0

I have two users, the first being ace and the second being ej.

ace has a file in its home directory, which is a shell script, with the following permissions set (I have used setuid):

    -rwsr--r-x 1 ace ace 15 Jan 20 05:18 /home/ace/myshellscript

The content of the script is very simple, listed below:

    echo "`whoami`"
    cat ./testPrevEsc

But if I try to read another file owned by ace (testPrevEsc), which I think I can do by just passing cat filename in the $1, I think I should be able to do it, irrespective of the permissions set for others, as long as the owner can read it, but I can't. Why?

My understanding of setuid says that the program or shell executes as if it's being executed by the owner, instead of the executing user (ej in my case), so why can't I read the file, and why am I still getting whoami as ej instead of ace? On the other hand, doing sudo whoami works fine: it gives you root, not the user you are running as. I think I'm missing something here.

1 Answer

0

This is happening because the bash interpreter doesn't have the setuid bit; it's still running with the uid of user ej, and for doing something like this you will have to change the uid of the interpreter.

The following video might be helpful - https://youtu.be/iv5gflNM7rc?si=o-Ren0ow-nmojgAk

The above video's method works only if we are concerned with taking root privileges, because /usr/bin/bash, or whatever shell you are using, will be owned by root itself; but in our case ace is not root, so the way to do it is via a C program like the following.

    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/types.h>
    #include <unistd.h>

    int main(int argc, char const *argv[])
    {
        /* With the setuid bit set on the compiled binary, this is the owner's uid. */
        printf("euid is set to %u\n", (unsigned)geteuid());

        FILE *f = fopen("/home/ace/testPrevEsc", "r");
        if (!f) {
            perror("File open failed");
            return 1;
        } else {
            int c;
            /* Copy the file to stdout one character at a time. */
            while ((c = fgetc(f)) != EOF) {
                putchar(c);
            }

            fclose(f);
        }

        return 0;
    }

This is because calling system will set the effective user ID back to the user which doesn't have permission (in our case ej); that's why we are getting whoami's return value as ej and not ace.
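An audit-style check for the situation in this thread, added here as an example (it is not code from the question or the answer): it reports whether a setuid bit on a file will actually change the effective UID on a typical Linux system, where the kernel ignores the bit on interpreted scripts and on nosuid mounts. The enum and function names are hypothetical, and treating ELF as the only format that honors the bit is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/statvfs.h>

enum suid_effect { SUID_ERROR = -1, SUID_NOT_SET, SUID_IGNORED_SCRIPT,
                   SUID_IGNORED_NOSUID, SUID_HONORED };

/* Decision logic: st_mode from stat(), the first bytes of the file, and
 * whether the containing filesystem is mounted nosuid. */
enum suid_effect classify(mode_t mode, const unsigned char *head, size_t n,
                          int nosuid)
{
    if (!S_ISREG(mode) || !(mode & S_ISUID))
        return SUID_NOT_SET;
    if (nosuid)
        return SUID_IGNORED_NOSUID;
    /* Assumption: only a native ELF image gets the owner's euid. A "#!"
     * script, or plain text run by the calling shell, keeps the caller's IDs. */
    if (n >= 4 && memcmp(head, "\177ELF", 4) == 0)
        return SUID_HONORED;
    return SUID_IGNORED_SCRIPT;
}

/* Gather the inputs for classify() from a real path. */
enum suid_effect classify_path(const char *path)
{
    struct stat st;
    struct statvfs vfs;
    unsigned char head[4] = {0};
    if (stat(path, &st) != 0 || statvfs(path, &vfs) != 0)
        return SUID_ERROR;
    FILE *f = fopen(path, "rb");
    if (!f)
        return SUID_ERROR;
    size_t n = fread(head, 1, sizeof head, f);
    fclose(f);
    return classify(st.st_mode, head, n, (vfs.f_flag & ST_NOSUID) != 0);
}

int main(int argc, char *argv[])
{
    static const char *names[] = { "setuid not set", "setuid ignored (script)",
                                   "setuid ignored (nosuid mount)", "setuid honored" };
    for (int i = 1; i < argc; i++) {
        enum suid_effect e = classify_path(argv[i]);
        printf("%s: %s\n", argv[i], e == SUID_ERROR ? "error" : names[e]);
    }
    return 0;
}
```

Run against /home/ace/myshellscript, it reports the bit as ignored; run against the compiled C program above with the same mode bits, it reports it as honored.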