What is the meaning of using EUID? If the RUID and EUID of a process are 1000 and 0, and we run any command, the command is run at the 1000 privilege level. Why?

Solution 1:

It allows the process to temporarily raise and lower privileges as it needs.

For example, a file-server daemon (smbd, ftpd) starts as root, but then seteuid()'s to the logged-in user's EUID. Now it can run most of the time with the logged-in user's EUID, letting the kernel apply file access checks, but still be able to raise its privileges back to EUID 0 for certain operations.

But note that when you use system(), this invokes the command through /bin/sh, and the Bash shell deliberately drops privileges whenever it detects a UID/EUID mismatch. Your own setuid process could in fact open /etc/shadow just fine – it's only tools launched through system() that won't be able to.

If you replace all system() calls with fork+exec, or even a simple open("/etc/shadow", O_RDONLY), you will see that having RUID=1000 but EUID=0 allows you to access the file. (Additionally, you will also see id reporting both sets of UID/GID.)

Solution 2:

In general EUID itself works as you expect, the "problem" here is with system(3) and sh it uses. See the manual (man 3 system):

system() will not, in fact, work properly from programs with set-user-ID or set-group-ID privileges on systems on which /bin/sh is bash version 2: as a security measure, bash 2 drops privileges on startup. (Debian uses a different shell, dash(1), which does not do this when invoked as sh.)

It turns out the manual is not up to date. Nowadays dash behaves like bash. Frankly, I don't know what shell your OS uses as sh (you tagged ubuntu, and Ubuntu uses dash; but kali in your question may suggest Kali, and I'm not sure what Kali uses). Check with ls -l /bin/sh; it's probably dash. Regardless of what it is, it most likely drops privileges, and this is the reason for the Permission denied you observed.

Even if your sh didn't drop privileges, system() wouldn't be a good idea. The already linked manual explicitly advises against it:

Do not use system() from a privileged program (a set-user-ID or set-group-ID program, or a program with capabilities) because strange values for some environment variables might be used to subvert system integrity.