I'm using the following program, and I've suid-ed it (by running chown root XXX; chmod 4755 XXX as root), but the output is still ruid 1000, euid 1000, suid 1000, shouldn't effect uid be zero here?
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
int main()
{
uid_t ruid, euid, suid;
if (! getresuid (&ruid, &euid, &suid))
printf ("ruid %d, euid %d, suid %d\n", ruid, euid, suid);
else
perror ("getresuid");
return 0;
}
Output of ls -l:
-rwsr-xr-x 1 root root 9.7K May 1 11:36 test*
Please check the mount command output, your file system could be mounted with nosuid option.
From mount man page
nosuid: Do not allow set-user-identifier or set-group-identifier bits
to take effect.
Related
I wrote the following code expecting to spawn a /bin/sh from another user.
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
int main(int argc, char **argv, char **envp)
{
setresgid(getegid(), getegid(), getegid());
setresuid(geteuid(), geteuid(), geteuid());
execve("/bin/sh", argv, envp);
return 0;
}
I then changed the owner to match with my target user and changed permissions (too much, I know)
chown usertarget:globalgroup ./shell
chmod 777 ./shell
chmod +s ./shell
ls -lah shell
Everything is fine according to me. However, It keeps opening a shell as my current user, not the target one.
I already tried to hardcode the userid of my target user and a few other things (setuid function, ...) but nothing seems to work...
Anyone has an idea or anything that could help me investigate this problem ?
EDIT #1
baseuser#machine:/tmp/tata$ ls -lah shell2
-rwsrwsrwx 1 targetuser globalgroup 7.2K Aug 18 18:21 shell2
baseuser#machine:/tmp/tata$ id
uid=1507(baseuser) gid=1314(globalgroup) groups=1314(globalgroup),100(users)
baseuser#machine:/tmp/tata$ ls -lah shell2
-rwsrwsrwx 1 targetuser globalgroup 7.2K Aug 18 18:21 shell2
baseuser#machine:/tmp/tata$ ./shell2
====== WELCOME USER ======
baseuser#machine:/tmp/tata$ id -a
uid=1507(baseuser) gid=1314(globalgroup) groups=1314(globalgroup),100(users)
baseuser#machine:/tmp/tata$
Well in facts, the parition was mounted with nosuid option. This can be checked through mount command
I have a program that gets its own UID, EUID, GID, EGID, and I want to get UID!=EUID and GID!=EGID.
I've tried changing the owner and group of the program file, but I'm always getting the same results.
Here is the c code:
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
int main(int argc, char *argv[])
{
char cad[128];
pid_t pid;
pid = getpid();
char s1[] = "ps -p ";
char s2[] = " -o cmd,pid,ppid,uid,euid,gid,egid,pri,stat";
char spid[42];
sprintf(spid, "%d", (int)pid);
char result[2048];
strcpy(result, s1);
strcat(result, spid);
strcat(result, s2);
sprintf(cad,"Program %s started.\n",argv[0]);
write(1,cad,strlen(cad));
system(result);
read(0,cad,1);
sprintf(cad,"Program %s ended.\n",argv[0]);
write(1,cad,strlen(cad));
exit(0);
}
The commands I've tried are:
$ sudo chown 2000 filename
$ sudo chgrp 2000 filename
$ sudo chmod u+r,g+x filename
And then executing the compiled program. Always getting:
Program ./pgm1_1_1 started.
CMD PID PPID UID EUID GID EGID PRI STAT
./pgm1_1_1 18216 17683 1000 1000 1000 1000 19 S+
You've not set the SUID and SGID bits in the permissions:
sudo chmod ug+s filename
Or, doing the permissions setting all in one, you can use either of these:
sudo chmod 6755 filename # Numeric permissions (octal)
sudo chmod a=rx,u+w,ug+s filename # Symbolic permissions
You should run ls -l filename after you've finished the permissions setting. With the SUID and SGID bits set, you should see something like:
-rwsr-sr-x 1 2000 2000 8712 May 8 00:18 filename
where the two s values are crucial in the permissions. You might have names where I get to see the UID and GID numbers.
