Original post, 14 October 2011, 11:41:26



I am writing this blog mainly to summarize and record what I have been studying, in the hope that it helps others learning the same material; this is my first post and my experience is limited, so I will keep practicing. For the experiment I followed the steps of a very capable senior classmate; his set_uid blog: . I hope this helps everyone.


1. Figure out why "passwd", "chsh", "su", and "sudo" commands need to be Set-UID programs. What will happen if they are not? If you are not familiar with these programs, you should first learn what they can do by reading their manuals. Please copy these commands to your own directory; the copies will not be Set-UID programs. Run the copied programs, and observe what happens.


Figure 1

Figure 2

As Figures 1 and 2 show, the copy of passwd in /home/seed no longer has root privilege, so it no longer has permission to change the password. The same reasoning applies to chsh, su and the others.

2.  Run Set-UID shell programs in Linux, and describe and explain your observations.

(a) Login as root, copy /bin/zsh to /tmp, and make it a set-root-uid program with permission 4755. Then login as a normal user, and run /tmp/zsh. Will you get root privilege? Please describe your observation. If you cannot find /bin/zsh in your operating system, please use the following command to install it. Note: in our pre-built Ubuntu VM image, zsh is already installed.


For Fedora
$ su
Password: (enter root password)
# yum install zsh

For Ubuntu
$ su
Password: (enter root password)
# apt-get install zsh

Figure 3


(b) Instead of copying /bin/zsh, this time, copy /bin/bash to /tmp, make it a set-root-uid program. Run /tmp/bash as a normal user. Will you get root privilege? Please describe and explain your observation.

Figure 4


3. (Setup for the rest of the tasks) As you can find out from the previous task, /bin/bash has certain built-in protection that prevents the abuse of the Set-UID mechanism. To see the life before such a protection scheme was implemented, we are going to use a different shell program called /bin/zsh. In some Linux distributions (such as Fedora and Ubuntu), /bin/sh is actually a symbolic link to /bin/bash. To use zsh, we need to link /bin/sh to /bin/zsh. The following instructions describe how to change the default shell to zsh.

$ su
Password: (enter root password)
# cd /bin
# rm sh
# ln -s zsh sh

Figure 5

4. The PATH environment variable.

The system(const char *cmd) library function can be used to execute a command within a program. The way system(cmd) works is to invoke the /bin/sh program, and then let the shell program execute cmd. Because a shell program is invoked, calling system() within a Set-UID program is extremely dangerous: the actual behavior of the shell program can be affected by environment variables, such as PATH, and these environment variables are under the user's control. By changing these variables, malicious users can control the behavior of the Set-UID program. The Set-UID program below is supposed to execute the /bin/ls command; however, the programmer only uses the relative path for the ls command, rather than the absolute path:

#include <stdlib.h>

int main()
{
    system("ls");   /* relative path: resolved through the caller's PATH */
    return 0;
}


(a) Can you let this Set-UID program (owned by root) run your code instead of /bin/ls? If you can, is your code running with the root privilege? Describe and explain your observations.

Figure 6

int main()
{
    return 0;
}
(b) Now, change /bin/sh so it points back to /bin/bash, and repeat the above attack. Can you still get the root privilege? Describe and explain your observations.


5. The difference between system() and execve(). Before you work on this task, please make sure that /bin/sh is pointed to /bin/zsh.

Background: Bob works for an auditing agency, and he needs to investigate a company for a suspected fraud. For the investigation purpose, Bob needs to be able to read all the files in the company's Unix system; on the other hand, to protect the integrity of the system, Bob should not be able to modify any file. To achieve this goal, Vince, the superuser of the system, wrote a special set-root-uid program (see below), and then gave the executable permission to Bob. This program requires Bob to type a file name at the command line, and then it will run /bin/cat to display the specified file. Since the program is running as root, it can display any file Bob specifies. However, since the program has no write operations, Vince is very sure that Bob cannot use this special program to modify any file.

#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    char *v[3];

    if(argc < 2) {
        printf("Please type a file name.\n");
        return 1;
    }

    v[0] = "/bin/cat"; v[1] = argv[1]; v[2] = 0;

    /* Set q = 0 for Question a, and q = 1 for Question b */
    int q = 0;
    if (q == 0){
        /* the file name is spliced into a command line and handed to /bin/sh */
        char *command = malloc(strlen(v[0]) + strlen(v[1]) + 2);
        sprintf(command, "%s %s", v[0], v[1]);
        system(command);
    }
    else execve(v[0], v, 0);   /* the file name stays a single argv element */

    return 0 ;
}


(a) Set q = 0 in the program. This way, the program will use system() to invoke the command. Is this program safe? If you were Bob, can you compromise the integrity of the system? For example, can you remove any file that is not writable to you? (Hint: remember that system() actually invokes /bin/sh, and then runs the command within the shell environment. We have tried the environment variable in the previous task; here let us try a different attack. Please pay attention to the special characters used in a normal shell environment).


Figure 7

(b) Set q = 1 in the program. This way, the program will use execve() to invoke the command. Do your attacks in task (a) still work? Please describe and explain your observations.

It will not work. The reason it worked in (a) is that system(), running with root privilege, executes cat file and then goes on to execute the mv file file_new command. When q = 1, execve() treats the whole string file; mv file file_new as a single file name, and the system reports that no such file exists. The figure below illustrates this:

Figure 8
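The following C program is an added example written for this post; it is not part of the SEED lab and not the author's code. It re-creates the contrast of tasks 4 and 5 without needing a Set-UID binary: run_literal() starts a program only by absolute path, through fork()+execve() with a constructed minimal environment, and the two helpers pass the same constructed file name (a harmless string containing a ';') once as a single argv element and once spliced into a command line for system(). The function names and the sample file name are assumptions of this example.

```c
/* Added example (not the lab's code): execve() with an argv array keeps a
 * hostile-looking argument as ONE literal word, whereas system() hands the
 * whole string to /bin/sh for parsing. Also rejects the relative-path
 * mistake of task 4. Needs only /bin/sh, no Set-UID bit. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Start `path` with the given argv through fork()+execve(), passing a fixed,
 * constructed environment so the caller's PATH cannot redirect a lookup.
 * Returns the child's exit status, or -1 if `path` is not absolute or the
 * child could not be started or waited for. */
int run_literal(const char *path, char *const argv[])
{
    char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;

    if (path == NULL || path[0] != '/')
        return -1;                      /* task 4: never accept a relative command */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, clean_env);  /* no shell in between: argv is literal */
        _exit(127);                     /* reached only if execve() failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* How many positional words does the callee receive when `name` is passed as
 * ONE argv element? `sh -c 'exit $#'` reports that count as its exit status. */
int words_via_execve(const char *name)
{
    char *argv[] = { "sh", "-c", "exit $#", "sh", (char *)name, NULL };
    return run_literal("/bin/sh", argv);
}

/* The same string spliced into a command line for system(): /bin/sh now
 * parses `name`, so a ';' ends the intended command and starts another.
 * What comes back is the exit status of the LAST command the shell ran. */
int status_via_system(const char *name)
{
    char cmd[512];
    int status;

    snprintf(cmd, sizeof cmd, "/bin/sh -c 'exit $#' sh %s", name);
    status = system(cmd);
    if (status == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed "file name": harmless, but it carries a command separator. */
    const char *name = "report.txt; exit 42";
    char *rel[] = { "sh", "-c", "exit 0", NULL };

    printf("execve(): callee saw %d word(s)\n", words_via_execve(name));    /* 1 */
    printf("system(): shell exit status %d\n", status_via_system(name));   /* 42 */
    printf("relative path accepted? %s\n",
           run_literal("sh", rel) == -1 ? "no" : "yes");
    return 0;
}
```

With the execve() path the callee sees exactly one argument, so the "; exit 42" part never becomes a command; through system() the separator is honoured and the injected exit status is what the caller gets back, which is the mechanism behind the lab's mv observation.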

6. The LD_PRELOAD environment variable.

To make sure Set-UID programs are safe from the manipulation of the LD_PRELOAD environment variable, the runtime linker will ignore this environment variable if the program is a Set-UID root program, except for some conditions. We will figure out what these conditions are in this task.

(a) Let us build a dynamic link library. Create the following program, and name it mylib.c. It basically overrides the sleep() function in libc:

#include <stdio.h>

void sleep (int s)
{
    printf("I am not sleeping!\n");
}

(b) We can compile the above program using the following commands (in the -Wl argument, the third character is the letter l (ell), not the digit one; in the -lc argument, the second character is also ell):

% gcc -fPIC -g -c mylib.c
% gcc -shared -Wl,-soname, \
  -o mylib.o -lc

(c) Now, set the LD_PRELOAD environment variable:

% export LD_PRELOAD=./

(d) Finally, compile the following program myprog (put this program in the same directory as

/* myprog.c */
#include <unistd.h>

int main()
{
    sleep(1);   /* resolved to mylib's sleep() when the preload is honoured */
    return 0;
}

Please run myprog under the following conditions, and observe what happens. Based on your observations, tell us when the runtime linker will ignore the LD_PRELOAD environment variable, and explain why.

- Make myprog a regular program, and run it as a normal user.

Figure 9

- Make myprog a Set-UID root program, and run it as a normal user.

Figure 10

- Make myprog a Set-UID root program, and run it in the root account.

Figure 11

Figure 12

Figure 13

- Make myprog a Set-UID user1 program (i.e., the owner is user1, which is another user account), and run it as a different user (not-root user).
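As an added example for task 6 (not the lab's or the author's code): a small environment filter a Set-UID program can apply to the environment it passes to execve(), together with the real-versus-effective id test that decides whether the runtime linker is in secure-execution mode. The constructed environment array, the variable values in it and the function names are assumptions of this example; the kernel also enters secure mode when a binary gains file capabilities, which this check does not model.

```c
/* Added example (not the lab's code): scrub loader variables before exec,
 * and model the uid/euid condition behind the linker's secure mode. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Any LD_* variable lets the caller steer how a dynamically linked program
 * is loaded (LD_PRELOAD, LD_LIBRARY_PATH, LD_AUDIT, ...). */
static int is_loader_variable(const char *entry)
{
    return strncmp(entry, "LD_", 3) == 0;
}

/* Drop LD_* entries from a NULL-terminated environment array, in place.
 * Returns how many entries were removed. */
int scrub_loader_vars(char **envp)
{
    int removed = 0, w = 0;
    for (int r = 0; envp[r] != NULL; r++) {
        if (is_loader_variable(envp[r])) {
            removed++;
            continue;
        }
        envp[w++] = envp[r];
    }
    envp[w] = NULL;
    return removed;
}

/* The linker treats a process as "secure" when its effective ids differ from
 * its real ids, i.e. the Set-UID/Set-GID bit actually changed something.
 * Root running a set-root-uid program (uid == euid == 0) is NOT secure mode,
 * which is why LD_PRELOAD is still honoured in that case (figures 11-13). */
int linker_in_secure_mode(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid != euid || gid != egid;
}

int main(void)
{
    /* Constructed environment for the demonstration; the library name is made up. */
    char *env[] = { "PATH=/usr/bin:/bin", "LD_PRELOAD=./mylib.so",
                    "HOME=/home/seed", "LD_LIBRARY_PATH=/tmp", NULL };
    int removed = scrub_loader_vars(env);

    printf("removed %d loader variable(s); remaining:\n", removed);
    for (int i = 0; env[i] != NULL; i++)
        printf("  %s\n", env[i]);
    printf("this process in secure mode? %d\n",
           linker_in_secure_mode(getuid(), geteuid(), getgid(), getegid()));
    return 0;
}
```

The four runs of the task map onto linker_in_secure_mode(): a regular program, or a set-root-uid program run by root, has uid == euid and the preload is honoured; a set-root-uid or set-user1-uid program run by a different user has uid != euid and the linker ignores it. Scrubbing the environment yourself matters for the children a privileged program starts, since the linker's protection applies only to the Set-UID process itself.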

7. Relinquishing privileges and cleanup.

To be more secure, Set-UID programs usually call the setuid() system call to permanently relinquish their root privileges. However, sometimes this is not enough. Compile the following program, and make the program a set-root-uid program. Run it in a normal user account, and describe what you have observed. Will the file /etc/zzz be modified? Please explain your observation.

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

int main()
{
    int fd;

    /* Assume that /etc/zzz is an important system file,
       and it is owned by root with permission 0644 */
    fd = open("/etc/zzz", O_RDWR | O_APPEND);

    /* Simulate the tasks conducted by the program */

    /* After the task, the root privileges are no longer needed,
       it's time to relinquish the root privileges permanently. */
    setuid(getuid()); /* getuid() returns the real uid */

    if (fork()) { /* In the parent process */
        close (fd);
    } else { /* in the child process */
        /* Now, assume that the child process is compromised, malicious
           attackers have injected the following statements
           into this process */
        write (fd, "Malicious Data", 14);
        close (fd);
    }
    return 0;
}

Figure 14

Figure 15

Figure 16
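Added example for task 7 (not the lab's or the author's code): the same open/setuid/fork sequence replayed against a scratch file under /tmp so it runs without root, with a switch that applies the fix of closing the descriptor before privileges are dropped and before fork(). The scratch path and the function name are assumptions of this example.

```c
/* Added example (not the lab's code): an open file descriptor survives
 * setuid() and is inherited across fork(); the only fix is to close it
 * before dropping privileges. Uses a scratch file instead of /etc/zzz. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Returns 1 if the child could still append through the descriptor it
 * inherited, 0 if the write was impossible, -1 if setup failed. */
int child_can_write_after_drop(int close_before_fork)
{
    char path[64];
    int fd, status, wrote;
    struct stat st;
    pid_t pid;

    /* Constructed scratch path; in the lab this is /etc/zzz. */
    snprintf(path, sizeof path, "/tmp/setuid-fd-demo-%ld", (long)getpid());
    /* Obtained "while privileged": the lab's open() of /etc/zzz. */
    fd = open(path, O_RDWR | O_APPEND | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;

    /* The fix: release every privileged resource before giving up the
     * privilege and before any fork() that could hand it to other code.
     * setuid() only affects future open() calls; it cannot revoke this fd. */
    if (close_before_fork) {
        close(fd);
        fd = -1;
    }

    /* A no-op for an unprivileged run, kept to mirror the lab's ordering.
     * In a real Set-UID program the return value must be checked. */
    if (setuid(getuid()) != 0) {
        if (fd >= 0) close(fd);
        unlink(path);
        return -1;
    }

    pid = fork();
    if (pid < 0) {
        if (fd >= 0) close(fd);
        unlink(path);
        return -1;
    }
    if (pid == 0) {
        /* The "compromised" child: uses whatever descriptor it inherited. */
        ssize_t n = (fd >= 0) ? write(fd, "Malicious Data", 14) : -1;
        _exit(n == 14 ? 0 : 1);
    }
    if (fd >= 0)
        close(fd);              /* parent closes its copy, as in the lab */
    waitpid(pid, &status, 0);

    wrote = (stat(path, &st) == 0 && st.st_size == 14);
    unlink(path);
    return wrote;
}

int main(void)
{
    printf("leak as in the lab: child wrote? %d\n", child_can_write_after_drop(0));     /* 1 */
    printf("fd closed before fork: child wrote? %d\n", child_can_write_after_drop(1));  /* 0 */
    return 0;
}
```

The parent's close(fd) after fork() is too late: the child holds its own copy of the descriptor, and the kernel checks permissions at open() time, not at write() time, so the write succeeds regardless of the uid the child now runs under. Note that O_CLOEXEC would not help here either, since it only closes descriptors across exec(), not across fork().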

