RealUID, Saved UID, Effective UID. What's going on?


Problem description

This is a set-root-uid program

$ls -l
-rwsr-sr-x 1 root root 7406 2011-12-13 22:37 ./x*

Source code:

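#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Prints the real and effective IDs after each call; run as a set-uid-root binary. */
int main(void) {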
    printf(
        "         UID           GID  \n"
        "Real      %d  Real      %d  \n"
        "Effective %d  Effective %d  \n",
             getuid (),     getgid (),
             geteuid(),     getegid()
    );

    seteuid(600);
    printf(
        "         UID           GID  \n"
        "Real      %d  Real      %d  \n"
        "Effective %d  Effective %d  \n",
             getuid (),     getgid (),
             geteuid(),     getegid()
    );

    setuid(1000);

    printf(
        "         UID           GID  \n"
        "Real      %d  Real      %d  \n"
        "Effective %d  Effective %d  \n",
             getuid (),     getgid (),
             geteuid(),     getegid()
    );

    setuid(0); // HOW DOES THIS SUCCEED IN SETTING THE EUID BACK TO 0
    printf(
        "         UID           GID  \n"
        "Real      %d  Real      %d  \n"
        "Effective %d  Effective %d  \n",
             getuid (),     getgid (),
             geteuid(),     getegid()
    );

    return 0;
}

Output

         UID           GID  
Real      1000  Real      1000  
Effective 0  Effective 0  
         UID           GID  
Real      1000  Real      1000  
Effective 600  Effective 0  
         UID           GID  
Real      1000  Real      1000  
Effective 1000  Effective 1000  
         UID           GID  
Real      1000  Real      1000  
Effective 0  Effective 1000  

My question

The man page states that setuid will change the real, saved and effective uid. So after calling setuid(1000), all three change to 1000. How is it that setuid(0) lets me change euid to 0?

Recommended answer

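There are two cases:

  1. You want to temporarily drop root privileges while executing a setuid program
  2. You want to permanently drop root privileges while executing a setuid program...

  • You can do it temporarily by setting the euid to the real user ID and then changing the uid to anything you want. Later, when you need the root privilege back, you can setuid to root and the effective user ID will change back to root. This is because the saved user ID is not changed.
  • You can drop privileges permanently by changing the uid straight away to a less privileged user ID. After this, no matter what, you cannot get back the root privilege.

    Case 1:

    After a setuid program starts executing: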

    1. seteuid(600);
    2. setuid(1000);
    3. setuid(0);
    

    For this case the root privilege can be gained back again.

                  +----+------+------------+
                  | uid|euid  |saved-uid   |
                  |----|------|------------|
                1.|1000| 0    | 0          |
                2.|1000| 600  | 0          |
                3.|1000| 1000 | 0          |
                4.|1000|  0   | 0          |
                  |    |      |            |
                  +------------------------+
    

    Case 2:

    After a setuid program starts executing,

    1. setuid(1000);
    2. setuid(0);
    
    
    
                   +----+------+------------+
                   | uid|euid  |saved-uid   |
                   |----|------|------------|
                 1.|1000|0     | 0          |
                 2.|1000|1000  | 1000       |
                   |    |      |            |
                   +------------------------+
    

    In this case you cannot get back the root privilege. This can be verified by the following command,

    cat /proc/PROCID/task/PROCID/status | less

    Uid:    1000    0       0       0
    Gid:    1000    0       0       0
    

    This command will display a Uid and Gid and it will have 4 fields (the first three fields are the ones we are concerned with). Something like the above.

    The three fields represent uid, euid and saved-user-id. You can introduce a pause (an input from the user) in your setuid program and check for each step the cat /proc/PROCID/task/PROCID/status | less command. During each step you can check the saved uid getting changed as mentioned.

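    If your euid is root and you change the uid, the privileges are dropped permanently. If the effective user ID is not root, then the saved user ID is never touched and you can regain the root privilege any time you want in your program.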
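Added example, not part of the original question or answer: a small model of the Linux setuid(2) and seteuid(2) permission rules that replays both call sequences and reproduces the two tables above without needing a set-uid-root binary. The `struct cred`, `model_*` and `case*` names are hypothetical, and "privileged" is simplified to euid == 0 (capabilities and user namespaces are ignored).

```c
/* Simplified model of Linux setuid(2)/seteuid(2); constructed for illustration.
   Assumption: "privileged" means euid == 0 (no capabilities, no user namespaces). */
#include <stdio.h>

struct cred { unsigned ruid, euid, suid; };    /* real, effective, saved */

/* seteuid(): only ever changes the effective UID. */
int model_seteuid(struct cred *c, unsigned id) {
    if (c->euid != 0 && id != c->ruid && id != c->euid && id != c->suid)
        return -1;                             /* EPERM */
    c->euid = id;
    return 0;
}

/* setuid(): rewrites all three IDs only when the caller is privileged. */
int model_setuid(struct cred *c, unsigned id) {
    if (c->euid == 0) {                        /* privileged: real and saved change too */
        c->ruid = c->euid = c->suid = id;
        return 0;
    }
    if (id != c->ruid && id != c->suid)
        return -1;                             /* EPERM: target is neither real nor saved */
    c->euid = id;                              /* unprivileged: effective UID only */
    return 0;
}

/* Case 1: the question's sequence. Returns the result of the final setuid(0). */
int case1(struct cred *c) {
    *c = (struct cred){1000, 0, 0};            /* set-uid-root binary started by uid 1000 */
    model_seteuid(c, 600);
    model_setuid(c, 1000);                     /* euid is 600 here, so saved UID stays 0 */
    return model_setuid(c, 0);
}

/* Case 2: setuid(1000) while euid is still 0. */
int case2(struct cred *c) {
    *c = (struct cred){1000, 0, 0};
    model_setuid(c, 1000);                     /* all three IDs become 1000 */
    return model_setuid(c, 0);
}

int main(void) {
    struct cred c;
    int r = case1(&c);
    printf("case 1: setuid(0)=%d ruid=%u euid=%u suid=%u\n", r, c.ruid, c.euid, c.suid);
    r = case2(&c);
    printf("case 2: setuid(0)=%d ruid=%u euid=%u suid=%u\n", r, c.ruid, c.euid, c.suid);
    return 0;
}
```

On a live process, getresuid() returns the same three values that the Uid: line of /proc/PROCID/status shows.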
