Active Topics

 


Reply
Thread Tools
Posts: 93 | Thanked: 283 times | Joined on Jul 2016
#1
Take the simplest program which executes command as root:
Code:
/dev/shm/suid # cat setuid.c 
#include <stdio.h>
#include <stdlib.h>
main(int argc, char *argv[]) {
  setuid(0);
  system(argv[1]);
}
Compile it and set setuid bit:
Code:
/dev/shm/suid # gcc setuid.c -o /usr/bin/setuid
/dev/shm/suid # chown root:root /usr/bin/setuid 
/dev/shm/suid # chmod 4755 /usr/bin/setuid 
/dev/shm/suid # ls -l /usr/bin|grep rws
-rwsr-xr-x    1 root     root          5480 Mar 27 19:51 setuid
-rwsr-xr-x    2 root     root         94144 Mar 12  2012 sudo
-rwsr-xr-x    2 root     root         94144 Mar 12  2012 sudoedit
See that it does not work:
Code:
/dev/shm/suid # whoami
root
/dev/shm/suid # setuid whoami
root
/dev/shm/suid # su user

BusyBox v1.20.0.git (MeeGo 3:1.20-0.2+0m8) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ $ whoami
user
~ $ setuid whoami
user
There is no "nosuid" option for /usr/bin mount point and "sudo" suid binary works:
Code:
~ $ mount|grep nosuid | grep usr
~ $ sudo whoami
Password:
root
What am I doing wrong? How to create a suid binary?
 

The Following User Says Thank You to meego_leenooks1 For This Useful Post:
Posts: 1,067 | Thanked: 2,383 times | Joined on Jan 2012 @ Finland
#2
You need to give right capas to the binary, for example with refhashlist or putting binary inside installable deb package with the capas.
__________________
IRC: jonni@freenode
Sailfish: ¤ Qt5 SailfishTouchExample ¤ Qt5 MultiPointTouchArea Example ¤ ipaddress ¤ stoken ¤ Sailbox (Dropbox client) ¤
Harmattan: ¤ Presence VNC for Harmattan ¤ Live-F1 ¤ BTinput-terminal ¤ BabyLock ¤ BabyLock Trial ¤ QML TextTV ¤
Disclaimer: all my posts in this forum are personal trolling and I never post in any official capacity on behalf of any company.
 

The Following 2 Users Say Thank You to rainisto For This Useful Post:
Posts: 93 | Thanked: 283 times | Joined on Jul 2016
#3
Please give the link to manual about refhashlist or how to build deb package with setuid capability.
 

The Following User Says Thank You to meego_leenooks1 For This Useful Post:
Posts: 1,067 | Thanked: 2,383 times | Joined on Jan 2012 @ Finland
#4
Originally Posted by meego_leenooks1 View Post
Please give the link to manual about refhashlist or how to build deb package with setuid capability.
Here is small example of diff how to turn develsh to opensh
http://maemo.cloud-7.de/HARM/N9/open...h/develsh.diff

main() basicly just calls setuid and setgid before opening shell. You only need the right .aegis file to gain the capas.

With opensh you can test your selfbuild binary with:
opensh -c 'aegis-exec -c -a CAP::setuid /usr/bin/setuid'

For refhashlist you just use google
__________________
IRC: jonni@freenode
Sailfish: ¤ Qt5 SailfishTouchExample ¤ Qt5 MultiPointTouchArea Example ¤ ipaddress ¤ stoken ¤ Sailbox (Dropbox client) ¤
Harmattan: ¤ Presence VNC for Harmattan ¤ Live-F1 ¤ BTinput-terminal ¤ BabyLock ¤ BabyLock Trial ¤ QML TextTV ¤
Disclaimer: all my posts in this forum are personal trolling and I never post in any official capacity on behalf of any company.
 

The Following 3 Users Say Thank You to rainisto For This Useful Post:
Posts: 1,293 | Thanked: 4,319 times | Joined on Oct 2014
#5
Excellent example on the Power of aegis (I hate it lol)
 

The Following User Says Thank You to nieldk For This Useful Post:
Posts: 1,067 | Thanked: 2,383 times | Joined on Jan 2012 @ Finland
#6
For longer manual http://mirror.thecust.net/meego_1.2_..._security.html
__________________
IRC: jonni@freenode
Sailfish: ¤ Qt5 SailfishTouchExample ¤ Qt5 MultiPointTouchArea Example ¤ ipaddress ¤ stoken ¤ Sailbox (Dropbox client) ¤
Harmattan: ¤ Presence VNC for Harmattan ¤ Live-F1 ¤ BTinput-terminal ¤ BabyLock ¤ BabyLock Trial ¤ QML TextTV ¤
Disclaimer: all my posts in this forum are personal trolling and I never post in any official capacity on behalf of any company.
 

The Following User Says Thank You to rainisto For This Useful Post:
Reply


 
Forum Jump


All times are GMT. The time now is 17:55.