This is a set-root-uid program:
$ ls -l
-rwsr-sr-x 1 root root 7406 2011-12-13 22:37 ./x*
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

int main(void) {
    /* Started via the set-root-uid binary: real uid 1000, effective uid 0 */
    printf(
        "          UID           GID \n"
        "Real      %d  Real      %d \n"
        "Effective %d  Effective %d \n",
        getuid(), getgid(),
        geteuid(), getegid()
    );
    seteuid(600);   /* change only the effective uid */
    printf(
        "          UID           GID \n"
        "Real      %d  Real      %d \n"
        "Effective %d  Effective %d \n",
        getuid(), getgid(),
        geteuid(), getegid()
    );
    setuid(1000);   /* called with euid 600, i.e. not as root */
    printf(
        "          UID           GID \n"
        "Real      %d  Real      %d \n"
        "Effective %d  Effective %d \n",
        getuid(), getgid(),
        geteuid(), getegid()
    );
    setuid(0);      // HOW DOES THIS SUCCEED IN SETTING THE EUID BACK TO 0
    printf(
        "          UID           GID \n"
        "Real      %d  Real      %d \n"
        "Effective %d  Effective %d \n",
        getuid(), getgid(),
        geteuid(), getegid()
    );
    return 0;
}
UID GID
Real 1000 Real 1000
Effective 0 Effective 0
UID GID
Real 1000 Real 1000
Effective 600 Effective 0
UID GID
Real 1000 Real 1000
Effective 1000 Effective 1000
UID GID
Real 1000 Real 1000
Effective 0 Effective 1000
The man page states that setuid changes the real, saved and effective uid. So after the call to setuid(1000), all three become 1000. How does setuid(0) let me change the euid back to 0?
Best answer
There are two cases:
- You want to temporarily drop root privilege while executing a setuid program
- You want to permanently drop root privilege while executing a setuid program...
Case 1:
After the setuid program starts executing,
1. seteuid(600);
2. setuid(1000);
3. setuid(0);
In this case, root privilege can be regained.
   +------+------+-----------+
   | uid  | euid | saved-uid |
   |------|------|-----------|
1. | 1000 | 0    | 0         |
2. | 1000 | 600  | 0         |
3. | 1000 | 1000 | 0         |
4. | 1000 | 0    | 0         |
   +------------------------+
Case 2:
After the setuid program starts executing,
1. setuid(1000);
2. setuid(0);
   +------+------+-----------+
   | uid  | euid | saved-uid |
   |------|------|-----------|
1. | 1000 | 0    | 0         |
2. | 1000 | 1000 | 1000      |
   +------------------------+
In this case, you cannot get root privilege back. This can be verified with the following command:
cat /proc/PROCID/task/PROCID/status | less
Uid: 1000 0 0 0
Gid: 1000 0 0 0
This command shows a Uid line and a Gid line, each with 4 fields (the first three are the ones we care about), something like the above. The three fields are the uid, euid and saved-user-id respectively. You can introduce pauses in the setuid program (waiting for input from the user) and inspect each step with the cat /proc/PROCID/task/PROCID/status | less command. At each step you can check whether the saved uid changed as described above.
If your euid is root and you change the uid, the privilege is dropped permanently. If the effective user id is not root, the saved user id is never touched, and you can regain root privilege at any time you want in your program.
https://stackoverflow.com/questions/8499296/
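The rule behind the answer's two tables, written out as a small model of Linux's setuid()/seteuid() credential handling (added example, not code from the question or the answer). It assumes the Linux rule that a caller whose euid is not 0 may only set euid, and only to the current real or saved uid, while a caller with euid 0 sets all three ids; replaying the two cases with these models reproduces the tables, including why setuid(0) fails in case 2.

```c
#include <errno.h>
#include <sys/types.h>

/* Process credentials the kernel tracks (fsuid omitted). */
struct creds { uid_t ruid, euid, suid; };

/* Model of Linux setuid(): a caller with euid 0 sets all three ids;
 * any other caller may only set euid, and only to the real or saved
 * uid. Returns 0 on success, -1 with errno = EPERM otherwise. */
int model_setuid(struct creds *c, uid_t uid) {
    if (c->euid == 0) {
        c->ruid = c->euid = c->suid = uid;  /* privilege dropped for good */
        return 0;
    }
    if (uid != c->ruid && uid != c->suid) { errno = EPERM; return -1; }
    c->euid = uid;                           /* saved uid is untouched */
    return 0;
}

/* Model of seteuid(): same permission rule, but only euid ever changes,
 * so the saved uid (and with it the way back to root) is kept. */
int model_seteuid(struct creds *c, uid_t uid) {
    if (c->euid != 0 && uid != c->ruid && uid != c->suid) {
        errno = EPERM;
        return -1;
    }
    c->euid = uid;
    return 0;
}

/* Case 1 from the answer: the binary starts as (ruid, euid, suid) = (1000, 0, 0). */
struct creds replay_case_one(void) {
    struct creds c = { 1000, 0, 0 };
    model_seteuid(&c, 600);  /* (1000, 600, 0) */
    model_setuid(&c, 1000);  /* euid 600 is not root: (1000, 1000, 0) */
    model_setuid(&c, 0);     /* 0 equals the saved uid: (1000, 0, 0) */
    return c;
}

/* Case 2 from the answer: dropping with euid 0 changes the saved uid too. */
struct creds replay_case_two(void) {
    struct creds c = { 1000, 0, 0 };
    model_setuid(&c, 1000);  /* euid is root: (1000, 1000, 1000) */
    model_setuid(&c, 0);     /* EPERM: 0 is neither the real nor the saved uid */
    return c;
}
```

On a real process the same three values are what getresuid(2) returns and what the first three fields of the Uid: line in /proc/PID/status show, so a permanent drop can be verified by checking that all three equal the target uid.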