I have a program write.c, which creates a new file. I compiled that through root user and set the sticky bit for setuid using chmod u+s write.
Now, if a user2 executes this program. A new file is created with the root as owner, why ? The owner of the file should be user2.
For that, I changed the uid using setuid() and seteuid() to user2. And then created the file. But this also creates the file with root as owner. I want to create the file as user2 as owner.
Post an mcve. What you describe works just fine on my system. This:
#!/bin/sh -e
cat > main.c <<EOF
#define _GNU_SOURCE
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char** argv)
{
int fd;
uid_t ruid,euid,suid;
struct stat sb;
getresuid(&ruid,&euid,&suid);
printf("ruid=%ld euid=%ld suid=%ld\n", (long)ruid,(long)euid,(long)suid);
if(0>(fd = open(argv[1], O_CREAT|O_RDWR, 0660))){
perror(0);
exit(1);
}
fstat(fd,&sb);
printf("owner=%ld\n", (long)sb.st_uid);
close(fd);
seteuid(ruid);
getresuid(&ruid,&euid,&suid);
printf("ruid=%ld euid=%ld suid=%ld\n", (long)ruid,(long)euid,(long)suid);
if(0>(fd = open(argv[2], O_CREAT|O_RDWR, 0660))){
perror(0);
exit(1);
}
fstat(fd,&sb);
printf("owner=%ld\n", (long)sb.st_uid);
close(fd);
}
EOF
gcc main.c
sudo chown root a.out
sudo chmod u+s a.out
rm -f roots mine
./a.out roots mine
gets me:
ruid=1008 euid=0 suid=0
owner=0
ruid=1008 euid=1008 suid=0
owner=1008
i.e., the seteuid call succesfully resets my uid and the second file
is no longer owner by root.
I have the following code:
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
void main(int argc, char* argv[]) {
printf("uid=%u euid=%u\n", getuid(), geteuid());
printf("%d = setuid(euid)\n", setuid(geteuid()));
printf("uid=%u euid=%u\n", getuid(), geteuid());
}
Compiled and run this way:
val#particle:/tmp $ sudo gcc foo.c
val#particle:/tmp $ sudo chown dev-misc:dev-misc a.out
val#particle:/tmp $ sudo chmod u+s a.out
val#particle:/tmp $ ./a.out
uid=1000 euid=1006
0 = setuid(euid)
uid=1000 euid=1006
Why does the uid remain unchanged? And why does setuid report success? (according to the man page, 0 means success)
setuid() sets the effective user ID, not the real process ID. From the manual:
setuid() sets the effective user ID of the calling process. If the
effective UID of the caller is root (more precisely: if the caller
has the CAP_SETUID capability), the real UID and saved set-user-ID
are also set.
To be able to change real user ID, the process must have effective user ID set to 0. Since, it's not the case in your example, it doesn't change. setuid() succeeds because you are just setting it to the same effective user ID the process already has.
This sample suid program
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
void main() {
int ret;
printf("uid=%d, euid=%d\n", getuid(), geteuid());
ret = setuid(1000);
printf("uid=%d, euid=%d\n", getuid(), geteuid());
}
has 'noemi' (id=1001) as owner:
sarah-$ logname
sarah
sarah-$ ls -l p.bin
-rwsr-xr-x 1 noemi noemi 7028 17 dic 10.30 p.bin
If started from user 'sarah' (id=1000) euid changes to 1000
Why? p.bin changes only uid (this should have no effect, since uid was 1000 when p.bin was started by 'sarah'):
sarah-$ ./p.bin
uid=1000, euid=1001
uid=1000, euid=1000
sarah-$
I am using Debian 6 64 bit.
Please help me understand.
Thank you
Check man 2 setuid:
setuid() sets the effective user ID of the calling process. If the effective UID of the caller
is root, the real UID and saved set-user-ID are also set.
So, as you already have observed, when you are executing setuid() as regular user it will only change the effective user id.