1

I was wondering if it was possible for a process in Linux (assuming it had root access) to change another process's UID including the RUID, SUID, and EUID, and if so, if there was a specific implementation I could do (whether that be in C++ or in a bash script, e.t.c). I'm mainly trying to stop certain recurrent processes from executing with root privileges immediately upon spawn, which they seem to upon spawning.

Thanks! My apologies if the question is unclear. If it is, I can clarify any details.

Justin Tjoa
  • 47
  • 1
  • 6

1 Answers1

3

No, it is not possible for one process to change another process's UID. That would be a huge security problem if so. If you're in process A, you don't know what state process B is in, and you don't know if elevating privileges is safe at that point. Similarly, you could cause a privileged process to hog shared resources and deadlock other processes if you forced it to drop privileges unexpectedly, since it might fail in the middle of a critical section.

Even if you could somehow work around this, you'll still run into a race condition that your spawned process could execute any amount of code (how much, you don't know) as root before you can force it to drop privileges.

You should figure out what's spawning your processes and adjust it to either not spawn them as root or prevent it from spawning them at all.

bk2204
  • 64,793
  • 6
  • 84
  • 100
  • Thanks so much bk2204, this was a very good answer. I had a question though, I just wanted to clarify the part on deadlocking other privileges as I don't understand how dropping privileges unexpectedly causes that. Do you think you could elaborate a bit on this? Thanks! – Justin Tjoa Jul 22 '20 at 06:18
  • Also, my apologies if this is a lot to ask, but do you have any idea of how once I know what process is spawning this process, on what to do to that process to make it stop spawning as root? Thanks! – Justin Tjoa Jul 22 '20 at 16:39
  • 1
    The deadlock could occur if it took a shared lock or resource, then tried and failed to do something that a privileged process could normally do, and then failed to release that resource or retried excessively. How you'd stop it from spawning it as root depends on what's spawning it. For example, systemd has user settings you can use in the unit file. – bk2204 Jul 22 '20 at 22:11