The Linux Page

FATAL: The application binary appears to be running setuid, this is a security hole.

A Fatal Error...

Today I found out that Qt actually checks the executable setuid flag. If that flag is set, then it generates a fatal error in your console as so:

FATAL: The application binary appears to be running setuid, this is a security hole.

Then it aborts the process as we can see on the following line:

Aborted (core dumped)

If you have core dumped turned on, then it will also generate a core dump about it.

The error is very sensible and actually well explain in the documentation:

Qt is not an appropriate solution for setuid programs due to its large attack surface. However some applications may be required to run in this manner for historical reasons. This flag will prevent Qt from aborting the application when this is detected, and must be set before a QCoreApplication instance is created.

Of course, "a large attack surface" doesn't mean much to most of us. But more or less, view it as it's very easy for a hacker to plug a few things here and there and take over your Qt task. So now you have it: Qt is NOT a secure solution to anything with a network connection. I'm glad to know that it was a very good idea not to use the Qt TCP implementation.

The error happens when you initialize the Qt application. If you use any extended Qt classes, such as QXml which uses the QTextDecoder, then you have an exteneded class in your program and to make sure it is properly initialize before you use it (and especially if you have multiple threads), you want to initializes your Qt application.

If like us you have a server, you use the low level function like so:

QCoreApplication app(argc, argv);

This is the line of code that causes the error shown above.

To avoid the error, you need to tell Qt that you're okay with the setuid like so:

QCoreApplication::setSetuidAllowed(true);
QCoreApplication app(argc, argv);

Now we have two lines instead of one, but our setuid application starts as expected.

As for the referenced security issue, since we are not running a Qt app per se, I'm not too worried. As I just mentioned, I make use of some advanced features such as loading XML files which require initialization or your software may crash (especially if you have multiple threads—i.e. the initialization of Qt is not thread safe!)