Linux SUID提權(quán)失�。�

dxcheng

最近讀到《The Shellcoder's Handbook》一書的"Using an Exploit to Get Root Privileges"這一部分使用SUID獲取Root權(quán)限。但是我這邊試了一下卻還是沒有得到Root權(quán)限，請(qǐng)大神們指教，謝謝！

1. // shell.c
   
2. int main(){
   
3.         char *name[2];
   
4.         name[0] = “/bin/sh”;
   
5.         name[1] = 0x0;
   
6.         execve(name[0], name, 0x0);
   
7.         exit(0);
   
8. }

復(fù)制代碼

If we compile this code and run it, we can see that it will spawn a shell for us.
[jack@0day local]$ gcc shell.c -o shell
[jack@0day local]$ sudo chown root shell
[jack@0day local]$ sudo chmod +s shell
[jack@0day local]$ ./shell
sh-2.05b#

我這邊的結(jié)果還是普通用戶的權(quán)限：
$./shell
sh-4.1$

系統(tǒng)環(huán)境如下：
$uname -a
Linux centos_12 2.6.32-279.el6.i686 #1 SMP Fri Jun 22 10:59:55 UTC 2012 i686 i686 i386 GNU/Linux

yjh777

http://unix.stackexchange.com/qu ... e-no-effect-on-bash

If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p option is not supplied, no startup files are read, shell functions are not inherited from the environment, the SHELLOPTS, BASHOPTS, CDPATH, and GLOBIGNORE variables, if they appear in the environment, are ignored, and the effective user id is set to the real user id. If the -p option is supplied at invocation, the startup behavior is the same, but the effective user id is not reset.

yjh777

1. cat shell.c
   
2. #include <stdio.h>
   
3. #include <stdlib.h>
   
4. #include <unistd.h>
   
5. #include <sys/types.h>
   
6. 
   
7. // shell.c
   
8. int main(){
   
9.         char *name[2];
   
10.         name[0] = "/usr/bin/id";
    
11.         name[1] = 0x0;
    
12.         printf("%d %d\n", getuid(), geteuid());
    
13.         execve(name[0], name, 0x0);
    
14.         exit(0);
    
15. }
    
16. $ ./shell
    
17. 1000 0
    
18. uid=1000(yjh) gid=1000(yjh) euid=0(root) groups=1000(yjh),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

復(fù)制代碼

看結(jié)果只是euid變了。

yjh777

more clear info:

First and foremost, setuid bit simply allows a script to set the uid. The script still needs to call setuid() or setreuid() to run in the the real uid or effective uid respectively. Without calling setuid() or setreuid(), the script will still run as the user who invoked the script.

dxcheng

回復(fù) 4# yjh777


You are right, thanks a lot.

Seems to be due to the security reason, the system and exec drop this privileges.
I add a invoking setuid(0) before the execve, and then I get the expected result.