cups/globals: use getauxval(AT_SECURE) for SUID check

[MaxKellermann]

Comparing effective and real uid/gid is not a proper way to check for SUID execution:

1. this does not consider file capabilities

2. this check breaks when NO_NEW_PRIVS is used as the Linux kernel resets effective ids during execve(); this means the check is false, but the process still has raised capabilities

For more details about the NO_NEW_PRIVS problem, check this post and the surrounding thread:

https://lore.kernel.org/lkml/20250509184105.840928-1-max.kellermann@ionos.com/

[michaelrsweet]

Will do a deeper review next week.

WRT comparing effective and real IDs not being "proper", it would be more correct to say that Linux has added functionality that breaks POSIX compliance and requires OS-specific code to fix.

[MaxKellermann]

that Linux has added functionality that breaks POSIX compliance and requires OS-specific code to fix.

I agree with that. My argument in that thread was that Linux needs to fix this ABI breakage, but the Linux kernel developers do not seem to share my opinionn here. It's an ongoing discussion.

But in any case, whatever they decide, AT_SECURE is the better Linux-specific choice.

[MaxKellermann]

It looks like the discussion has concluded with this (off-list) post from Kees Cook I replied to: https://lore.kernel.org/lkml/CAKPOu+_eL3j9+yaDRMnoCfoyapNSp04rgGaRzpKn9ycbkif_9g@mail.gmail.com/

He wrote:

"classic elevated privilege check" in userspace is just wrong. It's been insufficient to check for euid!=uid for decades.

There is very little support for my proposal to fix the ABI breakage. Sorry, I tried all I could.

[michaelrsweet]

Thanks for the clean PR, LGTM (even if the need for it gives me some heartburn...)