Is there a way to change your current UID to equal your EUID?



  • Here is the scenario: running id gives this:

    uid=1001(test1) gid=1001(test1) euid=1000(bl4ckc4t) groups=1001(test1) -

    This means that I am user test1, but my euid is set to another user.

    My goal is to get my uid to change to 1000 from my current position with my euid being 1000.

    The problem is that running something like bash -i will just look at my uid and create a shell based on my uid, not euid.

    The only thing I came up with, which only works if you have euid=0, is:

    python3 -c 'import pty; import os; os.setuid(0); pty.spawn("/bin/bash")'

    Through python I can change my uid, and it works, except that if I try the equivalent for this case:

    python3 -c 'import pty; import os; os.setuid(1000); pty.spawn("/bin/bash")'

    it throws the exception OSError: out of pty devices

    How can I achieve that change?

    The general restrictions are to change it without uploading binaries, changing /etc/shadow or /etc/passwd. It would also be great if the method works natively and doesn't assume that specific programs, like gcc for example, exist.



  • The Linux system calls to do this are setreuid or setresuid, both available in section 2 of the manual. The difference is that setresuid lets you choose the saved user ID, whereas setreuid sets it automatically.

    If you're using C/C++, this is easy; just #define _GNU_SOURCE and #include ``` (or the equivalent to call the relevant APIs in your language of choice). Languages that allow direct calls into C APIs should be similarly easy; the functions are defined in glibc (which many Linux programs already link against). If you're using another language that wraps the relevant APIs, such as python, consult the documentation for the wrappers in that language.

    To then run another program as that user, either use a member of the exec API family (possibly the execve syscall directly) to become that program, or vfork/clone a new process and then exec inside it, or use system/popen. If not on C/C++, use the suitable program-execution / process-creation API in your language of choice.
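
The sequence the answer above describes (setresuid, then exec), as an added Python example that is not part of the original thread. The function names are hypothetical, and the sample credential triple assumes a saved UID of 1000, which the question's id output does not show.

```python
import os


def setresuid_permitted(current, target, privileged=False):
    """Model of the setresuid(2) permission rule.

    current and target are (real, effective, saved) triples. An unprivileged
    process may set each ID only to one of its three current values; -1 means
    "leave unchanged". A process with CAP_SETUID may set any value.
    """
    if privileged:
        return True
    return all(t == -1 or t in current for t in target)


def commit_effective_uid():
    """Set real and saved UID to the effective UID, then verify the result."""
    euid = os.geteuid()
    # os.setuid(euid) would not do this for a non-root caller: per setuid(2)
    # it changes only the effective UID unless the caller is privileged,
    # in which case it sets real, effective and saved together.
    os.setresuid(euid, euid, euid)
    ids = os.getresuid()
    if ids != (euid, euid, euid):
        raise RuntimeError(f"UIDs not committed: {ids}")
    return ids


if __name__ == "__main__":
    print("before:", os.getresuid(), flush=True)
    print("after: ", commit_effective_uid(), flush=True)
    # Replace this process with another program; it inherits the new UIDs.
    # GIDs and supplementary groups are left unchanged by this example.
    os.execvp("id", ["id"])
```
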


