[英]setuid on an executable doesn't seem to work
I wrote a small C utility called killSPR
to kill the following processes on my RHEL box. 我写了一个名为
killSPR
的小C实用程序来杀死RHEL盒子上的以下进程。 The idea is for anyone who logs into this linux box to be able to use this utility to kill the below mentioned processes (which doesn't work - explained below). 这个想法适用于登录这个linux盒子的人能够使用这个实用程序杀死下面提到的进程(这不起作用 - 如下所述)。
cadmn@rhel /tmp > ps -eaf | grep -v grep | grep " SPR "
cadmn 5822 5821 99 17:19 ? 00:33:13 SPR 4 cadmn
cadmn 10466 10465 99 17:25 ? 00:26:34 SPR 4 cadmn
cadmn 13431 13430 99 17:32 ? 00:19:55 SPR 4 cadmn
cadmn 17320 17319 99 17:39 ? 00:13:04 SPR 4 cadmn
cadmn 20589 20588 99 16:50 ? 01:01:30 SPR 4 cadmn
cadmn 22084 22083 99 17:45 ? 00:06:34 SPR 4 cadmn
cadmn@rhel /tmp >
This utility is owned by the user cadmn
(under which these processes run) and has the setuid flag set on it (shown below). 该实用程序由用户
cadmn
(运行这些进程)拥有,并在其上设置了setuid标志(如下所示)。
cadmn@rhel /tmp > ls -l killSPR
-rwsr-xr-x 1 cadmn cusers 9925 Dec 17 17:51 killSPR
cadmn@rhel /tmp >
The C code is given below: C代码如下:
/*
* Program Name: killSPR.c
* Description: A simple program that kills all SPR processes that
* run as user cadmn
*/
#include <stdio.h>
int main()
{
char *input;
printf("Before you proceed, find out under which ID I'm running. Hit enter when you are done...");
fgets(input, 2, stdin);
const char *killCmd = "kill -9 $(ps -eaf | grep -v grep | grep \" SPR \" | awk '{print $2}')";
system(killCmd);
return 0;
}
A user ( pmn
) different from cadmn
tries to kill the above-mentioned processes with this utility and fails (shown below): 与
pmn
不同的用户( pmn
)尝试使用此实用程序cadmn
上述进程并失败(如下所示):
pmn@rhel /tmp > ./killSPR
Before you proceed, find out under which ID I'm running. Hit enter when you are done...
sh: line 0: kill: (5822) - Operation not permitted
sh: line 0: kill: (10466) - Operation not permitted
sh: line 0: kill: (13431) - Operation not permitted
sh: line 0: kill: (17320) - Operation not permitted
sh: line 0: kill: (20589) - Operation not permitted
sh: line 0: kill: (22084) - Operation not permitted
pmn@rhel /tmp >
While the user waits to hit enter above, the process killSPR
is inspected and is seen to be running as the user cadmn
(shown below) despite which killSPR is unable to terminate the processes. 当用户等待上面的输入时,检查进程
killSPR
并且看作是作为用户cadmn
运行(如下所示),尽管killSPR无法终止进程。
cadmn@rhel /tmp > ps -eaf | grep -v grep | grep killSPR
cadmn 24851 22918 0 17:51 pts/36 00:00:00 ./killSPR
cadmn@rhel /tmp >
BTW, none of the main partitions have any nosuid
on them 顺便说一句,没有一个主要分区有任何
nosuid
pmn@rhel /tmp > mount | grep nosuid
pmn@rhel /tmp >
The setuid flag on the executable doesn't seem to have the desired effect. 可执行文件上的setuid标志似乎没有所需的效果。 What am I missing here?
我在这里错过了什么? Have I misunderstood how setuid works?
我误解了setuid是如何工作的吗?
You should replace your system
call with exec
call. 您应该使用
exec
调用替换您的system
调用。 Manual for system
say's it drops privileges when run from suid program. system
手册说它从suid程序运行时删除了权限。
The reason is explained in man system
: 原因在
man system
解释:
Do not use system() from a program with set-user-ID or set-group-ID privileges, because strange values for some environment variables might be used to subvert system integrity.
不要使用具有set-user-ID或set-group-ID权限的程序中的system(),因为某些环境变量的奇怪值可能会用于破坏系统完整性。 Use the exec(3) family of func‐ tions instead, but not execlp(3) or execvp(3).
