Linux SUID提权失败？

dxcheng

最近读到《The Shellcoder's Handbook》一书的"Using an Exploit to Get Root Privileges"这一部分使用SUID获取Root权限。但是我这边试了一下却还是没有得到Root权限，请大神们指教，谢谢！

1. // shell.c
   
2. int main(){
   
3.         char *name[2];
   
4.         name[0] = “/bin/sh”;
   
5.         name[1] = 0x0;
   
6.         execve(name[0], name, 0x0);
   
7.         exit(0);
   
8. }

复制代码

If we compile this code and run it, we can see that it will spawn a shell for us.
[jack@0day local]$ gcc shell.c -o shell
[jack@0day local]$ sudo chown root shell
[jack@0day local]$ sudo chmod +s shell
[jack@0day local]$ ./shell
sh-2.05b#

我这边的结果还是普通用户的权限：
$./shell
sh-4.1$

系统环境如下：
$uname -a
Linux centos_12 2.6.32-279.el6.i686 #1 SMP Fri Jun 22 10:59:55 UTC 2012 i686 i686 i386 GNU/Linux

yjh777

http://unix.stackexchange.com/qu ... e-no-effect-on-bash

If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p option is not supplied, no startup files are read, shell functions are not inherited from the environment, the SHELLOPTS, BASHOPTS, CDPATH, and GLOBIGNORE variables, if they appear in the environment, are ignored, and the effective user id is set to the real user id. If the -p option is supplied at invocation, the startup behavior is the same, but the effective user id is not reset.

yjh777

1. cat shell.c
   
2. #include <stdio.h>
   
3. #include <stdlib.h>
   
4. #include <unistd.h>
   
5. #include <sys/types.h>
   
6. 
   
7. // shell.c
   
8. int main(){
   
9.         char *name[2];
   
10.         name[0] = "/usr/bin/id";
    
11.         name[1] = 0x0;
    
12.         printf("%d %d\n", getuid(), geteuid());
    
13.         execve(name[0], name, 0x0);
    
14.         exit(0);
    
15. }
    
16. $ ./shell
    
17. 1000 0
    
18. uid=1000(yjh) gid=1000(yjh) euid=0(root) groups=1000(yjh),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

复制代码

看结果只是euid变了。

yjh777

more clear info:

First and foremost, setuid bit simply allows a script to set the uid. The script still needs to call setuid() or setreuid() to run in the the real uid or effective uid respectively. Without calling setuid() or setreuid(), the script will still run as the user who invoked the script.

dxcheng

回复 4# yjh777


You are right, thanks a lot.

Seems to be due to the security reason, the system and exec drop this privileges.
I add a invoking setuid(0) before the execve, and then I get the expected result.