2

Is my assumption true, that on Unix/Linux, the only way to GAIN root access is to execute a setuid-root file?

In other words, the system calls setuid(), setgid() are all about DROPPING privileges?

Please note that my question is not about exploits.

SzG
  • Yes, and that is why [setuid](http://en.wikipedia.org/wiki/Setuid) is about – Basile Starynkevitch Feb 25 '14 at 17:17
  • Well, one can also "gain" root access by forking from a root process. The problem is that any process that you _could_ conceivably fork from either has already dropped root privileges long before giving control to your process (think init) or was itself forked from a process that dropped privileges earlier (think bash). – Damon Feb 25 '14 at 17:39
  • By GAIN I mean that a non-root process becomes a root process. Not that a root process creates another root process. – SzG Feb 25 '14 at 17:42

1 Answer

2

That's true. The only way for a non-root process (assuming it's running a non-setuid program) to become root is to exec a setuid program. If it's running a set-uid root program, then its effective uid is root and real uid is whoever ran it. It can then do setuid(0) to make its real uid 0.

Peter Mortensen
mlv
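The answer's point, shown in code (an added example for Linux/glibc, not written by the answerer): the real/effective/saved uid triple a process gets from getresuid() is the whole story, setuid() can only pick a uid already in that triple, so a process with no 0 anywhere in it cannot reach root no matter what it calls, while a setuid-root binary starts life with effective uid 0 and the invoker's real uid. It also shows the defensive counterpart, dropping root permanently and verifying the drop rather than assuming it worked.

```c
#define _GNU_SOURCE          /* getresuid/setresuid are GNU extensions on glibc */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Could setuid(0) succeed from this (real, effective, saved) uid triple?
 * An unprivileged caller may only select a uid already present in its triple,
 * so without a 0 somewhere there is no way to "gain" root through setuid(). */
int can_setuid_to_root(uid_t ruid, uid_t euid, uid_t suid) {
    return ruid == 0 || euid == 0 || suid == 0;
}

/* Human-readable classification of the triple as returned by getresuid(). */
const char *describe_uids(uid_t ruid, uid_t euid, uid_t suid) {
    if (ruid == 0 && euid == 0 && suid == 0) return "full root";
    if (euid == 0) return "setuid-root program: effective uid 0, real uid is the invoker";
    if (suid == 0) return "root dropped temporarily: saved uid 0 can be restored";
    if (!can_setuid_to_root(ruid, euid, suid)) return "unprivileged: setuid() cannot reach 0";
    return "mixed";
}

/* Give up root for good: set all three uids to the real uid, then verify.
 * Returns 0 on success, -1 if anything failed (never assume the drop worked). */
int drop_privileges_permanently(void) {
    uid_t ruid, euid, suid;
    if (getresuid(&ruid, &euid, &suid) != 0) return -1;
    if (setresuid(ruid, ruid, ruid) != 0) return -1;
    if (getresuid(&ruid, &euid, &suid) != 0) return -1;
    if (euid != ruid || suid != ruid) return -1;      /* drop did not take */
    if (ruid != 0 && setuid(0) == 0) return -1;       /* root was still reachable */
    return 0;
}

int main(void) {
    uid_t ruid, euid, suid;
    getresuid(&ruid, &euid, &suid);
    printf("before: real=%u eff=%u saved=%u (%s)\n", (unsigned)ruid, (unsigned)euid,
           (unsigned)suid, describe_uids(ruid, euid, suid));
    if (drop_privileges_permanently() != 0) { perror("drop"); return 1; }
    getresuid(&ruid, &euid, &suid);
    printf("after:  real=%u eff=%u saved=%u (%s)\n", (unsigned)ruid, (unsigned)euid,
           (unsigned)suid, describe_uids(ruid, euid, suid));
    return 0;
}
```

Run it as an ordinary user and the triple is all yours and stays that way; only if the compiled binary were made setuid-root (the case the answer describes) would "before" show effective uid 0 with your own real uid.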