PDA

View Full Version : how to gain privilege



Jaguar
01-03-2003, 10:43 AM
File /etc/shadow belongs to root, and access permission is set to 400 or "-r--------" (unless chmod).
So it can't be modified by even root.
But when I login as a normal user (UID 500 up) and I change password with the command /usr/bin/passwd, file /etc/shadow is consequently changed.
I think such binary can gain privilege over even root.
I question how to make such bin with gcc/g++?

Captain Penguin
01-03-2003, 02:37 PM
Waaaaaaaait a second... there is no restriction to what root can do!

I just tried chmod'ing a file to 400... root could still edit it fine.

Sounds like there's another issue with your system, but I'm far from a linux expert.

Hammer
01-03-2003, 08:29 PM
/etc/shadow is supposed to be accessed by privilaged users only. You should grant access to it lightly.

>>I don't know why that file is only readable by root
Because it is supposed to hold the users passwords (encrypted), its "safer" than storing them in /etc/passwd which must be globally accessable. shadow (http://www.rt.com/man/shadow.5.html)

Hammer
01-03-2003, 08:48 PM
>>Yeah, I know what Shadow passwords are,
I thought you would ;) I was just picking up on:
>I don't know why that file is only readable by root
and
>Debian machine and it's rw root, r other

>>but why should the file not be writeable by root
Don't know, that's a strange one. Maybe it's one extra level of "security" to frighten a newbie haxor... yes it's lame (and pointless), but it's all I can think of!

Hammer
01-03-2003, 08:57 PM
Makes sense now :)


http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html
/etc/shadow
Only the root user and the group shadow have read access to this file,

Jaguar
01-04-2003, 10:55 AM
I did not change access permission, -r-------- is default one.
Anyway thank for all hints.

But I still w:onder when I login as a normal user, I can use /usr/bin/passwd to change /etc/shadow, which is not writeable for normal users.

Hammer
01-04-2003, 06:47 PM
Originally posted by Jaguar
But I still w:onder when I login as a normal user, I can use /usr/bin/passwd to change /etc/shadow, which is not writeable for normal users.
Look at the permissions on /usr/bin/passwd. What are they set to?

orbitz
01-13-2003, 09:40 PM
I could be wrong, but I do not belive suid allows a program to 'set' it's UID to 0, it's rather given the UID of 0. A program does not have to be aware if it is suid or not, you can suid any program and it will be given super users priveleges.

On a side note, besides the given suid apps (passwd being one of them), sudo is a great tool to give specific users the ability to run suid apps.

(Just thought I'd add my 2 cents)

Lynux-Penguin
04-06-2003, 02:05 PM
I run a few linux boxes some redhat etc. And all of them
have

-r-------- root root ***** /etc/shadow

note: no matter what, root can change anything ANYTHING. Like it was the kernel or in control of the kernel. If it can't change something then it's not Unix.

Hammer
04-06-2003, 02:30 PM
Do you really think they're still looking nearly 3 months later...?