Enable unprivileged processes to use setuid with whitelisted UIDs
.gitignore
Makefile
NOTES
README
chuid.c
dummy.c
strto_nonzerouid.h

README

=====
chuid
=====

This prototype permits unprivileged processes to change their ruid, euid, suid
and rgid, egid, sgid to any values from a prespecified range.  Normally, once a
process transitions from root to an unprivileged credential, it cannot
change its IDs again later.  It is possible to retain the CAP_SETUID
capability in the unprivileged process, but the capability is extremely
general: the process can arbitrarily change its IDs and read/write all
of the system's readable/writeable files.

`chuid` lets the administrator specify a particular set of IDs available to a
subordinate program.

=====
Setup
=====

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.1 LTS
Release:        18.04
Codename:       bionic

$ apt install libcap-dev libcap2

$ make

======
Test A
======

$ id
uid=1000 gid=1000 groups=1000

$ sudo ./chuid 4000 4005 /usr/bin/id
uid=4000 gid=4000 groups=4000

$ echo $?
0

======
Test B
======

$ gcc -xc - <<EOF
> #define _GNU_SOURCE
> #include <stdlib.h>
> #include <stdio.h>
> #include <unistd.h>
> 
> int main() {
>   printf("purple flowers\n");
>   return setresuid(3000, 3000, 3000);
> }
> 
> EOF

$ ./a.out; echo $?
purple flowers
255

$ sudo ./chuid 3000 3000 ./a.out; echo $?
purple flowers
0

=====
Dummy
=====

$ make; sudo ./chuid 2000 2002 ./dummy a b c; echo $?
gcc -std=c99 -g -Wall -Wextra -pedantic chuid.c -o chuid
gcc -std=c99 -g -Wall -Wextra -pedantic dummy.c -o dummy
argv[0] = ./dummy
argv[1] = a
argv[2] = b
argv[3] = c

CHUID_LOW: 2000
CHUID_HIGH: 2002

uid[startup]: (2000, 2000, 2000)
gid[startup]: (2000, 2000, 2000)
supplementary group: 2000

uid[1]: (2000, 2000, 2000)
gid[1]: (2000, 2000, 2000)

uid[2]: (2001, 2001, 2001)
gid[2]: (2001, 2001, 2001)

uid[3]: (2002, 2002, 2002)
gid[3]: (2002, 2002, 2002)

0
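
An added example, not taken from chuid.c or strto_nonzerouid.h: one way to validate an inclusive LOW..HIGH range and a requested ID, as in the `chuid LOW HIGH program` invocations above, before any ID change is permitted. The function names are hypothetical, and rejecting 0 and (uid_t)-1 is an assumption of this example, not documented behaviour of the prototype.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Hypothetical helper: parse a decimal UID/GID strictly.
 * Rejects empty input, whitespace, signs, trailing junk, overflow,
 * 0 (root) and (uid_t)-1, the value setresuid() reads as "leave this
 * ID unchanged". Returns 0 on success, -1 on rejection. */
static int parse_nonzero_id(const char *s, uid_t *out)
{
    char *end;
    unsigned long long v;
    if (s == NULL || *s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno != 0 || *end != '\0')
        return -1;
    if (v == 0 || v >= (unsigned long long)(uid_t)-1)
        return -1;
    *out = (uid_t)v;
    return 0;
}

/* Hypothetical helper: accept `want` only if it lies inside the
 * inclusive range [low, high]; an inverted range is rejected outright. */
static int id_allowed(const char *low_s, const char *high_s,
                      const char *want_s, uid_t *out)
{
    uid_t low, high, want;
    if (parse_nonzero_id(low_s, &low) || parse_nonzero_id(high_s, &high) ||
        parse_nonzero_id(want_s, &want))
        return -1;
    if (low > high || want < low || want > high)
        return -1;
    *out = want;
    return 0;
}

int main(int argc, char **argv)
{
    uid_t id;
    if (argc != 4 || id_allowed(argv[1], argv[2], argv[3], &id) != 0) {
        fprintf(stderr, "rejected\n");
        return 1;
    }
    printf("allowed: %lu\n", (unsigned long)id);
    return 0;
}
```

Run stand-alone as `./a.out LOW HIGH ID`; the exit status is 0 only when ID parses cleanly and falls inside the range.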