Setuid on executable doesn't seem to work

I wrote a small C utility called killSPR to kill the following processes on my RHEL box. The idea is that anyone who logs in to this Linux box can use this utility to kill the processes shown below (it does not work, as explained below).

    cadmn@rhel /tmp > ps -eaf | grep -v grep | grep " SPR "
    cadmn 5822 5821 99 17:19 ? 00:33:13 SPR 4 cadmn
    cadmn 10466 10465 99 17:25 ? 00:26:34 SPR 4 cadmn
    cadmn 13431 13430 99 17:32 ? 00:19:55 SPR 4 cadmn
    cadmn 17320 17319 99 17:39 ? 00:13:04 SPR 4 cadmn
    cadmn 20589 20588 99 16:50 ? 01:01:30 SPR 4 cadmn
    cadmn 22084 22083 99 17:45 ? 00:06:34 SPR 4 cadmn
    cadmn@rhel /tmp >

This utility belongs to the cadmn user (under which these processes are executed), and the setuid flag is set on it (shown below).

    cadmn@rhel /tmp > ls -l killSPR
    -rwsr-xr-x 1 cadmn cusers 9925 Dec 17 17:51 killSPR
    cadmn@rhel /tmp >

The C code is given below:

    /*
     * Program Name: killSPR.c
     * Description: A simple program that kills all SPR processes that
     * run as user cadmn
     */
    #include <stdio.h>
    #include <stdlib.h>   /* system() */

    int main()
    {
        char input[2];   /* buffer for fgets(); the original passed an uninitialised pointer */

        printf("Before you proceed, find out under which ID I'm running. Hit enter when you are done...");
        fgets(input, 2, stdin);

        /* Runs the pipeline through /bin/sh, exactly as in the question */
        const char *killCmd = "kill -9 $(ps -eaf | grep -v grep | grep \" SPR \" | awk '{print $2}')";
        system(killCmd);

        return 0;
    }

A user (pmn) other than cadmn tries to kill the above processes with this utility and it does not work (shown below):

    pmn@rhel /tmp > ./killSPR
    Before you proceed, find out under which ID I'm running. Hit enter when you are done...
    sh: line 0: kill: (5822) - Operation not permitted
    sh: line 0: kill: (10466) - Operation not permitted
    sh: line 0: kill: (13431) - Operation not permitted
    sh: line 0: kill: (17320) - Operation not permitted
    sh: line 0: kill: (20589) - Operation not permitted
    sh: line 0: kill: (22084) - Operation not permitted
    pmn@rhel /tmp >

While the user is waiting to press Enter, the killSPR process was checked and, as seen, it runs as the cadmn user (shown below), despite the fact that killSPR cannot terminate the processes.

    cadmn@rhel /tmp > ps -eaf | grep -v grep | grep killSPR
    cadmn 24851 22918 0 17:51 pts/36 00:00:00 ./killSPR
    cadmn@rhel /tmp >

By the way, none of the main partitions have nosuid on them:

    pmn@rhel /tmp > mount | grep nosuid
    pmn@rhel /tmp >

The setuid flag on the executable does not seem to have the desired effect. What am I missing here? Have I misunderstood how setuid works?

+6
3 answers

First of all, the setuid bit just allows the script to set the uid. The script still needs to call setuid() or setreuid() to run in real uid or effective uid respectively. Without calling setuid() or setreuid(), the script will still be executed as the user who called the script.

Avoid system and exec as they drop privileges for security reasons. You can use kill() to kill processes.

Check them out.

http://linux.die.net/man/2/setuid

http://man7.org/linux/man-pages/man2/setreuid.2.html

http://man7.org/linux/man-pages/man2/kill.2.html

+1

Check out this link to create a daemon script shell:

Best way to make daemon script shell?

You may also want to google 'linux script for maintenance'; I found a couple of links on this.

The idea is that you end up with a shell script that has some basic things that allow a user to control a program that runs as another user, by calling a “service”-type script instead. For example, you can wrap /usr/var/myservice/SPRkiller as a “service” script, which can then simply be called by any user as such: service SPRkiller start. SPRkiller will then start and kill the corresponding services (provided that the SPR 'program' runs as a non-root user).

This is what it sounds like you are trying to achieve. Running a program (shell script / C program / whatever) bears the same user restrictions regardless of what it is (except for escalation errors / hacks).

On the other hand, you seem to slightly underestimate user rights on Linux / Unix, as well as what certain commands and functions do. If the user does not have rights to perform a certain action (for example, kill another user's process), calling setuid in the program you want to use kill (or in kill) will have no effect, because the user does not have rights to another user's "space" without superuser rights. Therefore, even if you are in a shell script or in a C program and call the same system command, you will get the same effect.

http://www.linux.com/learn/ is an excellent resource, and here is a link to file permissions

hope that helps

+2

You must replace the system call with the exec call. The manual for system talks about reducing privileges when starting from the suid program.

The explanation is in man system:

Do not use system() from a program with set-user-ID or set-group-ID privileges, because strange values for some environment variables might be used to subvert system integrity. Use the exec(3) family of functions instead, but not execlp(3) or execvp(3). system() will not, in fact, work properly from programs with set-user-ID or set-group-ID privileges on systems on which /bin/sh is bash version 2, since bash 2 drops privileges on startup. (Debian uses a modified bash which does not do this when invoked as sh.)

If you replace system with exec, you will need to use shell syntax, unless you call /bin/sh -c <shell command>, which is what system really does.

+1