2

I'm a bit new to this, so I'm not sure where to look.

I have access to a server that as a command that executes a limited version of systemctl, and I want to expand it.

The command acts as follows: It allows specific users without sudo rights to execute systemctl. It only allows the user to run systemctl on 3 specific services.

I took a peek at how this was originally accomplished, and the creator of this command made an executable file (ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, for GNU/Linux 3.2.0, stripped) that has is owned by root and has the setuid bit as true. I tried de-compiling the executable and it seems to just check if the user is a specific user and run systemctl as root.

I have two issues:

  1. I'm not sure how to turn this back into valid source code.
  2. I'm concerned about security risks with using the setuid bit.
Gabriel Grinspan
  • 23
  • 2

1 Answers1

1

It's not really clear what you're trying to do as an end goal:

  • Are you trying to reverse engineer a custom compiled binary?
  • OR are you trying to grant systemctl to a non-root user?

Each of those should be composed as their own separate questions.

First, If you are trying to "decompile" a binary executable there is no real easy answer to turn it back into source code and if you have no access to the code or build methods you should just start over building a custom solution or do something else to accomplish your goal. A compiled binary executable doesn't even know what language it was originally written in, let alone being able to turn itself back into source code. You do have some basic ELF info though, so maybe start here: https://reverseengineering.stackexchange.com/

Secondly, to answer your primary question: (ignoring the reverse engineering binaries portion of the question), you can use the existing sudoer system to grant specific "root/sudo" commands to a non-root user. Here is an example sudoers line:

nancy ALL=(ALL) /usr/bin/systemctl restart nginx

This allows the nancy user to run sudo systemctl restart nginx but they are not allowed to do anything else with sudo. You can expand this out as necessary for your use-case and allow the user (or group) to run different specific commands.

Rino Bino
  • 511
  • 5
  • 21
  • 1
    Thank you. The initial plan was to reverse engineer the executable and give the user access to systemctl via another command, but this accomplishes the same end goal. I was able to use `gabe ALL=(ALL) NOPASSWD: /usr/bin/systemctl *my-service`. I also plan on making a bash script that makes this into another command. – Gabriel Grinspan Jan 09 '23 at 17:26