#1 2016-11-26 15:18:12

mkkot
Member
From: Poland
Registered: 2009-12-20
Posts: 287

[solved] Setuid why it doesn't work

Hello,

I'm following some old exercises on the site http://www.doc.ic.ac.uk/~wjk/UnixIntro/Exercise3.html

One of the exercises tells me to:

Team up with a partner. Copy /bin/sh to your home directory. Type "chmod +s sh". Check the permissions on sh in the directory listing. Now ask your partner to change into your home directory and run the program ./sh. Ask them to run the id command. What's happened?  Your partner can type exit to return to their shell.

So here's sh copied to /tmp/cwiczenia:

[mk@linux cwiczenia]$ chmod +x+s sh

[mk@linux cwiczenia]$ ls -l
razem 772
-r--r--r-- 1 mk users      0 11-26 15:34 plik
-rwsr-sr-x 1 mk users 787312 11-26 15:43 sh

And now I log in as other user:

[mk@linux ~]$ su kinia -
[kinia@linux mk]$ /tmp/cwiczenia/sh
sh-4.3$ whoami 
kinia

What am I doing wrong? Does Arch Linux have some other security policy which prevents me from doing the trick? I expect that sh will show that whoami is mk (my user name).

Wikipedia says:

setuid and setgid (short for "set user ID upon execution" and "set group ID upon execution", respectively)[1] are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group respectively and to change behaviour in directories.

But I also don't have the privileges of user mk while logged in to that /tmp/sh:

sh-4.3$ ls -l
total 772
-r--r--r-- 1 mk users      0 Nov 26 15:34 plik
-rwsr-sr-x 1 mk users 787312 Nov 26 15:43 sh
sh-4.3$ chmod 644 plik
chmod: changing permissions of 'plik': Operation not permitted

What am I doing wrong?

Last edited by mkkot (2016-11-27 11:24:08)

#2 2016-11-26 15:55:16

ayekat
Member
Registered: 2011-01-17
Posts: 1,589

Re: [solved] Setuid why it doesn't work

Unless you changed it from the default, on Arch Linux /bin/sh is actually a symbolic link to /bin/bash. When you copied it to /tmp/cwiczenia, you actually copied /bin/bash (you may notice the version string in the prompt matching the version of bash).

And it turns out that bash seems to drop all UIDs/GIDs other than the real ones, and your experiment fails.

If you had done the whole thing with a POSIX-compatible shell (e.g. dash), you would see something like this:

$ id
uid=1001(kinia) gid=1001(kinia) euid=1000(mk) egid=1000(mk) groups=1000(mk),...
$ whoami
mk

Last edited by ayekat (2016-11-26 15:57:46)


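The startup behaviour described in post #2, sketched as an added C example (not from the thread and not bash's own source; `running_setid` and `drop_to_real_ids` are hypothetical names): a program that finds its effective IDs differ from its real ones resets them to the real ones, which is why `whoami` in the copied shell still prints kinia.

```c
/* Added example: the startup check post #2 describes, in miniature.
 * Function names are hypothetical; this is not bash's source. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Nonzero when started from a setuid/setgid file: the effective IDs
 * (taken from the file's owner/group) differ from the real IDs
 * (the user who ran it). */
int running_setid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Reset real, effective and saved IDs to the real ones.
 * Returns 0 on success, -1 if a step failed or did not stick. */
int drop_to_real_ids(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid();

    /* Group first: after the UID change the process may no longer
     * have permission to change its GIDs. */
    if (setregid(rgid, rgid) != 0)
        return -1;
    /* On Linux, passing the real UID explicitly also resets the
     * saved set-user-ID. */
    if (setreuid(ruid, ruid) != 0)
        return -1;

    /* Verify: regaining the old effective UID must now fail.
     * Skipped when the real user is root, who can always switch. */
    if (ruid != 0 && old_euid != ruid && seteuid(old_euid) == 0)
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

int main(void)
{
    printf("before: uid=%d euid=%d setid=%d\n",
           (int)getuid(), (int)geteuid(), running_setid());
    if (drop_to_real_ids() != 0) {
        perror("drop_to_real_ids");
        return 1;
    }
    printf("after:  uid=%d euid=%d setid=%d\n",
           (int)getuid(), (int)geteuid(), running_setid());
    return 0;
}
```

Built and run normally it reports setid=0 on both lines; installed with the setuid bit as in the exercise, the first line shows differing uid and euid and the second shows them equal.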

#3 2016-11-27 11:25:24

mkkot
Member
From: Poland
Registered: 2009-12-20
Posts: 287

Re: [solved] Setuid why it doesn't work

Ok, that explains a lot! :) Thank you. I thought that there must be some non-standard security enhancement which doesn't allow me to do what I want and I was right about it.
