setuid on an executable doesn't seem to work


Problem description

I wrote a small C utility called killSPR to kill the following processes on my RHEL box. The idea is for anyone who logs into this Linux box to be able to use this utility to kill the below mentioned processes (which doesn't work - explained below).

cadmn@rhel /tmp > ps -eaf | grep -v grep | grep " SPR "  
cadmn    5822  5821 99 17:19 ?        00:33:13 SPR 4 cadmn  
cadmn   10466 10465 99 17:25 ?        00:26:34 SPR 4 cadmn  
cadmn   13431 13430 99 17:32 ?        00:19:55 SPR 4 cadmn  
cadmn   17320 17319 99 17:39 ?        00:13:04 SPR 4 cadmn  
cadmn   20589 20588 99 16:50 ?        01:01:30 SPR 4 cadmn  
cadmn   22084 22083 99 17:45 ?        00:06:34 SPR 4 cadmn  
cadmn@rhel /tmp >  

This utility is owned by the user cadmn (under which these processes run) and has the setuid flag set on it (shown below).

cadmn@rhel /tmp > ls -l killSPR  
-rwsr-xr-x 1 cadmn cusers 9925 Dec 17 17:51 killSPR  
cadmn@rhel /tmp > 

The C code is as follows:

/*  
 * Program Name: killSPR.c  
 * Description: A simple program that kills all SPR processes that  
 * run as user cadmn  
 */  
#include <stdio.h>  
#include <stdlib.h>   /* system() */  
int main(void)  
{  
    char input[2];    /* buffer for the "hit enter" pause */  
    printf("Before you proceed, find out under which ID I'm running. Hit enter when you are done...");  
    fgets(input, sizeof input, stdin);  

    /* Runs through the shell: collects the SPR PIDs and hands them to the shell's kill */  
    const char *killCmd = "kill -9 $(ps -eaf | grep -v grep | grep \" SPR \" | awk '{print $2}')";  
    system(killCmd);  
    return 0;  
} 

A user (pmn) different from cadmn tries to kill the above-mentioned processes with this utility and fails (shown below):

pmn@rhel /tmp > ./killSPR  
Before you proceed, find out under which ID I'm running. Hit enter when you are done...  
sh: line 0: kill: (5822) - Operation not permitted  
sh: line 0: kill: (10466) - Operation not permitted  
sh: line 0: kill: (13431) - Operation not permitted  
sh: line 0: kill: (17320) - Operation not permitted  
sh: line 0: kill: (20589) - Operation not permitted  
sh: line 0: kill: (22084) - Operation not permitted  
pmn@rhel /tmp >  

While the user waits to hit enter above, the process killSPR is inspected and is seen to be running as the user cadmn (shown below) despite which killSPR is unable to terminate the processes.

cadmn@rhel /tmp > ps -eaf | grep -v grep | grep killSPR  
cadmn   24851 22918  0 17:51 pts/36   00:00:00 ./killSPR  
cadmn@rhel /tmp >

BTW, none of the main partitions have any nosuid on them

pmn@rhel /tmp > mount | grep nosuid
pmn@rhel /tmp >

The setuid flag on the executable doesn't seem to have the desired effect. What am I missing here? Have I misunderstood how setuid works?

Recommended answer

First and foremost, setuid bit simply allows a script to set the uid. The script still needs to call setuid() or setreuid() to run in the real uid or effective uid respectively. Without calling setuid() or setreuid(), the script will still run as the user who invoked the script.

Avoid system and exec as they drop privileges for security reasons. You can use kill() to kill the processes.

Check these.

http://linux.die.net/man/2/setuid

http://man7.org/linux/man-pages/man2/setreuid.2.html

http://man7.org/linux/man-pages/man2/kill.2.html
