<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>Hi,</p>
<p><br>
</p>
<p>Let me explain my requirement to begin with.</p>
<p>I have an application that needs CAP_NET_ADMIN to use setsockopt on a netlink socket. For this I thought of starting as root, and then dropping to user 1000 after claiming a subset of essential capabilities.</p>
<p>My Application also needs to be connected to the DBus Session Bus.</p>
<p>The binary is setuid'd as below</p>
<p><br>
</p>
<p></p>
<div>> -rwsr-xr-x 1 root root 2467914 May 18 19:12 my-binary</div>
<div><br>
</div>
<div>So the process starts with root priviledges, acquires the necessary priviledges required and then does a setuid to user 1000.</div>
<div>After that, a DBus connection is attempted and it fails.</div>
<div><br>
</div>
<div>// Function to acquire priviledges and drop everything to user 1000</div>
<div>
<div>void <span style="font-family: Calibri, Arial, Helvetica, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol', 'Android Emoji', EmojiSymbols; font-size: 16px;">
kservicebase</span>::setPermissions()</div>
<div>{</div>
<div><span class="Apple-tab-span" style="font-size: 12pt; white-space: pre;"></span><span style="font-size: 12pt;">cap_t cap_cur_p;</span><br>
</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>cap_t cap_p;</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>cap_flag_value_t cap_ok;</div>
<div><br>
</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>cap_value_t cap_admin = CAP_NET_ADMIN;</div>
<div><br>
</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>cap_cur_p = cap_get_proc();</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>if (!cap_cur_p) {</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>perror("netlinksocket: cap_get_proc");</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>exit(-1);</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>}</div>
<div><br>
</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>cap_p = cap_init();</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>if (!cap_p) {</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>perror("netlinksocket: cap_init");</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>exit(-1);</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>}</div>
<div><br>
</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>LOG1((TEXT("GetUID = %d\n"),geteuid()));</div>
<div><br>
</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>LOGERR((TEXT("Before\n")));</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>cap_ok = CAP_CLEAR;</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>cap_get_flag(cap_cur_p, CAP_NET_ADMIN, CAP_PERMITTED, &cap_ok);</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>LOG1((TEXT("NET_ADMIN = %d\n"),cap_ok));</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>cap_ok = CAP_CLEAR;</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>cap_get_flag(cap_cur_p, CAP_NET_RAW, CAP_PERMITTED, &cap_ok);</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>LOG1((TEXT("NET_RAW = %d\n"),cap_ok));</div>
<div><br>
</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>cap_ok = CAP_CLEAR;</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>cap_get_flag(cap_cur_p, CAP_NET_ADMIN, CAP_PERMITTED, &cap_ok);</div>
<div><br>
</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>if (cap_ok == CAP_CLEAR)</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>cap_set_flag(cap_p, CAP_PERMITTED, 1, &cap_admin, CAP_SET);</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>else</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>LOGERR((TEXT("ERROR1 %d\n"),cap_ok));</div>
<div><br>
</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>if (cap_set_proc(cap_p) < 0) {</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>perror("ping: cap_set_proc");</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>exit(-1);</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>}</div>
<div><br>
</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>LOG1((TEXT("Dropping root\n")));</div>
<div><br>
</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>LOG1((TEXT("Before GetUID = %d\n"),getuid()));</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>LOG1((TEXT("Before GetEUID = %d\n"),geteuid()));</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>LOG1((TEXT("Before GetGID = %d\n"),getgid()));</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>LOG1((TEXT("Before GetEGID = %d\n"),getegid()));</div>
<div><br>
</div>
