
Linux dropping root permissions - C script

I have the following C script running in Linux (Ubuntu 12.0.4) as a set root UID script (chmod 4755):

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>  /* sleep, fork, close, write, setregid, setreuid */
#include <grp.h>     /* setgroups */

int main(void)
{
    int fd;
    /* Assume that /etc/zzz is an important system file,
     * and it is owned by root with permission 0644.
     * Before running this program, you should create
     * the file /etc/zzz first. */
    fd = open("/etc/zzz", O_RDWR | O_APPEND);
    if (fd == -1) {
        printf("Cannot open /etc/zzz\n");
        exit(0);
    }

    /* Simulate the tasks conducted by the program */
    sleep(1);
    /* After the task, the root privileges are no longer needed,
     * it's time to relinquish the root privileges permanently. */

    setgroups(0, NULL);
    setregid(getgid(), getgid());
    setreuid(getuid(), getuid()); /* getuid() returns the real uid */

    if (setregid(getgid(), getgid()) == 0) {
        printf("Still root GID!\n");
        exit(0);
    }
    if (setreuid(getuid(), getuid()) == 0) {
        printf("Still root UID\n");
        exit(0);
    }

    if (fork()) { /* In the parent process */
        close(fd);
        exit(0);
    } else { /* in the child process */
        /* Now, assume that the child process is compromised,
         * malicious attackers have injected the following
         * statements into this process */

        write(fd, "Malicious Data\n", 15);
        close(fd);
    }
    return 0;
}

As far as I can see, it should be setting the permissions back to the real user (ID 1000) but I am getting the "Still root" errors.

I have tried inserting setuid(1000) and setuid(0) just above the setgroups to remove any saved UID issues, but that just allows it to bypass the if statements, but still allows the "Malicious Data" to be written.

I have also tried closing the file close(fd) before dropping permissions, as I was unsure if you'd be unable to edit permissions whilst a file opened as root was still open. But I was still having the same issue.

Any ideas as to what I am doing wrong here? And why it isn't working?

I assume you run the program with sudo. In that case, getuid will return 0. You'd have to explicitly set the uid to the desired (e.g. 1000) uid.

Also, "Malicious Data\n" will be written because the fd was already opened when the process had elevated permissions, and you can still write there even if your process lost permissions. The process now cannot open the file again.

Everything is according to spec: if you want to disallow the process from writing to the file, make sure to close it before dropping permissions.
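A privilege drop with the checks a setuid program needs, as an added example that is not part of the question or the answer above. setregid() and setreuid() return 0 on success and -1 on error, so a failed drop is detected with `!= 0`; the helper names `drop_privileges` and `privs_dropped` are hypothetical, and the program is assumed to be installed setuid-root and started by an ordinary user.

```c
#define _DEFAULT_SOURCE 1   /* expose setgroups()/setreuid() on glibc */
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 only if every ID equals the target and root cannot be regained. */
int privs_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    /* A saved ID of 0 would let these calls succeed, so success means failure. */
    if (uid != 0 && seteuid(0) == 0) return 0;
    if (gid != 0 && setegid(0) == 0) return 0;
    return 1;
}

/* Permanently switch to uid/gid. Returns 0 on success, -1 on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Clearing supplementary groups needs privilege, so do it first. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    /* Group before user: once the UID is gone the GID can no longer change. */
    if (setregid(gid, gid) != 0) return -1;   /* 0 = success, -1 = error */
    if (setreuid(uid, uid) != 0) return -1;
    return privs_dropped(uid, gid) ? 0 : -1;
}

int main(void)
{
    /* /etc/zzz is the root-owned file from the question. */
    int fd = open("/etc/zzz", O_RDWR | O_APPEND);
    if (fd == -1) { perror("open /etc/zzz"); return 1; }
    /* ... privileged work on fd ... */
    close(fd);   /* an open descriptor keeps its access after the drop */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    /* A child forked from here inherits neither root IDs nor the root-opened fd. */
    return 0;
}
```

Opening the file with O_CLOEXEC additionally keeps the descriptor out of any program the process later exec()s.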
