setuid usage in C: a question about setuid


www.myexceptions.net  Shared by a user on: 2013-09-19  Views: 9

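A question about setuid

Experts, I am begging for your help with something.

The following code supposedly lets user A perform some operations as user B, but how do I actually do that???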

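    #define _GNU_SOURCE   /* needed for setresuid()/setresgid() with glibc */
    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <sys/types.h>
    #include <stdio.h>

    int main(int argc, char **argv, char **envp)
    {
        gid_t gid;
        uid_t uid;

        /* Read the effective IDs (the file owner's/group's when the s bits are set). */
        gid = getegid();
        uid = geteuid();

        /* Set real, effective and saved IDs to the effective ones; group first. */
        setresgid(gid, gid, gid);
        setresuid(uid, uid, uid);

        /* The command runs with those IDs. */
        system("/usr/bin/env echo and now what?");

        return 0;
    }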

Thank you all very much in advance~~

------Solution--------------------

NAME
    setresuid, setresgid - set real, effective and saved user or group ID

SYNOPSIS
    #define _GNU_SOURCE
    #include <unistd.h>

    int setresuid(uid_t ruid, uid_t euid, uid_t suid);
    int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

DESCRIPTION
    setresuid sets the real user ID, the effective user ID, and the saved (effective) user ID of the current process.

    Unprivileged user processes (i.e., processes with each of real, effective and saved user ID nonzero) may change the real, effective and saved user ID, each to one of: the current uid, the current effective uid or the current saved uid.

    The super-user may set real, effective and saved user ID to arbitrary values.

    If one of the parameters equals -1, the corresponding value is not changed.

    Completely analogously, setresgid sets the real, effective and saved group ID’s of the current process, with the same restrictions for processes with each of real, effective and saved user ID nonzero.

RETURN VALUE
    On success, zero is returned. On error, -1 is returned, and errno is set appropriately.

ERRORS
    EPERM   The current process was not privileged (did not have the CAP_SETUID capability) and tried to change the IDs in a not allowed way.

    EAGAIN  uid does not match the current uid and this call would bring that userID over its NPROC rlimit.

CONFORMING TO
    This call is nonstandard.

HISTORY
    This system call was first introduced in HP-UX. It is available under Linux since Linux 2.1.44. These days it is also found in FreeBSD (for emulation of Linux binaries).

NOTES
    Under HP-UX and FreeBSD the prototype is found in . Under Linux the prototype is given by glibc since version 2.3.2 provided _GNU_SOURCE is defined.

SEE ALSO
    getuid(2), setuid(2), setreuid(2), getresuid(2)

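------Solution--------------------

After a program starts, the real user ID is whoever launched it. The effective user ID is normally the launcher as well, but if the program has the user s permission it is the program's owner. There is also a saved set-user-ID, which after the program is launched from the command line is the effective user ID.

Most people understand the first two; hardly anyone understands the saved set-user-ID.

When a program calls setuid(uid), if the current effective user ID is root, then the RUID, EUID and SAVED SET-USER-ID are all set to uid.

Switching back to root after that is very hard; only a few operating system implementations support using seteuid to switch back to root. Why can't you switch back to root? Because:

If the process does not have appropriate privileges, but uid is equal to the real user ID or the saved set-user-ID, setuid() shall set the effective user ID to uid; the real user ID and saved set-user-ID shall remain unchanged.

It only works if uid equals the current RUID/S-S-UID, but seteuid can help you get past this restriction.

For a user whose EUID is not root it is very simple: it can switch to the RUID or the S-S-UID.

For example, for a program started by user A, all three IDs are A, so user A has no other user to switch to.

However, if the program that user A starts belongs to user B and has the s permission set, then A's RUID=A, EUID=B, S-S-UID=B.

If the program now wants to drop privileges, that is, change the EUID from B to A, then setuid(getuid()) gives RUID=A, EUID=A, S-S-UID=B. After doing some work with lowered privileges it wants to raise them back to B; because S-S-UID=B, it can call setuid(B's UID) to go back to B, that is, RUID=A, EUID=B, S-S-UID=B, which is the initial state again.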
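The temporary drop, restore and permanent drop described in the answer above, as an added example that is not code from the original thread. It swaps setuid(getuid()) for setresuid(-1, ruid, -1) so the saved set-user-ID is explicit and the behaviour is the same when the EUID is root; the helper names are hypothetical and Linux with glibc is assumed.

```c
#define _GNU_SOURCE  /* getresuid(), setresuid(), setresgid() under glibc */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
struct ids { uid_t r, e, s; };  /* real, effective, saved set-user-ID */
static int read_ids(struct ids *o) { return getresuid(&o->r, &o->e, &o->s); }

/* Temporary drop: EUID becomes the RUID, the saved set-user-ID is kept. */
int drop_temporarily(void) { return setresuid((uid_t)-1, getuid(), (uid_t)-1); }
/* Switch the EUID back to whatever the saved set-user-ID holds. */
int restore_from_saved(void) {
    struct ids now;
    if (read_ids(&now) != 0) return -1;
    return setresuid((uid_t)-1, now.s, (uid_t)-1);
}

/* Permanent drop: group IDs first, then all three UIDs, then verify. */
int drop_permanently(void) {
    struct ids before, after;
    gid_t g = getgid();
    if (read_ids(&before) != 0) return -1;
    if (setresgid(g, g, g) != 0) return -1;
    if (setresuid(before.r, before.r, before.r) != 0) return -1;
    if (read_ids(&after) != 0) return -1;
    if (after.r != before.r || after.e != before.r || after.s != before.r)
        return -1;
    /* Any ID that differed from the RUID must no longer be reachable. */
    if (before.e != before.r && seteuid(before.e) == 0) return -1;
    if (before.s != before.r && seteuid(before.s) == 0) return -1;
    return 0;
}

static void show(const char *label) {
    struct ids i;
    if (read_ids(&i) == 0)
        printf("%-9s ruid=%ld euid=%ld suid=%ld\n", label,
               (long)i.r, (long)i.e, (long)i.s);
}

int main(void) {
    show("start");
    if (drop_temporarily() != 0) { perror("drop_temporarily"); return 1; }
    show("dropped");
    if (restore_from_saved() != 0) { perror("restore_from_saved"); return 1; }
    show("restored");
    if (drop_permanently() != 0) { perror("drop_permanently"); return 1; }
    show("permanent");
    return 0;
}
```

Run as an ordinary program, all three IDs are equal and every step succeeds without changing anything. Installed with the s permission for another user, the "dropped" line shows only the EUID changing while the saved set-user-ID still holds the owner.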
