULL, &thread_start, NULL );
    fprintf( stdout, "x=%d, tid = %lu\n", x, (unsigned long) tid );
    fprintf( stdout, "before setreuid(): getuid=%d\n", getuid() );
    if ( setreuid( 500, 500 ) != 0 )
        perror( "setreuid" );
    fprintf( stdout, "after setreuid(): getuid=%d\n", getuid() );
    pause();
    return 0;
}
```

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Compile the above program; e.g., "cc -o x x.c -pthread"
2. Run as root

Actual Results:
x=0, tid = 1082128736
before setreuid(): getuid=0
after setreuid(): getuid=500
in thread_start
thread_start(): getuid=0

Expected Results:
x=0, tid = 1082128736
before setreuid(): getuid=0
after setreuid(): getuid=500
in thread_start
thread_start(): getuid=500

Additional info:
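As an added example (not the reporter's program): a startup self-check a privilege-dropping daemon can run to confirm that setreuid() called in one thread took effect in every thread, using a barrier instead of sleep() so the workers read their uid only after the change. It assumes only POSIX threads and glibc; run as root it drops to uid 500 as in the report, unprivileged it re-sets its own uid, which still exercises the check.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
struct worker {
    pthread_barrier_t *go;  /* released once the main thread has called setreuid() */
    uid_t seen;             /* uid observed from inside this thread afterwards */
};

static void *worker_main(void *arg)
{
    struct worker *w = arg;
    pthread_barrier_wait(w->go);  /* block until the uid change has been made */
    w->seen = getuid();
    return NULL;
}
/* Switch the main thread to `target` with setreuid() while nthreads workers wait,
 * then check what each worker sees. Returns 1 if the change is process-wide (POSIX),
 * 0 if any thread keeps its old uid (the bug reported above), -1 on setup/setreuid error. */
int uid_change_is_process_wide(uid_t target, int nthreads)
{
    if (nthreads < 1) return -1;
    pthread_t tid[nthreads];
    struct worker w[nthreads];
    pthread_barrier_t go;
    int i, rc, ok = 1;
    if (pthread_barrier_init(&go, NULL, nthreads + 1) != 0) return -1;
    for (i = 0; i < nthreads; i++) {
        w[i].go = &go;
        w[i].seen = (uid_t)-1;
        if (pthread_create(&tid[i], NULL, worker_main, &w[i]) != 0) abort();
    }
    rc = setreuid(target, target);
    pthread_barrier_wait(&go);  /* release the workers even if setreuid() failed */
    for (i = 0; i < nthreads; i++) {
        pthread_join(tid[i], NULL);
        if (w[i].seen != target) ok = 0;
    }
    pthread_barrier_destroy(&go);
    return rc != 0 ? -1 : ok;
}

int main(void)
{
    uid_t target = getuid() == 0 ? 500 : getuid();  /* 500 as in the report; non-root keeps its own uid */
    int r = uid_change_is_process_wide(target, 4);
    printf("setreuid(%u): %s\n", (unsigned)target, r == 1 ? "process-wide" : r == 0 ? "per-thread only (bug present)" : "error");
    return r == 1 ? 0 : 1;
}
```

On a kernel with the behaviour described in the report the program prints "per-thread only (bug present)" and exits non-zero; a daemon can refuse to continue serving in that state.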
This problem is a known property of the upstream kernel and cannot be fixed in any simple way without first getting broad upstream acceptance. Doing per-process suid is a complex and invasive change that has been rejected upstream.