From Bugzilla Helper: User-Agent: Mozilla/4.72 [en] (X11; U; Linux 2.2.14-5.0 i686) Description of problem: Files that are normally accessable via the "other" permission bits are no longer accessable to applications that switch from superuser to a specific user id via the setuid, seteuid, and setreuid function calls. How reproducible: Always Steps to Reproduce: 1. Write a c program that looks like this: (modify the uid/gid ids to that of a valid non-privileged user) #include <stdio.h> #include <stdlib.h> #include <string.h> #include <errno.h> #include <fcntl.h> #include <unistd.h> int main(int argc, char **argv) { int fd = 0; setgid(501); setuid(100); if (argc < 2) return EXIT_FAILURE; if ((fd = open(argv[1], O_RDWR)) == -1) printf("Error: %d: %s\n", errno, strerror(errno)); else close(fd); sleep(10); // to verify with ps that the process id has switched. return EXIT_SUCCESS; } 2. touch a file (as root) (# touch afile) 3. chmod 006 afile 4. run the program as root (# openTest afile) 5. verify process is owned by the user id specified with ps -ef 6. program outputs an error message indicating permission has been denied. Actual Results: File cannot be opened by the program, EACCES error is in errno. Expected Results: File should be opened via the "other" permissions. Program works fine if you comment out the setuid/setgid functions and run program as root or the non-privileged user. Additional info: No apparent work around.
This has nothing to do with glibc, the relevant function calls are stright system calls. So I'll let kernel folks to explain this.
Which kernel is this exactly ?
"Other" permission bits are irrelevant if GID of file is one of your supplementary groups. setgid(2) doesn't alter them.
man setgroups gives info on how to manipulate this.
I've made the following modifications to my test program: insert these two lines before the setgid() call, (which probably isn't necessary anymore.): const gid_t groupList[] = {501}; setgroups((sizeof(groupList) / sizeof(gid_t)), &groupList); And now the program can access the file via the other bits, as a result of losing group 0. BTW, it is kernel 2.2.14. Thanks.
Opps there was a bug in my code: add this line: #include <grp.h> and change the segroups() line to this: setgroups((sizeof(groupList)/sizeof(gid_t)), groupList);