<div><span class="Apple-tab-span" style="font-size: 12pt; white-space: pre;"></span><span style="font-size: 12pt;">LOG1((TEXT("Dropped root = %d\n"),setuid(getuid())));</span><br>
</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>LOG1((TEXT("Dropped group= %d\n"),setgid(getgid())));</div>
<div><br>
</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>LOG1((TEXT("After GetUID = %d\n"),getuid()));</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>LOG1((TEXT("After GetEUID = %d\n"),geteuid()));</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>LOG1((TEXT("After GetGID = %d\n"),getgid()));</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>LOG1((TEXT("After GetEGID = %d\n"),getegid()));</div>
<div><br>
</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>LOGERR((TEXT("After\n")));</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>cap_ok = CAP_CLEAR;</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>cap_get_flag(cap_cur_p, CAP_NET_ADMIN, CAP_PERMITTED, &cap_ok);</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>LOG1((TEXT("NET_ADMIN = %d\n"),cap_ok));</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>cap_ok = CAP_CLEAR;</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>cap_get_flag(cap_cur_p, CAP_NET_RAW, CAP_PERMITTED, &cap_ok);</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>LOG1((TEXT("NET_RAW = %d\n"),cap_ok));</div>
<div>}</div>
<div><br>
</div>
<div>The dbus calls start after the above function is executed. The session bus ID is returned as 0 which is incorrect.</div>
<br>
</div>
<div>// Log output - Important lines marked with *****</div>
<div><br>
</div>
<div>
<div>22:35:00.639: 1| 612| 612|- |setPermissions@kservicebase.cpp:142|Setting appropriate permissions</div>
<div>22:35:00.639: 1| 612| 612|- |setPermissions@kservicebase.cpp:162|GetUID = 0</div>
<div>22:35:00.639: E| 612| 612|Success|setPermissions@kservicebase.cpp:165|Before</div>
<div>22:35:00.639: 1| 612| 612|- |setPermissions@kservicebase.cpp:168|NET_ADMIN = 1</div>
<div>22:35:00.639: 1| 612| 612|- |setPermissions@kservicebase.cpp:171|NET_RAW = 1</div>
<div>22:35:00.639: E| 612| 612|Success|setPermissions@kservicebase.cpp:179|ERROR1 1</div>
<div>22:35:00.639: 1| 612| 612|- |setPermissions@kservicebase.cpp:194|Dropping root</div>
<div>22:35:00.639: 1| 612| 612|- |setPermissions@kservicebase.cpp:196|Before GetUID = 1000</div>
<div>22:35:00.639: 1| 612| 612|- |setPermissions@kservicebase.cpp:197|Before GetEUID = 0 *****</div>
<div>22:35:00.639: 1| 612| 612|- |setPermissions@kservicebase.cpp:198|Before GetGID = 1000</div>
<div>22:35:00.639: 1| 612| 612|- |setPermissions@kservicebase.cpp:199|Before GetEGID = 1000</div>
<div>22:35:00.639: 1| 612| 612|- |setPermissions@kservicebase.cpp:201|Dropped root = 0</div>
<div>22:35:00.639: 1| 612| 612|- |setPermissions@kservicebase.cpp:202|Dropped group= 0</div>
<div>22:35:00.639: 1| 612| 612|- |setPermissions@kservicebase.cpp:204|After GetUID = 1000</div>
<div>22:35:00.639: 1| 612| 612|- |setPermissions@kservicebase.cpp:205|After GetEUID = 1000<span style="font-family: Calibri, Arial, Helvetica, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol', 'Android Emoji', EmojiSymbols; font-size: 16px;"> *****</span></div>
<div>22:35:00.639: 1| 612| 612|- |setPermissions@kservicebase.cpp:206|After GetGID = 1000</div>
<div>22:35:00.639: 1| 612| 612|- |setPermissions@kservicebase.cpp:207|After GetEGID = 1000</div>
<div>22:35:00.639: E| 612| 612|Success|setPermissions@kservicebase.cpp:209|After</div>
<div>22:35:00.639: 1| 612| 612|- |setPermissions@kservicebase.cpp:212|NET_ADMIN = 1</div>
<div>22:35:00.639: 1| 612| 612|- |setPermissions@kservicebase.cpp:215|NET_RAW = 1</div>
<div>unix:abstract=/tmp/dbus-QB8cEiSybh // This is just a <span>system("echo $DBUS_SESSION_BUS_ADDRESS");</span> call to indicate that the bus address is available in the program environment variables. *****</div>
<div>22:35:01.641: 3| 612| 612|- |GetIPCInstance2@ipcfactory.cpp:40|Enter GetIPCInstance</div>
<div>22:35:01.641: 3| 612| 612|- |Connect@dbusipc.cpp:140|Enter</div>
<div>22:35:01.641: M| 612| 612|DBus |Connection ID for Session 0 Bus *****</div>
<div>22:35:01.641:DBus| 612| 612|Success|Connect@dbusipc.cpp:170|Unable to connect to the Session bus for error org.freedesktop.DBus.Error.NotSupported</div>
<div>22:35:01.641:ccf-tests| 612| 612|Success|main@main.cpp:81|Session bus Connection initialization failed</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
I'm unable to figure why I'm unable to connect to the session bus despite dropping to user 1000. Tried with both setuid and seteuid. Makes no difference. Can somebody help?
