Thread: how to gain privilege

  1. #1
    still a n00b Jaguar's Avatar
    Join Date
    Jun 2002
    Posts
    187

    how to gain privilege

    File /etc/shadow belongs to root, and access permission is set to 400 or "-r--------" (unless chmod).
    So it can't be modified by even root.
    But when I log in as a normal user (UID 500 up) and I change password with the command /usr/bin/passwd, file /etc/shadow is consequently changed.
    I think such binary can gain privilege over even root.
    I question how to make such bin with gcc/g++?
    slackware 10.0; kernel 2.6.7
    gcc 3.4.0; glibc 2.3.2; vim editor
    migrating to freebsd 5.4

  2. #2
    Registered User
    Join Date
    Aug 2001
    Posts
    244
    Waaaaaaaait a second... there is no restriction to what root can do!

    I just tried chmod'ing a file to 400... root could still edit it fine.

    Sounds like there's another issue with your system, but I'm far from a linux expert.

  3. #3
    End Of Line Hammer's Avatar
    Join Date
    Apr 2002
    Posts
    6,231
    /etc/shadow is supposed to be accessed by privileged users only. You should grant access to it lightly.

    >>I don't know why that file is only readable by root
    Because it is supposed to hold the users' passwords (encrypted), it's "safer" than storing them in /etc/passwd which must be globally accessible. shadow
    When all else fails, read the instructions.
    If you're posting code, use code tags: [code] /* insert code here */ [/code]

  4. #4
    End Of Line Hammer's Avatar
    Join Date
    Apr 2002
    Posts
    6,231
    >>Yeah, I know what Shadow passwords are,
    I thought you would, I was just picking up on:
    >I don't know why that file is only readable by root
    and
    >Debian machine and it's rw root, r other

    >>but why should the file not be writeable by root
    Don't know, that's a strange one. Maybe it's one extra level of "security" to frighten a newbie haxor... yes it's lame (and pointless), but it's all I can think of!

  5. #5
    End Of Line Hammer's Avatar
    Join Date
    Apr 2002
    Posts
    6,231
    Makes sense now
    http://www.debian.org/doc/manuals/se...to/ch3.en.html
    /etc/shadow
    Only the root user and the group shadow have read access to this file,

  6. #6
    still a n00b Jaguar's Avatar
    Join Date
    Jun 2002
    Posts
    187
    I did not change access permission, -r-------- is the default one.
    Anyway, thanks for all the hints.

    But I still wonder: when I log in as a normal user, I can use /usr/bin/passwd to change /etc/shadow, which is not writeable for normal users.

  7. #7
    End Of Line Hammer's Avatar
    Join Date
    Apr 2002
    Posts
    6,231
    Originally posted by Jaguar
    But I still wonder: when I log in as a normal user, I can use /usr/bin/passwd to change /etc/shadow, which is not writeable for normal users.
    Look at the permissions on /usr/bin/passwd. What are they set to?

  8. #8
    Registered User
    Join Date
    Nov 2002
    Posts
    491
    I could be wrong, but I do not believe suid allows a program to 'set' its UID to 0, it's rather given the UID of 0. A program does not have to be aware if it is suid or not, you can suid any program and it will be given superuser privileges.

    On a side note, besides the given suid apps (passwd being one of them), sudo is a great tool to give specific users the ability to run suid apps.

    (Just thought I'd add my 2 cents)

  9. #9
    Comment your source code! Lynux-Penguin's Avatar
    Join Date
    Apr 2002
    Posts
    533
    I run a few linux boxes, some redhat etc. And all of them have

    -r-------- root root ***** /etc/shadow

    note: no matter what, root can change anything ANYTHING. Like it was the kernel or in control of the kernel. If it can't change something then it's not Unix.
    Asking the right question is sometimes more important than knowing the answer.

  10. #10
    End Of Line Hammer's Avatar
    Join Date
    Apr 2002
    Posts
    6,231
    Do you really think they're still looking nearly 3 months later...?
