Ptrace a suid process (after it drops privileges)

I understand that we cannot ptrace suid binaries. However, I am wondering why we cannot ptrace after the binary drops privileges, i.e. runs with its real uid instead of its euid.

For example, in my binary the suid privilege is dropped after a few steps.

 seteuid(euid);            /* euid was obtained by geteuid(): raise to the file owner's uid */
 ret_chdir = chdir(path);  /* the one privileged step */
 seteuid(ruid);            /* ruid was obtained by getuid(): drop back to the real uid */

 system("whoami");
 printf("Enter any char");
 scanf("%c", &junk);

In my case, when "whoami" is printed, it shows the user's name, not the owner of the binary. While the program is waiting for the scanf input, I try to attach to the running process as that user, but it fails, even though the binary has already dropped the privilege. Is it possible that ptrace attach uses the saved-uid state to decide that I am not the owner?

+4
1 answer

Your Yama ptrace scope probably prevents you from attaching to the process. In fact, most Linux kernels today by default do not allow attaching to arbitrary processes.

A process may ask to be traced by its parent (ptrace(PTRACE_TRACEME)), but if you want to use PTRACE_ATTACH, you either need that process to indicate via prctl that it wants your process to attach to it, or the Yama scope has to be set to 0 (or your process can run as root, of course).

0
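Added example, not code from the question or the answer above: a small diagnostic that prints what the kernel consults before it honours PTRACE_ATTACH, so the reader can see which of the conditions the thread discusses is the one blocking them. Besides the Yama scope the answer mentions, the Linux attach check (capabilities aside) compares the tracer's real uid with the target's real, effective and saved uid, all three of which appear on the Uid: line of /proc/<pid>/status, and it refuses when the target is not dumpable, which is the state exec of a set-uid binary leaves a process in. seteuid(getuid()) changes only the effective uid, so the saved uid keeps the file owner's value. The program takes a pid, reports those values, then attempts the attach and prints the errno. It assumes Linux with /proc mounted; reading dumpability from the ownership of /proc/<pid> is a heuristic, and the ptrace_scope file is absent on kernels without Yama.

```c
/* Added example (not code from the question or answer above): before trying
 * PTRACE_ATTACH, report the things the kernel actually checks. Assumes Linux
 * with /proc mounted; Yama may be absent (then ptrace_scope does not exist). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Find the "Uid:" line (real, effective, saved, fs) in /proc/<pid>/status
 * text and fill ids[0..3]. Returns 0 on success, -1 if the line is missing. */
static int parse_uid_line(const char *status, unsigned ids[4])
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "Uid:", 4) == 0)
            return sscanf(p + 4, "%u %u %u %u",
                          &ids[0], &ids[1], &ids[2], &ids[3]) == 4 ? 0 : -1;
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return -1;
}

/* Saved set-user-id of the target (third field of the Uid: line), or -1. */
long suid_from_status(const char *status)
{
    unsigned ids[4];
    return parse_uid_line(status, ids) == 0 ? (long)ids[2] : -1;
}

/* The uid part of the kernel's attach check (capabilities aside): the
 * tracer's real uid must equal the target's real, effective AND saved uid.
 * A set-uid program that only called seteuid(getuid()) still has the owner
 * in its saved uid, so this returns 0 for it. -1 means no Uid: line. */
int uid_match_from_status(const char *status, uid_t tracer_uid)
{
    unsigned ids[4];
    if (parse_uid_line(status, ids) != 0)
        return -1;
    return ids[0] == tracer_uid && ids[1] == tracer_uid && ids[2] == tracer_uid;
}

/* Yama's /proc/sys/kernel/yama/ptrace_scope, or -1 if Yama is not built in. */
int yama_scope(void)
{
    int v = -1;
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (f) {
        if (fscanf(f, "%d", &v) != 1)
            v = -1;
        fclose(f);
    }
    return v;
}

int main(int argc, char **argv)
{
    char path[64], status[4096];
    struct stat st;
    size_t n;
    FILE *f;
    pid_t pid;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <pid>\n", argv[0]);
        return 2;
    }
    pid = (pid_t)atol(argv[1]);
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    if (!(f = fopen(path, "r"))) {
        perror(path);
        return 1;
    }
    n = fread(status, 1, sizeof status - 1, f);
    fclose(f);
    status[n] = '\0';

    printf("my real uid       : %u\n", (unsigned)getuid());
    printf("target saved uid  : %ld\n", suid_from_status(status));
    printf("uid set matches   : %d\n", uid_match_from_status(status, getuid()));
    printf("yama ptrace_scope : %d\n", yama_scope());

    /* Heuristic: /proc/<pid> is owned by root while the target is not
     * dumpable, which is what exec of a set-uid binary leaves behind. */
    snprintf(path, sizeof path, "/proc/%ld", (long)pid);
    if (stat(path, &st) == 0)
        printf("/proc/<pid> owner : %u%s\n", (unsigned)st.st_uid,
               st.st_uid != getuid() ? " (not dumpable, or another user)" : "");

    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) {
        printf("PTRACE_ATTACH     : failed, %s\n", strerror(errno));
        return 1;
    }
    waitpid(pid, NULL, 0);              /* wait for the SIGSTOP delivered by attach */
    printf("PTRACE_ATTACH     : ok, detaching\n");
    ptrace(PTRACE_DETACH, pid, NULL, NULL);
    return 0;
}
```

Run it as the unprivileged user against the pid of the dropped-privilege program while it sits in scanf. For a root-owned set-uid binary the Uid: line reads like "1000 1000 0 1000": real and effective are the user, saved is still 0, so the uid set does not match and the attach fails with EPERM regardless of the Yama setting; a child that called PTRACE_TRACEME, or a target that named this pid with prctl(PR_SET_PTRACER), is the route the answer describes.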
