SetUID Programs: passwd, sudo, …¶
Problem: Change My Password¶
/etc/passwd: Unix user database/etc/passwdstructure¶$ grep jfasch /etc/passwd jfasch:x:1000:1000:Joerg Faschingbauer:/home/jfasch:/bin/bash
/etc/passwdpermissions¶$ ls -l /etc/passwd -rw-r--r--. 1 root root 2691 Nov 2 10:01 /etc/passwd
⟶ not writeable
Column 1 -
"x"- means “Encrypted password is in/etc/shadow” ⟶ no need to write/etc/passwd, alas/etc/shadowpermissions¶$ ls -l /etc/shadow ----------. 1 root root 1317 Nov 2 10:01 /etc/shadow
⟶ not even readable!
Problem: I cannot change my password
Only
rootcan do thatSolution: ask
rootto change my passwordSend the output of this command to
root, and ask her to enter it into/etc/shadow:$ openssl passwd -6 -salt my-cool-salt Password: <... enter cleartext password ...> $6$my-cool-salt$MDMCKQvPfaqqUqyPVZjjkIhsBKKcNIOgKNXtiOBvBFw8u7zUF3.0g2RQR9CnyDnQQ5Unt/Wpu8jyZeUXKTApl0
Problem: imagine 100 users doing this per day ⟶
rootburnout!
Solution: Set-UID Bit¶
Note
First off: ugly hack with severe security implications
Turns out I (as
jfasch) can change my password$ passwd Changing password for user jfasch. Current password: New password: Retype new password:
⟶ Done!
How come? ⟶ Set-UID
$ which passwd /usr/bin/passwd [jfasch@fedora ~] $ ls -l /usr/bin/passwd -rwsr-xr-x. 1 root root 32712 Jan 30 2021 /usr/bin/passwd
⟶ “s”, a-ha
Set-UID: How Does It Work?¶
Another bit in the “mode” bitmask
32 available
9 reserved for the
rwxrwxrwxgame (see Permissions: Mode, User and Group Ownership)
When that bit (the set-UID bit) is set, the process’s effective user ID becomes that of the owner of the file program
In the case of
/usr/bin/passwd, this would beroot(UID: 0)A program owned by
jfaschwould run with that user’s privileges, no matter who executed it
Command: chmod¶
$ chmod 4755 program
… or …
$ chmod u+s program