使用exec(3)系列函数代替,但不使用execlp(3)或execvp(3)。 system() will not, in fact, work properly from programs with set-user-ID or set-group-ID privileges on systems on which /bin/sh is bash version 2, since bash 2 drops privileges on startup.
事实上,system /)在/ bin / sh为bash版本2的系统上具有set-user-ID或set-group-ID权限的程序无法正常工作,因为bash 2在启动时删除了特权。 (Debian uses a modified bash which does not do this when invoked as sh.)
(Debian使用修改后的bash,当调用sh时不会这样做。)
If you replace system
with exec
you will need to be able to use shell syntax unless you call /bin/sh -c <shell command>
, this is what is system
actually doing. 如果用
exec
替换system
,除非你调用/bin/sh -c <shell command>
,否则你需要能够使用shell语法,这就是system
实际做的事情。
Check out this link on making a shell script a daemon: 查看有关使shell脚本成为守护程序的链接:
Best way to make a shell script daemon? 制作shell脚本守护进程的最佳方法是什么?
You might also want to google some 'linux script to service' , I found a couple of links on this subject. 您可能还想谷歌一些'linux脚本服务' ,我找到 了几个关于这个主题的链接 。
The idea is that you wrap a shell script that has some basic stuff in it that allows a user to control a program run as another user by calling a 'service' type script instead. 这个想法是你包装一个shell脚本,里面有一些基本内容,允许用户通过调用'service'类型脚本来控制作为另一个用户运行的程序。 For example, you could wrap up
/usr/var/myservice/SPRkiller
as a 'service' script that could then just be called as such from any user: service SPRkiller start
, then SPRkiller
would run, kill the appropriate services (assuming the SPR 'program' is run as a non-root user). 例如,您可以将
/usr/var/myservice/SPRkiller
为“服务”脚本,然后可以从任何用户调用它: service SPRkiller start
,然后SPRkiller
将运行,杀死相应的服务(假设SPR 'program'作为非root用户运行)。
This is what it sounds like you are trying to achieve. 这就是你想要实现的目标。 Running a program (shell script/C program/whatever) carries the same user restrictions on it no matter what (except for escalation bugs/hacks).
运行程序(shell脚本/ C程序/无论如何)无论如何都会对其进行相同的用户限制(除了升级错误/黑客攻击)。
On a side note, you seem to have a slight misunderstanding of user rights on Linux/Unix as well as what certain commands and functions do. 另外,您似乎对Linux / Unix上的用户权限以及某些命令和函数的作用略有误解。 If a user does not have permissions to do a certain action (like
kill
the process of another user), then calling setuid
on the program you want to kill
(or on kill
itself) will have no effect because the user does not have permission to another users 'space' without super user rights. 如果用户没有权限执行某个操作(比如
kill
另一个用户的进程),那么在你要kill
的程序(或者kill
)上调用setuid
将没有任何效果,因为用户没有权限没有超级用户权限的另一个用户空间。 So even if you're in a shell script or a C program and called the same system
command, you will get the same effect. 因此,即使您使用的是shell脚本或C程序并调用相同的
system
命令,您也会获得相同的效果。
http://www.linux.com/learn/ is a great resource, and here's a link for file permissions http://www.linux.com/learn/是一个很好的资源,这里有一个文件权限链接
hope that helps 希望有所帮助
First and foremost, setuid bit
simply allows a script to set the uid
. 首先,
setuid bit
只允许脚本设置uid
。 The script still needs to call setuid()
or setreuid()
to run in the the real uid
or effective uid
respectively. 该脚本仍需要调用
setuid()
或setreuid()
以分别在real uid
或effective uid
运行。 Without calling setuid()
or setreuid()
, the script will still run as the user who invoked the script. 如果不调用
setuid()
或setreuid()
,脚本仍将以调用脚本的用户身份运行。
Avoid system
and exec
as they drop privileges for security reason. 避免
system
和exec
因为他们出于安全原因删除权限。 You can use kill()
to kill the processes. 您可以使用
kill()
来终止进程。
Check These out. 检查这些。
http://linux.die.net/man/2/setuid http://linux.die.net/man/2/setuid
http://man7.org/linux/man-pages/man2/setreuid.2.html http://man7.org/linux/man-pages/man2/setreuid.2.html
http://man7.org/linux/man-pages/man2/kill.2.html http://man7.org/linux/man-pages/man2/kill.2.html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.