RealUID, Saved UID, Effective UID. What's going on?
Question
This is a set-root-uid program
$ ls -l
-rwsr-sr-x 1 root root 7406 2011-12-13 22:37 ./x*
Source code:
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

int main(void) {
    /* Initial state: real ids come from the invoking user, effective ids from the binary's owner (root). */
    printf(
        " UID GID \n"
        "Real %d Real %d \n"
        "Effective %d Effective %d \n",
        getuid (), getgid (),
        geteuid(), getegid()
    );
    seteuid(600);   /* changes only the effective uid */
    printf(
        " UID GID \n"
        "Real %d Real %d \n"
        "Effective %d Effective %d \n",
        getuid (), getgid (),
        geteuid(), getegid()
    );
    setuid(1000);   /* called while euid is 600, i.e. as an unprivileged process */
    printf(
        " UID GID \n"
        "Real %d Real %d \n"
        "Effective %d Effective %d \n",
        getuid (), getgid (),
        geteuid(), getegid()
    );
    setuid(0); // HOW DOES THIS SUCCEED IN SETTING THE EUID BACK TO 0
    printf(
        " UID GID \n"
        "Real %d Real %d \n"
        "Effective %d Effective %d \n",
        getuid (), getgid (),
        geteuid(), getegid()
    );
    return 0;
}
Output
UID GID
Real 1000 Real 1000
Effective 0 Effective 0
UID GID
Real 1000 Real 1000
Effective 600 Effective 0
UID GID
Real 1000 Real 1000
Effective 1000 Effective 1000
UID GID
Real 1000 Real 1000
Effective 0 Effective 1000
My question
The man page states that setuid will change the real, saved and effective uid. So after calling setuid(1000), all three change to 1000. How is it that setuid(0) lets me change euid to 0?
Recommended answer
There are two cases,
- You want to temporarily drop root privileges while executing a setuid program
- You want to permanently drop root privileges while executing a setuid program...
- You can do this temporarily by setting the euid to the real user id and then changing the uid to whatever you want. Later, when you need root privileges back, you can setuid to root and the effective userid will change back to root. This is because the saved user id is not changed.
- You can permanently drop privileges by immediately changing the uid to a less privileged user id. After that you cannot get root privileges back by any means.
Case 1:
After the setuid program starts executing
1. seteuid(600);
2. setuid(1000);
3. setuid(0);
For this case the root privilege can be gained back again.
+------+------+------+-----------+
| step | uid  | euid | saved-uid |
+------+------+------+-----------+
|  1   | 1000 |    0 |         0 |
|  2   | 1000 |  600 |         0 |
|  3   | 1000 | 1000 |         0 |
|  4   | 1000 |    0 |         0 |
+------+------+------+-----------+
Case 2:
After the setuid program starts executing,
1. setuid(1000);
2. setuid(0);
+------+------+------+-----------+
| step | uid  | euid | saved-uid |
+------+------+------+-----------+
|  1   | 1000 |    0 |         0 |
|  2   | 1000 | 1000 |      1000 |
+------+------+------+-----------+
In this case you cannot get back the root privilege. This can be verified by the following command,
cat /proc/PROCID/task/PROCID/status | less
Uid: 1000 0 0 0
Gid: 1000 0 0 0
This command will display a Uid and a Gid line, each with 4 fields (the first three fields are the ones we are concerned with), something like the above.
The three fields represent uid, euid and saved-user-id. You can introduce a pause (an input from the user) in your setuid program and run the cat /proc/PROCID/task/PROCID/status | less command at each step. At each step you can check the saved uid getting changed as mentioned.
If your euid is root and you change the uid, the privilege is dropped permanently. If the effective user id is not root, the saved user id is never touched and you can regain root privilege any time you want in your program.
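The two cases above, replayed against a small model of the Linux setuid()/seteuid() rules on the (real, effective, saved) uid triple. This is an added example, not code from the question or the answer; it assumes the plain euid == 0 privilege test and ignores CAP_SETUID, and the creds_t type, model_setuid, model_seteuid and root_recoverable are names invented here.

```c
/* Added example (not part of the original question or answer): a model of the
 * Linux setuid()/seteuid() rules on the (real, effective, saved) uid triple.
 * CAP_SETUID is ignored: "privileged" here simply means euid == 0. */
#include <stdio.h>
typedef struct { int ruid, euid, suid; } creds_t;
/* An unprivileged caller may only pick a uid already present in the triple. */
static int in_triple(creds_t c, int uid) {
    return uid == c.ruid || uid == c.euid || uid == c.suid;
}
/* setuid(): as root it rewrites all three ids, which is what makes a drop
 * permanent; an unprivileged caller can change only the effective uid. */
static int model_setuid(creds_t *c, int uid) {
    if (c->euid == 0) { c->ruid = c->euid = c->suid = uid; return 0; }
    if (!in_triple(*c, uid)) return -1;           /* EPERM */
    c->euid = uid;
    return 0;
}

/* seteuid(): never touches the real or saved uid, so root stays recoverable. */
static int model_seteuid(creds_t *c, int uid) {
    if (c->euid != 0 && !in_triple(*c, uid)) return -1;
    c->euid = uid;
    return 0;
}
/* Root is gone for good only when no slot of the triple still holds 0. */
int root_recoverable(creds_t c) { return in_triple(c, 0); }

/* Case 1 from the answer: seteuid(600); setuid(1000); setuid(0). */
creds_t run_case1(void) {
    creds_t c = {1000, 0, 0};       /* set-root-uid binary started by uid 1000 */
    model_seteuid(&c, 600);
    model_setuid(&c, 1000);         /* euid is 600, so only euid changes */
    model_setuid(&c, 0);            /* 0 is still the saved uid: allowed */
    return c;
}

/* Case 2 from the answer: setuid(1000) while still root, then setuid(0). */
creds_t run_case2(void) {
    creds_t c = {1000, 0, 0};
    model_setuid(&c, 1000);         /* root caller: all three become 1000 */
    model_setuid(&c, 0);            /* 0 is no longer in the triple: EPERM */
    return c;
}

int main(void) {
    creds_t a = run_case1(), b = run_case2();
    printf("case 1: uid %d euid %d saved %d\n", a.ruid, a.euid, a.suid);
    printf("case 2: uid %d euid %d saved %d\n", b.ruid, b.euid, b.suid);
    return 0;
}
```

Case 1 ends with euid 0 and saved uid 0, matching the first table; case 2 ends with all three at 1000, so the second setuid(0) is refused, matching the second table.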