ansaurus

Question

Unix suid bit problem

Answer 1

+1 A:

Try running chmod as the root user.

I've been bit by this in the past:(

chollida 2010-01-04 23:52:02

Yes, I am running the chmod as root.

Infinity 2010-01-04 23:52:46

Answer 2

+2 A:

Well, you don't say what 'filename' is. You can only suid on an executable. Particularly you can't set it on a shell script - it has to be a real machine code executable. And in modern UNIXes, like some horrible Linux distros, you might not be able to set it at all without jumping through more hoops than you might like.

anon 2010-01-04 23:53:29

So, first of all, my Unix distribution is a Mac OS X 10.5.8. And my filename is a.out, since I have compiled it from ic.c with the command:gcc ic.c

Infinity 2010-01-04 23:55:11

Sorry Mac OS != UNIX in my book. Any help I could give you ends here.

anon 2010-01-04 23:57:20

Sorry... I read somewhere that mac os x is built on unix.

Infinity 2010-01-04 23:59:29

@Infinity Just realised that sounded a bit rude - not intentional, it's just that Mac OS is a long, long way away from UNIX, and I know zip about it.

anon 2010-01-05 00:04:33

But most of the unix commands work in Mac OS X, that's why I thought that is true that Mac OS X is built on Unix.

Infinity 2010-01-05 00:07:36

@Infinity Most of the UNIX commands work just fine on Windows too - they are just simple programs that you are I could write. But interacting with the authentication and permission systems, which is what setting the suid bit has to do, will typically involve stuff particular to your specific OS. And like I said, I know nothing about Mac OS.

anon 2010-01-05 00:12:58

Mac OS is basically FreeBSD at this level... and it actually IS a real Unix, unlike Linux. But yes, it is pretty unusual in some ways, especially the linker. In any case, it's very faithfully POSIX so far as basic security semantics is concerned.

Andrew McGregor 2010-01-05 00:51:14

As someone who just had to use the terminal window to `ps` for a stalled process (Yahoo Messenger) and use the `kill` command on it ... I can confirm that MacOS X is UNIX. It puts some stuff in some pretty odd places in the filesystem. But it's UNIX nonetheless.

Jim Dennis 2010-01-05 01:28:04

Mac OS is not UNIX and is a totally different OS. Mac OS X, on the other hand, is UNIX.

el.pescado 2010-01-05 10:02:16

Answer 3

A:

It's not clear from your question exactly what "filename" is referring to -- the executable, or the directory you want to create files in? To do what you want, you need to use the chmod +s command on the executable, so it will run with root privileges. chmod +s on the target directory won't do anything to open up the file creation privileges to non-root users.

The whole concept strikes me as a bit of a security risk, though -- wouldn't it be better for root to create a directory somewhere just for this application, then chmod it 775 or 777 to grant write permission to "group" or "world" respectively?

Edit: I see that you're indeed trying to chmod the executable, and that you're running the chmod command as root. But does root own the executable? You might need a "chown" command (as root) in addition to the chmod +s command, to ensure that it runs setuid root instead of setuid whoever-built-the-executable.

Jim Lewis 2010-01-05 00:01:11

So I have set the +s bit on my executable file. Also used the setuid(0) command in the source code. And is working as I want. Btw I am trying to reproduce a security hole, because I need to present it to somebody. Thanks again!

Infinity 2010-01-05 00:05:59

Yes, the root user owns the executable.

Infinity 2010-01-05 00:06:41

Answer 4

+3 A:

I think you also will need to setuid(0); in your program to become root. Only setting the s-bit is not sufficient.

I agree with all others, that doing all these things is very risky...

Edit

Jonathan Leffler is right in the comments. setuid(0); should probably not be necessary in this case. The necessary steps for ie creating a file under /etc

create_file_under_etc.c

#include <stdio.h>
int main() {
  FILE *fp = fopen("/etc/so-su-test.txt", "wt");
  if (fp) {
    fprintf(fp, "I'll be back\n");
    fclose(fp);
    printf("File created.\n");
  } else {
    printf("File not created.\n");
  }
  return 0;
}

...and to test and compile

cc create_file_under_etc.c
sudo chmod +s a.out
sudo chown root:staff a.out
./a.out

...you better clean up also

sudo rm a.out
sudo rm /etc/so-su-test.txt

epatel 2010-01-05 00:01:18

Thanks a lot. It really works with setuid(0); :)

Infinity 2010-01-05 00:03:29

Yes, it is risky, I know this, but I want this, because I need to present this security hole for somebody.

Infinity 2010-01-05 00:08:39

Using setuid(0) is sometimes necessary - but probably not in this case. The key thing is setting the SUID bit on the executable. The setuid(0); call sets both the real and effective (and saved) UID to 0, root. There's not much trace of the user that started the process left. It is dangerous to do that.

Jonathan Leffler 2010-01-05 01:36:15

Answer 5

A:

You used the command

chmod +s filename

The syntax you used to issue that command is incorrect. The correct syntax would be

chmod [ugoa]+s filename

where you can use any combination of the letters u, g, o, and a.

Unix, as you already know, stores information about permissions for each folder/file. There are permissions for read, write, execute, sticky, and more attached to each file. For a single file, there is a different set of permissions for the owner, group, and everyone else. So, while the owner of a file may be able to read, write, and execute a file, all other users in the owner's group might be able to only read that file, and everyone else might not be able to access that file at all.

When issuing the chmod command, you need to specify which set of users you are changing the permissions for. Do this by using a combination of the letters u, g, o, and a. 'u' changes permissions for the owner of the file, 'g' for all users in the owner's group, 'o' for all other users outside the owner's group, and 'a' for all three sets of users.

Examples:

chmod ga-r confidential.txt will make it so that only the owner of the file will be able to read 'confidential.txt'. All other users, including users in the owners group, will not be able to read 'confidential.txt'

chmod ga-rwx really_confidential.txt will make it so that anyone, other than the owner of that file, will not be able to read, write, or execute 'really_confidential.txt'. Put another way, you are removing the ability to read, write, or execute 'really_confidential.txt' from all users except owner.

chmod u+s filename adds the sticky bit to 'filename', only for the owner of that file.

EDIT: Oh yeah, and since the file is owned by root, make sure to preface the command you issue with a 'sudo'. But it looks like you already know that.

Ichimonji10 2010-01-05 01:02:59

Actually, the `[ugoa]` (aka who) part is optional for chmod. Not given will set/reset all possible bits for the +/- permission.

epatel 2010-01-05 01:09:34

Well. Shows how much I know.Thanks.

Ichimonji10 2010-01-05 01:37:04

I am not at home at the moment, but when I get home I'll try it. It is interesting what did you write.

Infinity 2010-01-05 07:54:01

Hah, thanks. Hope it works for you.

Ichimonji10 2010-01-05 15:51:23

ansaurus

tags:

views:

answers:

Unix suid bit problem

create_file_under_etc.c

related questions