Question regarding blocking set[ug]id on processes including via suid executables
From: Vito Caputo
Date: Tue May 12 2020 - 05:45:26 EST
Hello folks,
I'm curious if someone knows a way to do this using existing linux
interfaces.
I'd like to create a login lacking the ability to switch uid/gid.
Even if the process has access to suid executables like /bin/su, and
the user has the root password, I'd like the descendant processes of
their login to be simply incapable of changing uid/gid, even when it's
in the form of running a program w/suid bit set on an existing and
accessible executable in the filesystem. No matter what, it just
can't happen.
Do we have any such thing today? I'd really like to be able to set
this on a specific user and all logins of that user are simply stuck
on that uid no matter what.
Thanks in advance,
Vito Caputo