Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Setresuid / Setresgid Strange behaveour or not working as expected. #41668

Closed
ilesik opened this issue Sep 28, 2020 · 2 comments
Closed

Setresuid / Setresgid Strange behaveour or not working as expected. #41668

ilesik opened this issue Sep 28, 2020 · 2 comments
Labels
FrozenDueToAge

Comments

@ilesik
Copy link

ilesik commented Sep 28, 2020

What version of Go are you using (go version)?

$ go version
go version go1.13.3 linux/amd64

Does this issue reproduce with the latest release?

not checked

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/ilesik/.cache/go-build"
GOENV="/home/ilesik/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/ilesik/enswitch/"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home/ilesik/src/enswitch/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build292877042=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Gere is code example:

makeconnection := true
if makeconnection {
	db, err := sql.Open("mysql", "user:pwd@tcp(127.0.0.1:3306)/db?charset=utf8")
	if err == nil {
	        fmt.Println("connect ok")
	} else {
	        fmt.Println("connect err")
	}
	rows, _ := db.Query("select UTC_TIMESTAMP() as c")

	for rows.Next() {
	        var (
	                name string
	        )
	        if err := rows.Scan(&name); err != nil {
	                fmt.Println(err)
	        }
	        fmt.Println("result %s\n", name)
	}

	db.Close()
	db.SetMaxIdleConns(0)
	db.SetMaxOpenConns(0)
	db = nil
}

syscall.Setsid()
    os.Chdir("/")
    syscall.Umask(0002)
    
    gid := 992
    err = syscall.Setresgid(gid, gid, gid)
    log.Info("Setresgid " + strconv.Itoa(gid) + ", real : " + strconv.Itoa(syscall.Getgid()))

uid := 994
err = syscall.Setresuid(uid, uid, uid)
    log.Info("Setresuid " + strconv.Itoa(uid) + ", real : " + strconv.Itoa(syscall.Geteuid()))

//run "ps aux" and cat /proc/<pid>/status here and check user real effective user id

time.Sleep(100 * time.Minute)

What did you expect to see?

If I run this program as root with "makeconnection := false" I will always see it successfully dropped privileges to user (994) and group (992).

ps aux | grep test
enswitch 3316 0.1 0.1 415884 6100 pts/12 Sl+ 22:44 0:00 ./bin/test

and

cat /proc//status
Uid: 994 994 994 994
Gid: 992 992 992 992

But if I run it with makeconnection := true
I will see privileges drop for 50% of runs...

sometimes it still root and
cat /proc//status
Uid: 0 0 0 0
Gid: 0 0 0 0

and sometimes its working fine!!
It does not matter if db connection was successful or not.
More of that : it ALWAYS outputs like it sets rights ok:

Setresgid 992, real : 992
Setresuid 994, real : 994

What did you see instead?
@davecheney
Copy link
Contributor

The reason for this is a limitation of the linux kernel. See #1435

@ianlancetaylor
Copy link
Contributor

Closing as dup of #1435.

@golang golang locked and limited conversation to collaborators Sep 28, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@davecheney @ianlancetaylor @gopherbot @ilesik