I know that OpenBSD has striven to limit the number of setuid binaries in its suite of software for security reasons. However, I am not under the impression that the SUID bit no longer affects the effective user-id when the binary is run -- this would mean that the bit does nothing, and even the few setuid programs left in OpenBSD would not work correctly.

I encountered this bug using a fresh install of OpenBSD 5.3 as a guest OS on Parallels for Mac:

$ uname -a
OpenBSD openbsd.localdomain 5.3 GENERIC#53 amd64

To my surprise, a binary file owned by root with its SUID bit set runs with UIDs as if the SUID was not set. That is, when UID 1000 runs such a program, the program starts in state:

<real_uid, effective_uid, saved_uid> = <1000, 1000, 1000>

and not in state:

<real_uid, effective_uid, saved_uid> = <1000, 0, 0>

as expected.

Here are the details regarding how I found the issue: I have written an interactive C program for evaluating setuid behaviour in different Unix systems. The program is compiled using:

gcc -o setuid_min.bin setuid_min.c

The program lives in a subdirectory of UID 1000's home directory, and the sudo command is used to change ownership and SUID; then the program is run and I enter "uid" to report the real, effective, and saved UIDs of the process:

$ sudo chown root:staff setuid_min.bin
$ ls -l | grep 'setuid_min\.bin$'
-rwxr-xr-x 1 root staff [...] setuid_min.bin
$ sudo chmod a+s setuid_min.bin
$ ls -l | grep 'setuid_min\.bin$'
-rwsr-sr-x 1 root staff [...] setuid_min.bin
$ ./setuid_min.bin
uid
1000 1000 1000 some_pid
exit
$

Note that some_pid above is the pid of the setuid_min.bin process. The program reports the real UID, effective UID, and saved UID by reporting the output of the following shell command:

ps -ao ruid,uid,svuid,pid | grep '[ ]my_pid$'

where my_pid is the pid reported by getpid(). As far as I understand, the program should be reporting "1000 0 0 some_pid", and not "1000 1000 1000 some_pid".

Sincerely,
Mark Dittmer

[demime 1.01d removed an attachment of type text/x-csrc which had a name of setuid_min.c]
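The same check, as an added C example that is not the setuid_min.c stripped from the post: it reads the three UIDs directly with getresuid(2) instead of parsing ps output, and also reports whether the executable sits on a filesystem mounted nosuid, where the kernel ignores the setuid bit and a root-owned setuid binary runs as <1000, 1000, 1000> exactly as observed above. It assumes getresuid(2) and statvfs(3) with the ST_NOSUID flag, which both OpenBSD and Linux provide; the file and binary names are placeholders.

```c
/* Added example, not the setuid_min.c from the post: report the real,
 * effective and saved UIDs via getresuid(2) and check whether the binary's
 * filesystem is mounted nosuid (the kernel then ignores the setuid bit).
 * Build: cc -o uidcheck uidcheck.c; then chown root, chmod a+s, run as a user. */
#define _GNU_SOURCE              /* glibc exposes getresuid() under this */
#include <stdio.h>
#include <sys/statvfs.h>
#include <unistd.h>

struct uid_triplet { uid_t real, effective, saved; };

/* Fill t from the kernel; returns 0 on success, -1 on error. */
int read_uids(struct uid_triplet *t)
{
    return getresuid(&t->real, &t->effective, &t->saved);
}

/* 1 if exec honoured the setuid bit (euid or saved uid differs from the
 * real uid), 0 if the process runs entirely as the invoking user. */
int setuid_took_effect(const struct uid_triplet *t)
{
    return t->effective != t->real || t->saved != t->real;
}

/* 1 if path is on a filesystem mounted nosuid, 0 if not, -1 on error. */
int on_nosuid_fs(const char *path)
{
    struct statvfs vfs;
    if (statvfs(path, &vfs) != 0)
        return -1;
    return (vfs.f_flag & ST_NOSUID) ? 1 : 0;
}

int main(int argc, char **argv)
{
    struct uid_triplet t;
    const char *self = argc > 0 ? argv[0] : ".";   /* works when run as ./uidcheck */
    int nosuid;

    if (read_uids(&t) != 0) { perror("getresuid"); return 1; }
    printf("ruid=%u euid=%u svuid=%u pid=%d\n", (unsigned)t.real,
           (unsigned)t.effective, (unsigned)t.saved, (int)getpid());
    printf("setuid bit %s\n", setuid_took_effect(&t) ? "took effect" : "had no effect");
    if ((nosuid = on_nosuid_fs(self)) < 0)
        perror("statvfs");
    else
        printf("%s is on a %s filesystem\n", self, nosuid ? "nosuid" : "suid-permitting");
    return 0;
}
```

If the last line reports a nosuid filesystem, the chown/chmod steps above cannot take effect there and the binary has to be moved to a partition mounted without nosuid for the test to be meaningful.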
