A question about setuid

griffin601 2012-08-22 09:07:39
Experts, I humbly ask for your help.

The following code is said to let user A perform some operations as user B, but how do I actually do that???

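#define _GNU_SOURCE   /* needed for the setresuid()/setresgid() prototypes in glibc */
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
    gid_t gid;
    uid_t uid;

    /* effective IDs: those of the file's owner/group when the s bits are set */
    gid = getegid();
    uid = geteuid();

    /* copy the effective IDs into the real and saved IDs as well */
    setresgid(gid, gid, gid);
    setresuid(uid, uid, uid);

    /* run a command under those IDs */
    system("/usr/bin/env echo and now what?");
    return 0;
}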

Many thanks in advance to all of you~~
qq120848369 2012-08-23
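After a program starts, the real user ID is whoever launched it. The effective user ID is normally the launcher as well, but if the program has the user s permission bit it is the owner of the program file. There is also a saved set-user-ID, which, after the program is launched from the command line, is the effective user ID.

Most people understand the first two; very few understand the saved set-user-ID.

When a program calls setuid(uid), if the current effective user ID is root, then the RUID, EUID and SAVED SET-USER-ID are all set to uid.
Switching back to root after that is very hard; only a few operating system implementations support using seteuid to switch back to root. Why can't you switch back to root? Because:
If the process does not have appropriate privileges, but uid is equal to the real user ID or the saved set-user-ID, setuid() shall set the effective user ID
to uid; the real user ID and saved set-user-ID shall remain unchanged.

It only works when uid equals the current RUID/S-S-UID, but seteuid can help you get around this restriction.

For a user whose EUID is not root it is simple: you can switch to the RUID or the S-S-UID.

For example, for a program started by user A, all three IDs are A, so user A has no other user to switch to.
But if the program that user A starts is a program owned by user B with the s permission set, then A's RUID=A, EUID=B, S-S-UID=B.
At this point, if you want the program to drop privileges, that is, change the EUID from B to A, then setuid(getuid()) gives RUID=A, EUID=A, S-S-UID=B. If, after doing some work with reduced privileges, you want to raise privileges back to B, then because S-S-UID=B you can call setuid(B's UID) to get back to B, that is, RUID=A, EUID=B, S-S-UID=B, which is the initial state again.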
shen_wei 2012-08-23
Then you need to implement a user login mode.. different login names operate different options!!
多喝水ooo 2012-08-23
NAME
setresuid, setresgid - set real, effective and saved user or group ID

SYNOPSIS
#define _GNU_SOURCE
#include <unistd.h>

int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

DESCRIPTION
setresuid sets the real user ID, the effective user ID, and the saved (effective)
user ID of the current process.

Unprivileged user processes (i.e., processes with each of real, effective and
saved user ID nonzero) may change the real, effective and saved user ID, each to
one of: the current uid, the current effective uid or the current saved uid.

The super-user may set real, effective and saved user ID to arbitrary values.

If one of the parameters equals -1, the corresponding value is not changed.

Completely analogously, setresgid sets the real, effective and saved group ID’s of
the current process, with the same restrictions for processes with each of real,
effective and saved user ID nonzero.

RETURN VALUE
On success, zero is returned. On error, -1 is returned, and errno is set appropriately.

ERRORS
EPERM The current process was not privileged (did not have the CAP_SETUID
capability) and tried to change the IDs in a not allowed way.

EAGAIN uid does not match the current uid and this call would bring that userID
over its NPROC rlimit.

CONFORMING TO
This call is nonstandard.

HISTORY
This system call was first introduced in HP-UX. It is available under Linux since
Linux 2.1.44. These days it is also found in FreeBSD (for emulation of Linux
binaries).

NOTES
Under HP-UX and FreeBSD the prototype is found in <unistd.h>. Under Linux the
prototype is given by glibc since version 2.3.2 provided _GNU_SOURCE is defined.

SEE ALSO
getuid(2), setuid(2), setreuid(2), getresuid(2)
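
Added example, not part of any post in this thread: a small user-space model of the ID rules quoted above (the POSIX text for setuid() and the man page text for setresuid()), showing that setuid(getuid()) in a set-user-ID program owned by a non-root user leaves the saved ID behind, while setresuid() with all three arguments does not. `struct ids`, `model_setuid`, `model_setresuid` and the UIDs 1000/1001 are made up for the illustration, and "privileged" is simplified to EUID 0.

```c
#include <stdio.h>
#include <sys/types.h>

#define KEEP ((uid_t)-1)        /* setresuid: -1 leaves that ID unchanged */
struct ids { uid_t r, e, s; };  /* real, effective, saved set-user-ID */

/* Assumption: "appropriate privileges" is simplified to EUID 0;
 * Linux capabilities such as CAP_SETUID are not modelled. */
static int privileged(const struct ids *c) { return c->e == 0; }

static int is_current(const struct ids *c, uid_t v) {
    return v == KEEP || v == c->r || v == c->e || v == c->s;
}

/* setuid() per the POSIX text quoted in the thread. Returns 0, or -1 (EPERM). */
int model_setuid(struct ids *c, uid_t uid) {
    if (privileged(c)) { c->r = c->e = c->s = uid; return 0; }
    if (uid != c->r && uid != c->s) return -1;
    c->e = uid;                 /* real and saved IDs stay as they were */
    return 0;
}

/* setresuid() per the man page text in the thread. Returns 0, or -1 (EPERM). */
int model_setresuid(struct ids *c, uid_t r, uid_t e, uid_t s) {
    if (!privileged(c) && !(is_current(c, r) && is_current(c, e) && is_current(c, s)))
        return -1;
    if (r != KEEP) c->r = r;
    if (e != KEEP) c->e = e;
    if (s != KEEP) c->s = s;
    return 0;
}

static void show(const char *what, const struct ids *c) {
    printf("%-22s r=%u e=%u s=%u\n", what, (unsigned)c->r, (unsigned)c->e, (unsigned)c->s);
}

int main(void) {
    enum { A = 1000, B = 1001 };  /* constructed sample UIDs */
    struct ids p = { A, B, B };   /* user A runs a set-user-ID program owned by B */

    model_setuid(&p, A);          /* setuid(getuid()): only the effective ID moves */
    show("after setuid(A):", &p);
    printf("setuid(B) again:       %d\n", model_setuid(&p, B));  /* saved ID is still B */
    model_setresuid(&p, A, A, A); /* all three IDs become A */
    show("after setresuid(A,A,A):", &p);
    printf("setuid(B) again:       %d\n", model_setuid(&p, B));
    printf("setresuid(-1,B,-1):    %d\n", model_setresuid(&p, KEEP, B, KEEP));
    return 0;
}
```

With the real calls, the same check can be made after a drop by reading the three IDs back with getresuid(2).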
niceguy01 2012-08-23
Keep kneeling then!!!
griffin601 2012-08-23
Sorry, I'm a bit slow. Could you explain it a little more clearly? What is a user login mode???
griffin601 2012-08-22
Bumping my own thread!