<div><br>
</div>
<div>P.S - Apologies for shamelessly dumping code and logs here. What are the norms of sharing code in these mailing lists? Any formatting options? Or should I use pastebins?<br>
<p></p>
<p><br>
</p>
<div id="Signature">
<div id="divtagdefaultwrapper" style="font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255)">
<p class="x_MsoNormal" style="color:rgb(0,0,0); margin:0in 0in 0.0001pt; font-size:15.5555562973022px; font-family:'Times New Roman',serif; background-color:rgb(255,255,255)">
<span style="font-size:10pt; font-family:'Segoe UI',sans-serif; color:rgb(0,0,0); text-decoration:none"><span style="color:rgb(0,0,0); text-decoration:none">Thanks and Regards,</span></span><span style="font-size:11pt; font-family:Calibri,sans-serif; color:rgb(0,0,0); text-decoration:none"></span></p>
<font face="Segoe UI, sans-serif" style="color:rgb(0,0,0); text-decoration:none"><span style="font-size:14.44444465637207px; color:rgb(0,0,0); text-decoration:none"><b style="color:rgb(0,0,0); text-decoration:none"><span style="color:rgb(0,0,0); text-decoration:none">Manish
Narang</span></b></span></font><br style="color:rgb(0,0,0); text-decoration:none">
<p class="x_MsoNormal" style="color:rgb(0,0,0); margin:0in 0in 0.0001pt; font-size:15.5555562973022px; font-family:'Times New Roman',serif; background-color:rgb(255,255,255)">
<span style="font-size:10pt; font-family:'Segoe UI',sans-serif; color:rgb(0,0,0); text-decoration:none"><span style="color:rgb(0,0,0); text-decoration:none">Technical Lead – Infotainment</span></span><span style="font-size:11pt; font-family:Calibri,sans-serif; color:rgb(0,0,0); text-decoration:none"></span></p>
<p class="x_MsoNormal" style="color:rgb(0,0,0); margin:0in 0in 0.0001pt; font-size:15.5555562973022px; font-family:'Times New Roman',serif; background-color:rgb(255,255,255)">
<span style="font-size:10pt; font-family:'Segoe UI',sans-serif; color:rgb(0,0,0); text-decoration:none"><span style="color:rgb(0,0,0); text-decoration:none">Mobile : +918983509995</span></span><strong style="color:rgb(0,0,0); text-decoration:none"><span style="font-size:10pt; font-family:'Segoe UI',sans-serif; color:rgb(0,0,0); text-decoration:none"> </span></strong><span style="font-size:10pt; font-family:'Segoe UI',sans-serif; color:rgb(0,0,0); text-decoration:none"><span style="color:rgb(0,0,0); text-decoration:none">| </span></span><span style="font-size:10pt; font-family:'Segoe UI',sans-serif; color:rgb(0,0,0); text-decoration:none"><span style="color:rgb(0,0,0); text-decoration:none"></span><a href="mailto:manish.narang@kpit.com" tabindex="-1" disabled="true" id="LPNoLP"><span style="color:rgb(0,0,0); text-decoration:none"><span style="color:rgb(0,0,0); text-decoration:none">manish.narang@k</span><span style="color:rgb(0,0,0); text-decoration:none"></span><span style="color:rgb(0,0,0); text-decoration:none">pit.com</span></span></a></span><span style="font-size:11pt; font-family:Calibri,sans-serif; color:rgb(31,73,125); font-size:11pt"></span></p>
<p class="x_MsoNormal" style="margin:0in 0in 0.0001pt; font-size:15.5555562973022px; font-family:'Times New Roman',serif; background-color:rgb(255,255,255)">
