stackoom
  简体   繁体   中英

Can't drop privileges with suid binary?

 原文  2018-11-06 20:43:03       linux/ suid

Question

I was wondering if there is a way to drop privileges using a suid binary (using Ubuntu 18.04). Look: 

# cp /bin/bash .
# chown www-data bash
# chmod 4700 bash
# ls -lh
-rws------ 1 www-data root 1,1M abr  4  2018 bash
# ./bash
# id
uid=0(root) gid=0(root) groups=0(root)

Is there an explanation of why one can gain privileges but not drop them with suid binaries?

You may be wondering what I'm trying to accomplish, but it's only to learn.

Thanks!

2 answers

solution1
 1 ACCPTED  2018-11-06 21:03:24

This works in the general case: 

# cp /usr/bin/id .
# chown www-data id
# chmod 4700 id
# ./id
uid=0(root) gid=0(root) euid=33(www-data) groups=0(root)

bash is a special case. From the "INVOCATION" section of bash manual, with added emphasis on the relevant portion:

If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p option is not supplied, no startup files are read, shell functions are not inherited from the environment, the SHELLOPTS , BASHOPTS , CDPATH , and GLOBIGNORE variables, if they appear in the environment, are ignored, and the effective user id is set to the real user id . If the -p option is supplied at invocation, the startup behavior is the same, but the effective user id is not reset.

Passing the -p (privileged) flag will indeed suppress this behavior: 

# cp /bin/bash .
# chown www-data bash
# chmod 4700 bash
# ./bash -p
bash-4.4$ id
uid=0(root) gid=0(root) euid=33(www-data) groups=0(root)

solution2
 0  2018-11-06 21:05:42

As far as set-uid is concerned, there's no hierarchy of privileges -- it simply changes the effective userid to that of the program's owner. Root isn't treated any differently from any other user.

What you're seeing is a deliberate action by bash . There are many security implications to running shell scripts setuid, and bash doesn't allow it by default. When bash starts up, it checks whether the effective UID is the same as the real UID. If not, it means that it's running set-uid. Unless it's being run in one of the ways where this is allowed, it calls a function like setuid() to change back to the real UID.

That's what happened here. root ran bash , and the OS changed the effective UID to www-data . bash detected this and changed back to root .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question suid binary privilege escalation How to set the SUID bit to grant root privileges? How can I drop privileges in Perl? SUID doesn't work in Bash [Linux Difference between SUID and cap_setuid of binary] How to escalate privilege through base64 binary when it is SUID Can dmidecode command be invoked successfully by SUID program in Linux? If a process started from a setuid binary forks, and the child drops privileges, can the child still be trusted? Building electron linux distro : The SUID sandbox helper binary was found, but is not configured correctly How to drop root privileges on linux in C?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM