Re: how to list supplementary groups?

[Bob Proulx]

Adrian Buciuman wrote:
> Alfred M. Szmidt wrote:
> >   So how can I find the supplementary groups of process 4321 using id
> >   or groups?  It does't seem to be possible.
> >
> > You'd need to hack a bit for that to work.  Something like I dunno:
> >
> > address@hidden:~$ id `ps -up 2551|tail -n1|awk '{print $1}'`
> > uid=30270(ams) gid=134(update) groups=134(update)
> >
> > Replace 2551 with your process.

That is the type of solution I would have suggested too.  In general I
don't think there is a portable way to do this.  [Your suggestion of
using 'ps -up 2551' is not portable.  According to POSIX the -u is
followed by a username and so this would ask for processes of user
"x".]  I would probably suggest something like this:

  id $(ps -fp $$ | awk '$2=='$$'{print$1}')

> This gives me the groups my process should have, not the ones it
> actually has.

Right.  When you first asked about "the running processes" I read that
as "the running process" and so made suggestions accordingly.  But
upon reading again I don't think there is a way to get the information
you area asking about.  It is completely dependent upon the kernel
providing an interface to make that available.  In legacy Unix kernels
there would be kernel specific pstat(2) system calls.  In the Linux
kernel it would be possible to poke around in /proc and perhaps this
information might be available.

> See:
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0787

  LPRng in Red Hat Linux 7.0 and 7.1 does not properly drop memberships
  in supplemental groups when lowering privileges, which could allow a
  local user to elevate privileges.

But that is quite old.  RH7.1 released 4 Apr 2001.  That would have
probably used rsync-2.4.6 from 6 Sep 2000.  There can be a lot of
learning and improvement in five years.

> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0080

  rsync, when running in daemon mode, does not properly call setgroups
  before dropping privileges, which could provide supplemental group
  privileges to local users, who could then read certain files that
  would otherwise be disallowed.

> How can a system administrator check that things like this don't
> happen on his/her box?

To be able to get this information from the running process would need
support from the kernel.  Best to ask a kernel expert.  But poking
around in the Linux kernel specific /proc areas I found the following.

  grep Groups /proc/$$/status
  Groups: 4 20 24 25 29 40 44 50 109 1000 

So apparently this information is readily available from the Linux
kernel for any process.  On my Debian Sarge/stable machine with a
running rsync-2.6.4 daemon process:

  grep Groups /proc/$(ps -e | awk '$NF=="rsync"{print$1}')/status
  Groups:

So I am not able to observe the problem listed in the CVE on my
system.

Hope that helps.
Bob