I'm studying Set-UID privileged programs, and it seems that a program executes with its own owner's privileges. Example: passwd can read/write the shadow file because it belongs to a root user. How can I find this kind of information for other programs?

2 Answers

Use getuid(2), geteuid(2), getresuid(2) and the corresponding setuid(2), setreuid(2) appropriately. See also capabilities(7) and credentials(7) & carefully execve(2). Read about proc(5).

Read the Setuid wikipage. A process running a setuid executable can call seteuid to gain privilege.

Basile Starynkevitch
  • My problem is something like this: Run Set-UID shell programs in Linux, and describe and explain your observations. (a) Login as root, copy /bin/zsh to /tmp, and make it a set-root-uid program with permission 4755. Then login as a normal user, and run /tmp/zsh. Will you get root privilege? Please describe your observation. If I moved it as root, it means that the program has root's privileges, right? But I'm looking for a way to prove it! – André Vinícius Bezerra Aug 30 '14 at 20:16
  • If you are `root` you can do stuff like `mkdir /hacked` which regular users cannot. (Remember to clean up after yourself.) – tripleee Sep 01 '14 at 04:35
  • The `/tmp` filesystem is however often mounted so that the setuid bit on binaries is not respected there. This is a security feature to disable precisely this sort of hack. `mount | grep nosuid` – tripleee Sep 01 '14 at 04:38

When you set the user identification (the 4755 mode) permission on an executable file, a process that runs this file is granted access based on the owner of the file.

In this case you copy /bin/zsh as the root user and then set the 4755 mode, so /tmp/zsh will give root privileges to the user who runs the file rather than user privileges.

This special permission allows a user to access files and directories that are normally only available to the owner.

Have you tried to do what you have been asked?

giusc
  • My try is something like this: I used a root user to copy the file (zsh), and I tried to execute it as a normal user. So, I wrote a program that executes a command (in this example, a passwd command). My idea: if this command is running as root, I could change another user's password. A root user can do that, so if I can do that as a normal user running this script, it's an obvious break of security. But... there's no way to do that. I tried to make a root user the owner of this program, but I can't execute it properly as a normal user (with no root privileges). – André Vinícius Bezerra Sep 01 '14 at 00:21
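
One way to check what the answers and comments describe, as an added example that is not part of the original posts: the program reports its own real and effective UID (getuid(2), geteuid(2)) and, for an executable, whether the setuid bit is set, who owns it, and whether its filesystem is mounted `nosuid`. The struct and function names are made up for this example, and the default path `/proc/self/exe` (the running binary itself, see proc(5)) is an assumption that holds on Linux.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <sys/types.h>
#include <unistd.h>

/* What stat(2) and statvfs(3) report about one executable (example type). */
struct suid_info {
    int   setuid_bit;  /* S_ISUID set in the mode (the leading 4 in 4755) */
    uid_t owner;       /* UID that becomes the effective UID on execve(2) */
    int   nosuid_fs;   /* filesystem mounted nosuid: the bit is ignored */
};

/* Pure check on a mode value: 04755 -> 1, 0755 -> 0. */
int mode_has_setuid(mode_t mode) {
    return (mode & S_ISUID) != 0;
}

/* Fill *out for path; returns 0 on success, -1 if it cannot be inspected. */
int inspect_setuid(const char *path, struct suid_info *out) {
    struct stat st;
    struct statvfs vfs;
    if (stat(path, &st) != 0 || statvfs(path, &vfs) != 0)
        return -1;
    out->setuid_bit = mode_has_setuid(st.st_mode);
    out->owner      = st.st_uid;
    out->nosuid_fs  = (vfs.f_flag & ST_NOSUID) != 0;
    return 0;
}

/* 1 when this process runs with an effective UID other than its real UID. */
int euid_differs_from_ruid(void) {
    return getuid() != geteuid();
}

int main(int argc, char **argv) {
    /* Default: inspect the running binary itself (Linux-specific path). */
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    struct suid_info info;
    printf("this process: real uid=%ld effective uid=%ld\n",
           (long)getuid(), (long)geteuid());
    if (inspect_setuid(path, &info) != 0) {
        perror(path);
        return 1;
    }
    printf("%s: setuid=%d owner uid=%ld nosuid mount=%d\n", path,
           info.setuid_bit, (long)info.owner, info.nosuid_fs);
    return 0;
}
```

When a copy of this binary is owned by root with mode 4755 and run by a normal user, the effective UID differs from the real UID only if `nosuid mount` is 0 for the filesystem the copy lives on.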