<strong style="color:rgb(0,0,0); text-decoration:none"><span lang="EN-IN" style="font-size:11pt; font-family:'Segoe UI',sans-serif; color:rgb(0,0,0); text-decoration:none"><span style="color:rgb(0,0,0); text-decoration:none">————————————————————————————————</span></span></strong><span lang="EN-IN" style="color:rgb(127,127,127); font-size:10pt; font-family:'Segoe UI',sans-serif"><br>
</span><strong style="color:rgb(33,33,33)"><span lang="EN-IN" style="font-size:11pt; font-family:'Segoe UI',sans-serif; color:rgb(89,89,255)">KPIT</span></strong><span lang="EN-IN" style="color:rgb(127,127,127); font-size:11pt; font-family:'Segoe UI',sans-serif">|</span><strong style="color:rgb(33,33,33)"><span lang="EN-IN" style="font-size:9pt; font-family:'Segoe UI',sans-serif; color:rgb(89,89,89)">Web:</span></strong><span lang="EN-IN" style="color:rgb(89,89,89); font-size:9pt; font-family:'Segoe UI',sans-serif"> </span><span lang="EN-IN" style="font-size:9pt; font-family:'Segoe UI',sans-serif"><font color="#5959ff"> <a href="http://www.kpit.com" id="LPNoLP" title="http://www.kpit.com
Ctrl+Click or tap to follow the link">www.kpit.com</a></font></span><span lang="EN-IN" style="color:rgb(89,89,89); font-size:9pt; font-family:'Segoe UI',sans-serif">
| <strong>Social:</strong> </span><span lang="EN-IN" style="color:rgb(31,73,125); font-size:11pt; font-family:Calibri,sans-serif"><a href="http://www.kpit.com/facebook" target="_blank" tabindex="-1" disabled="true" id="LPNoLP"><span style="font-size:9pt; font-family:'Segoe UI',sans-serif; color:rgb(89,89,89)">Facebook</span></a></span><span lang="EN-IN" style="color:rgb(89,89,89); font-size:9pt; font-family:'Segoe UI',sans-serif"> | </span><span lang="EN-IN" style="color:rgb(31,73,125); font-size:11pt; font-family:Calibri,sans-serif"><a href="http://www.kpit.com/twitter" target="_blank" tabindex="-1" disabled="true" id="LPNoLP"><span style="font-size:9pt; font-family:'Segoe UI',sans-serif; color:rgb(89,89,89)">Twitter</span></a></span><span lang="EN-IN" style="color:rgb(89,89,89); font-size:9pt; font-family:'Segoe UI',sans-serif"> | </span><span lang="EN-IN" style="color:rgb(31,73,125); font-size:11pt; font-family:Calibri,sans-serif"><a href="http://www.kpit.com/linkedin" target="_blank" title="http://www.kpit.com/linkedin Ctrl+Click or tap to follow the link" tabindex="-1" disabled="true" id="LPNoLP"><span style="font-size:9pt; font-family:'Segoe UI',sans-serif; color:rgb(89,89,89)">Linkedin</span></a></span><span lang="EN-IN" style="color:rgb(89,89,89); font-size:9pt; font-family:'Segoe UI',sans-serif"> | </span><span lang="EN-IN" style="color:rgb(31,73,125); font-size:11pt; font-family:Calibri,sans-serif"><span style="font-size:9pt; font-family:'Segoe UI',sans-serif; color:rgb(89,89,89)"><a href="http://www.kpit.com/youtube" target="_blank" tabindex="-1" disabled="true" id="LPNoLP">Youtube</a></span></span></p>
</div>
</div>
</div>
</div>
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print,
retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus
infected mails.
</body>
</html>