
getresuid16

Intro

getresuid16 - get the real user, effective user, and saved-set user IDs of the calling process

Description

The getresuid16 system call returns the current real user ID, effective user ID, and saved-set user ID of the calling process. This is useful for probing the security context of the running process, since that context changes as different user IDs come into effect. The real user ID is the original user ID of the process and cannot be changed; the effective user ID is the one the process uses when file permissions are checked; and the saved-set user ID is the value the effective user ID is restored from, for example after the process temporarily drops privileges.

The kernel represents user IDs as 32-bit values, while this legacy interface exposes them to user space as 16-bit values; the system call therefore converts between the two views.
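As an added example (not code from the Tracee project or the kernel), the following C program reproduces the kernel's 32-bit to 16-bit user ID mapping and applies it to the calling process's own IDs, obtained through the 32-bit getresuid(2) libc wrapper, so you can see what a caller of the 16-bit interface would observe. It assumes the kernel's default overflow UID of 65534 (kernel.overflowuid) and a mapping of the form used by high2lowuid() in include/linux/highuid.h, where any UID that does not fit in 16 bits is reported as the overflow UID rather than truncated.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Assumed default of /proc/sys/kernel/overflowuid; read the sysctl on a real system. */
#define OVERFLOWUID 65534u

/* Reproduce the kernel's high2lowuid() mapping: a UID that does not fit in
 * 16 bits becomes the overflow UID instead of being silently truncated. */
uint16_t high2lowuid(uint32_t uid)
{
    if (uid & ~0xFFFFu)
        return (uint16_t)OVERFLOWUID;
    return (uint16_t)uid;
}

/* 1 if the 16-bit view differs from the real 32-bit value, i.e. a 16-bit
 * caller cannot distinguish this process from one owned by the overflow UID. */
int uid16_is_lossy(uint32_t uid)
{
    return (uint32_t)high2lowuid(uid) != uid;
}

/* Produce the three IDs as a caller of getresuid16 would see them, starting
 * from the 32-bit values returned by the getresuid(2) wrapper. */
int getresuid16_view(uint16_t *ruid16, uint16_t *euid16, uint16_t *suid16)
{
    uid_t ruid, euid, suid;
    if (getresuid(&ruid, &euid, &suid) != 0)
        return -1;
    *ruid16 = high2lowuid(ruid);
    *euid16 = high2lowuid(euid);
    *suid16 = high2lowuid(suid);
    return 0;
}

int main(void)
{
    uint16_t r, e, s;
    if (getresuid16_view(&r, &e, &s) != 0) {
        perror("getresuid");
        return 1;
    }
    printf("16-bit view: ruid=%u euid=%u suid=%u\n", r, e, s);
    return 0;
}
```

Because of this mapping, a monitoring rule built on the 16-bit event arguments sees 65534 both for the real overflow/nobody user and for any UID above 65535, so the 32-bit getresuid event is the better source when such IDs are in use.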

Arguments

  • ruid:old_uid_t*[KU] - a pointer to user-space memory where the real user ID of the calling process is written. The pointed-to value is a 16-bit old_uid_t.
  • euid:old_uid_t*[KU] - a pointer to user-space memory where the effective user ID of the calling process is written. The pointed-to value is a 16-bit old_uid_t.
  • suid:old_uid_t*[KU] - a pointer to user-space memory where the saved-set user ID of the calling process is written. The pointed-to value is a 16-bit old_uid_t.

Available Tags

  • K – Originated from kernel-space.
  • U – Originated from user space (for example, a pointer to user space memory used to get it).
  • TOCTOU – Vulnerable to TOCTOU (time of check, time of use)
  • OPT – Optional argument – might not always be available (passed with null value)

Hooks

sys_getresuid16

Type

Kprobe + Uprobe

Purpose

Hooked to get the real, effective and saved-set user IDs of the calling process.

Example Use Case

This event can be used to monitor privileged processes, such as daemons, to ensure that they are running with the appropriate level of authority.

Issues

Because this system call only performs a conversion between the kernel and user space views of the user IDs, it is vulnerable to TOCTOU attacks.

Related Events

  • getresgid16 - get the real group, effective group, and saved-set group IDs of the calling process.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.