如何设置 SUID 位以授予 root 权限?
[英]How to set the SUID bit to grant root privileges?
问题描述
my question is super beginner, In my C program.
我的问题是超级初学者,在我的 C 程序中。 I want to set the SUID bit (root permission) before creating a raw socket and then I want to switch back to normal permission after I have created it.我想在创建原始套接字之前设置 SUID 位(root 权限),然后我想在创建它之后切换回正常权限。 Before I used to run my code using command sudo./client which gave the whole executable root permissions.在我使用命令sudo./client运行我的代码之前,它赋予了整个可执行的 root 权限。 I want to give root permissions only to the point where I create the socket, so that I can run my code using simply ./client .我只想将 root 权限授予创建套接字的位置,以便我可以简单地使用./client运行我的代码。
EDIT: Realized that I have to set the SUID bit and not the sticky bit for how I want the executable to behave.编辑:意识到我必须为我希望可执行文件的行为设置 SUID 位而不是粘性位。
1 个解决方案
解决方案1
2 已采纳 2020-07-22 04:26:15
The original version of the question was confusing the sticky bit ( S_ISVTX ) with the SUID or set UID bit ( S_ISUID ).问题的原始版本将粘性位( S_ISVTX )与 SUID 或设置 UID 位( S_ISUID )混淆了。 It has since been updated.它已经被更新了。
To make the program run with root privileges while creating the raw socket, you would create your executable by compiling it as normal, and then have root take ownership of the executable ( chown root./client ) and set the permissions ( chmod 4555./client ).要使程序在创建原始套接字时以 root 权限运行,您可以通过正常编译它来创建可执行文件,然后让root获得可执行文件的所有权( chown root./client )并设置权限( chmod 4555./client )。 Note that the permissions are carefully chosen and do not allow either group or others to write to the program (modify the executable).请注意,权限是经过仔细选择的,不允许任何组或其他人写入程序(修改可执行文件)。 The fact that the owner, root , has no write permission does not stop root from writing to the file — though root won't want to change it often.所有者root没有写入权限这一事实并不能阻止root写入文件——尽管root不想经常更改它。 Normally, root would copy the program to some directory where ordinary users cannot make changes.通常, root会将程序复制到普通用户无法更改的某个目录。 That might conceivably be /usr/local/bin , or it might be somewhere else.这可能是/usr/local/bin ,或者它可能在其他地方。
Note that the permissions are set on the executable, not the source code (see the original version of the question), and must be set before the program is run.请注意,权限是在可执行文件上设置的,而不是源代码(请参阅问题的原始版本),并且必须在程序运行之前设置。
Inside the program, after creating the raw socket, you could remove the root privileges, thereby avoiding many security issues in the code after that, by executing: setuid(getuid()) .在程序内部,在创建原始套接字之后,您可以删除root权限,从而避免之后代码中的许多安全问题,方法是执行: setuid(getuid()) 。 This changes the effective UID back to the same as the real UID.这会将有效 UID 更改回与真实 UID 相同的状态。 Note that the POSIX specification for setuid() says:请注意, setuid()的 POSIX 规范说:
If the process has appropriate privileges,
setuid()shall set the real user ID, effective user ID, and the saved set-user-ID of the calling process to uid .setuid()应将调用进程的真实用户 ID、有效用户 ID 和保存的 set-user-ID 设置为uid 。
A program that is SUID to root has 'appropriate privileges'; SUID 到root的程序具有“适当的权限”; there is no going back.没有回头路了。 Using seteuid() (as originally suggested) would not be as safe as using setuid() .使用seteuid() (如最初建议的那样)不如使用setuid()安全。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.