科技回声
A tech news platform built on Next.js, providing global tech news and discussion content.

© 2025 科技回声. All rights reserved.

Don't abuse su for dropping user privileges (2015)

50 points, by aargh_aargh, almost 2 years ago

6 comments

kazinator, almost 2 years ago

This article is nonsense, I'm afraid.

Firstly, the su program isn't standardized by POSIX, so everything we say about it is system-dependent.

On the systems where that trick is used, su is documented as having that feature.

When su is executed by root (so that its setuid bit is moot), it knows this, and allows a credentials change to a specified account without prompting for a password. This is a feature and the example cron jobs are using it correctly to obtain their desired effect of impersonating that user.

su is not "dropping privileges"; it's impersonating a specific user, in a command dispatched from a root cron job or other script.

Thus all that might be wrong is the *rhetoric* used to describe the scripts, not what the scripts are actually doing, and only if we are nitpicky.

"Dropping privileges" has a strict meaning, referring to the situation that some user *bob* invoked a setuid root executable, which then disrobes itself of the root privilege, changing its effective-root uid to just *bob* again.

When root changes to another account that is unrelated to the real user ID, nevertheless, that situation fits the description of "dropping privileges" because that account is strictly less privileged than root.

> The right way ... Create a small wrapper binary with C

That's a silly nonstarter.

> *The new implementation called fork() and only dropped privileges in the child, retaining a privileged account parent process that could call the PAM "user session" cleanup function once the child exited.*

Privileged parents waiting for unprivileged children to terminate is an established pattern in Unix-like systems. E.g. PID 1 (init or systemd) is privileged and handles the termination of everything that has no parent.

The author is not connecting the dots here: reporting some actual privilege escalation bug in the use of "su bob command ...".

Interactively, when you are root, you can do this:

```
root # su bob
/home/bob$ exit
root #
```

This exit back to root is not a security hole, and it is not relevant to the scripted scenario at all. Bob has not actually gained root access. The order of messages on the TTY isn't what determines the security context semantics.
Comment #36088085 not loaded
chasil, almost 2 years ago

I still have some SysV init and I use it to respawn Oracle clients in runlevel 4.

I use this C to knock down the privilege from root to the app client account before I execve() the target:

```c
#include <sys/fsuid.h>   /* setfsgid, setfsuid: Linux-only, return the previous id, never an error */
#include <grp.h>         /* setgroups */
#include <unistd.h>      /* setresgid, setresuid */
#include <stdio.h>
#include <stdlib.h>

setfsgid(g);
setfsuid(u);
/* clear supplementary groups (setgroups takes a count and a list), then set
 * real, effective and saved gid, then real, effective and saved uid */
if (setgroups(0, NULL) || setresgid(g, g, g) || setresuid(u, u, u)) {
    fprintf(stderr, "permissions error\n");
    exit(1);
}
```

I hope that I did this correctly. Even if incorrect, it's worked since 2013.

Interesting that the post's linked article does not even mention real, effective, and saved user/group IDs.
Comment #36087393 not loaded
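The following is an added example, not code from the thread, from the linked article or from chasil; it ties chasil's snippet above to the point kazinator makes about what "dropping privileges" strictly means. It is a complete wrapper for Linux/glibc that switches the real, effective and saved uid and gid to a target account and then refuses to exec unless an attempt to regain root actually fails, which is the test that a setuid-root program which only called seteuid() (saved uid still 0) would not pass. The names drop_privileges, privs_are_dropped and dropexec, the choice of execvp, and the user-name argument are all this example's own assumptions.

```c
/* Added example: permanent privilege drop plus a self-check (Linux/glibc).
 * Not the thread's or the article's own code; names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Permanently switch to uid u / gid g. Returns 0 on success, -1 on failure.
 * Order matters: supplementary groups and gid first, because once the uid
 * is changed the process no longer has the privilege to change them. */
int drop_privileges(uid_t u, gid_t g)
{
    if (setgroups(0, NULL) != 0)      /* clear supplementary groups */
        return -1;
    if (setresgid(g, g, g) != 0)      /* real, effective and saved gid */
        return -1;
    if (setresuid(u, u, u) != 0)      /* real, effective and saved uid */
        return -1;
    return 0;
}

/* Returns 1 only if all three uids equal u, all three gids equal g and,
 * for a non-root target, an attempt to become root again is refused.
 * A process that merely called seteuid(u) keeps saved uid 0 and fails here. */
int privs_are_dropped(uid_t u, gid_t g)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    if (ru != u || eu != u || su != u || rg != g || eg != g || sg != g)
        return 0;
    if (u != 0 && setuid(0) == 0)     /* must fail with EPERM */
        return 0;
    return 1;
}

/* Usage (as root): ./dropexec <user> <command> [args...] */
int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s user command [args...]\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]);
    if (pw == NULL) {
        fprintf(stderr, "unknown user %s\n", argv[1]);
        return 2;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    if (!privs_are_dropped(pw->pw_uid, pw->pw_gid)) {
        fprintf(stderr, "privileges not fully dropped, refusing to exec\n");
        return 1;
    }
    execvp(argv[2], &argv[2]);
    fprintf(stderr, "execvp %s: %s\n", argv[2], strerror(errno));
    return 127;
}
```

Like chasil's snippet, this clears supplementary groups with setgroups(0, NULL); if the target account's own group list is wanted instead, initgroups(3) is the call to use before setresgid(). The setuid(0) probe in privs_are_dropped is what distinguishes a real drop from impersonation with a saved root uid left behind: as root it is a no-op, and after a correct drop it can only fail.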
justin_oaks, almost 2 years ago

I assume that is why I see gosu [1] used so often for dropping privileges in Docker containers.

It's good to have some explanation as to why su is unsuitable for this.

[1] https://github.com/tianon/gosu
RjQoLCOSwiIKfpm, almost 2 years ago

The article seems quite unclear about potential consequences of using su this way.

I typically use su to run some program in its own user account to ensure:

- it has its own homedir and doesn't fill mine with garbage.
- there is some level of isolation from the rest of the system for security, a basic "jail". I'm not trying to protect against targeted attacks from extremely competent threat actors here, but rather trying to stick software into its own user account so it can only access that account, with isolation of the same level as if I had manually logged in to a secondary account.

Can such programs break out of their "jail" when using su?

Or is the author of the article just angry for other reasons?
Comment #36087880 not loaded

Comment #36087026 not loaded

Comment #36086769 not loaded
Tuna-Fish, almost 2 years ago

So, what is the correct default (nothing self-built, please) command to start a shell using the privilege level of some less privileged user? setuidgid doesn't seem to be included by default in distributions.
Comment #36088176 not loaded

Comment #36088820 not loaded

Comment #36087606 not loaded
tinus_hn, almost 2 years ago
Writing dæmon instead of daemon is not cute and not clever.
Comment #36090259 not loaded