getresgid - gets the real, effective and saved user group IDs of the calling process
The getresgid() syscall returns the current real, effective and saved group IDs of the calling process. The kernel writes these values into the gid_t locations whose pointers are passed as the syscall's arguments; they can be used for process management operations, such as granting or rescinding the privileges of specific users or groups, as well as for user authentication. The group IDs are stored as gid_t values, a type that must be wide enough to hold any group ID used on the system.
There are some edge cases to take into consideration when getresgid() is used from within the kernel or from user space. In the kernel, getresgid() may return -1 if the group IDs cannot be accessed, whereas from user space -1 is a valid return value. Furthermore, when getresgid() is used from user space, the real, effective and saved group IDs should all be valid, since the kernel checks them against the user IDs on the system.
- rgid:gid_t*[K] - pointer to a gid_t value where the real group ID of the calling process is stored.
- egid:gid_t*[K] - pointer to a gid_t value where the effective group ID of the calling process is stored.
- sgid:gid_t*[K] - pointer to a gid_t value where the saved group ID of the calling process is stored.
- K - Originated from kernel-space.
kprobe + ftrace
Hooking the ptrace_traceme function with both kprobes and ftrace allows for more precise control over the tracing of processes.
Example Use Case
Suppose we want to authenticate a user and ensure that the privileges granted to that user are only used within a certain context. We can use the getresgid() syscall to obtain the real, effective and saved group IDs and compare them with the ones stored in the system. If they match, the user is authenticated; if not, the user must be rejected.
getresgid() is vulnerable to TOCTOU issues when used from user space: the gid_t values could be manipulated between the time they are checked and the time they are used.
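An added example, not from Tracee or from this page, that exercises the use case above from user space on Linux/glibc: it snapshots the three group IDs, applies the "all three must match" check (so that a group left in rgid or sgid cannot be restored later), and reproduces the -1 edge case with a constructed invalid pointer. The names gid_set, read_gids, classify_gids and probe_bad_pointer, and the sample gid 1000 in the output, are assumptions.

```c
#define _GNU_SOURCE               /* getresgid() is declared under _GNU_SOURCE in <unistd.h> */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Snapshot of the real, effective and saved group IDs of the calling process. */
struct gid_set { gid_t rgid, egid, sgid; };

/* Fill *out via getresgid(2). Returns 0, or -1 with errno set; on Linux the only
 * failure is EFAULT (a pointer the kernel cannot write to). */
int read_gids(struct gid_set *out) {
    return getresgid(&out->rgid, &out->egid, &out->sgid);
}

/* The "is this process confined to group `expected`?" check from the use case.
 * Returns 0 if all three IDs equal `expected`, 1 if egid matches but rgid or sgid
 * still hold another group (setresgid() could restore it, so privileges are not
 * really dropped), 2 if the effective group does not match at all. */
int classify_gids(const struct gid_set *g, gid_t expected) {
    if (g->egid != expected)
        return 2;
    if (g->rgid != expected || g->sgid != expected)
        return 1;
    return 0;
}

/* Reproduce the -1 edge case with a constructed bad pointer: returns the errno
 * the syscall reports (EFAULT on Linux), or 0 if it unexpectedly succeeded. */
int probe_bad_pointer(void) {
    gid_t e, s;
    errno = 0;
    return getresgid((gid_t *)NULL, &e, &s) == -1 ? errno : 0;
}

int main(void) {
    struct gid_set g;
    if (read_gids(&g) == -1) {
        perror("getresgid");
        return 1;
    }
    /* The values are a snapshot at call time; re-read them rather than caching. */
    printf("rgid=%u egid=%u sgid=%u -> state %d for gid %u\n",
           (unsigned)g.rgid, (unsigned)g.egid, (unsigned)g.sgid,
           classify_gids(&g, g.egid), (unsigned)g.egid);
    printf("NULL pointer probe: %s\n", strerror(probe_bad_pointer()));
    return 0;
}
```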
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.