Skip to content
Advertisement

is shell_exec() sub-process supposed to inherit euid?

i’m running php-cli 7.3.19 as root (on a Debian 10 Buster, linux kernel 4.19.0-8-amd64), and after using posix_seteuid() to change my euid, is sub-processes supposed to inherit my euid?

i thought the answer was yes, but testing it,

root@devdb:/srv/http/easyad_branches# whoami
root
root@devdb:/srv/http/easyad_branches# id
uid=0(root) gid=0(root) groups=0(root)
root@devdb:/srv/http/easyad_branches# php -r ' 
var_dump(posix_seteuid(posix_getpwnam("www-data")["uid"])); 
var_dump(shell_exec("whoami;id"));  
posix_seteuid(0); 
var_dump(posix_setuid(posix_getpwnam("www-data")["uid"]));  
var_dump(shell_exec("whoami;id"));'
bool(true)
string(44) "root
uid=0(root) gid=0(root) groups=0(root)
"
bool(true)
string(53) "www-data
uid=33(www-data) gid=0(root) groups=0(root)
"

it seems whoami inherits my uid as it’s euid, rather than inheriting my euid as it’s euid, is that intended behavior?

to say it in another way, i got bool(true) root bool(true) www-data , but i expected bool(true) www-data bool(true) www-data , is my expectations wrong, or is there something else going on?

Advertisement

Answer

it seems whoami inherits my uid as it’s euid, rather than inheriting my euid as it’s euid, is that intended behavior?

I’m not 100% sure about PHP, but in programming languages directly calling Linux system calls (such as C or C++) this behavior is normal.

One well-known side-effect of this behavior is that setting the set-euid bit to a shell script makes no sense (as long as the “normal” shell – e.g. bash – is used):

The shell (e.g. /bin/sh) would be started with euid set to a different UID, but the programs started by the shell would have both euid and uid set to the uid value of the shell, which is the UID of the user that started the script…

User contributions licensed under: CC BY-SA
8 People found this is helpful
Advertisement