
Setting up SUID in C is not enough

For pedagogical purposes, I want to set up a basic command injection in C. I have the following code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char **argv) {
    char cat[] = "cat ";
    char *command;
    size_t commandLength;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 1;
    }

    /* Build "cat <argv[1]>" and hand the string to the shell unchanged:
     * this is the command injection the question sets up on purpose. */
    commandLength = strlen(cat) + strlen(argv[1]) + 1;
    command = malloc(commandLength);
    if (command == NULL)
        return 1;

    strncpy(command, cat, commandLength);
    strncat(command, argv[1], commandLength - strlen(cat));

    system(command);
    free(command);
    return 0;
}

I compile it, set the binary as owned by root and set the SUID bit, as follows:

gcc injectionos.c -o injectionos
sudo chown root:root injectionos
sudo chmod +s injectionos

I obtain the following result:

ls -la
total 40
drwxr-xr-x 2 olive olive  4096 Jan  6 13:17 .
drwxr-xr-x 3 olive olive  4096 Jan  6 12:15 ..
-rwsr-sr-x 1 root  root  16824 Jan  6 13:17 injectionos
-rw-r--r-- 1 olive olive   415 Jan  6 13:17 injectionos.c
-rwx------ 1 root  root      9 Jan  6 12:43 titi.txt
-rw-r--r-- 1 olive olive     9 Jan  6 12:16 toto.txt

So, basically, with the SUID bit set, I should be able to open both the toto.txt and titi.txt files by performing the following injection:

./injectionos "toto.txt;cat titi.txt"

But executing this command, I got a permission denied when accessing titi.txt. Finally, when I add a setuid(geteuid()); in my code, the injection is working and I can access the titi.txt file.

Given that injectionos is run as root and titi.txt belongs to root, I supposed that it was enough, but apparently not. What am I missing here?

The privileges are being dropped by /bin/sh executed as part of the system() call. See the man page for bash and the -p option:

If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p option is not supplied, no startup files are read, shell functions are not inherited from the environment, the SHELLOPTS, BASHOPTS, CDPATH, and GLOBIGNORE variables, if they appear in the environment, are ignored, and the effective user id is set to the real user id. If the -p option is supplied at invocation, the startup behavior is the same, but the effective user id is not reset.

Well, technically Debian uses dash by default, but it does the same thing.

So the default behavior of the shell has been adjusted to mitigate this injection at least somewhat.因此,shell 的默认行为已进行了调整,以至少在一定程度上减轻这种注入。
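The shell's euid reset only mitigates the injection by accident; the fix a reviewer would ask for is to stop passing user input through a shell at all. The following is an added example (not code from the question or the answer) that runs /bin/cat directly with the file name as one argv element, so ";cat titi.txt" is treated as part of a file name rather than as a second command; the helper names and the metacharacter list are the example's own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Run "cat <path>" without involving a shell. The path is handed to the
 * child as a single argv element, so characters such as ';' or '|' are
 * never interpreted; the exit status of cat is returned (-1 on failure). */
int run_cat_no_shell(const char *path) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const args[] = {"cat", (char *)path, NULL};
        /* Absolute path on purpose: PATH is attacker-controlled when the
         * binary is SUID, so "cat" must not be looked up through it. */
        execv("/bin/cat", args);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Detection helper: 1 if the argument contains characters that the original
 * system()-based program would have let /bin/sh interpret, else 0.
 * (Example list, chosen here; not from the original post.) */
int has_shell_metachars(const char *s) {
    return strpbrk(s, ";|&`$()<>\n\"'\\ *?[]{}~!") != NULL;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 1;
    }
    if (has_shell_metachars(argv[1]))
        fprintf(stderr, "note: argument would have been shell-interpreted by system()\n");
    /* "toto.txt;cat titi.txt" now yields cat's own error for a file of that
     * literal name instead of reading titi.txt as a second command. */
    return run_cat_no_shell(argv[1]);
}
```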
