Bdtyktl

I have some questions about setuid binary.
I know it exists some dangerous program (if you permit to use this program with sudo, it is possible to escape from the program and get a root shell) like ftp, gdb or find.
For example, if i can make a sudo ftp with root rights, i can then enter !/bin/bash and get a root shell.

So i was thinking it was the same problem for this binary if they've got the suid bit. So i tried on my computer and here is the problem.
I put suid right on /usr/bin/netkit-ftp (/usr/bin/ftp is a symbloic link to /usr/bin/netkit-ftp).
Here is the result of ls -l /usr/bin/netkit-ftp

-rwsr-xr-x 1 root root 96968 déc.   6  2016 /usr/bin/netkit-ftp

Then i tried to use ftp and enter !whoami. And the result is not root (it'm my current username).

I dont understand why ? If the binary /usr/bin/netkit-ftp got suid bit, it is supposed to be execute with root permission, no ? (so why my whoami isn't returning me root ?)

Cordially :)

Each process has at least two UID sets (usually three or more). One of them is the "real" UID, which determines what user owns the process. The other is the "effective" UID, which determines the permissions that the process has. You can find the Linux description in credentials(7).

When a 'setuid' program starts, only its "effective" UID is changed, so that it has the new privileges but still knows who launched it. (That's how sudo knows who you are, even though it's setuid.)

Example:

$ sudo cp /bin/id /bin/test-id

$ sudo chmod u+s,g+s /bin/test-id



$ ls -la /bin/test-id

-rwsr-sr-x 1 root root 42K Jan  4 11:59 /bin/test-id*



$ /bin/test-id

uid=1000(grawity) gid=1000(grawity) euid=0(root) egid=0(root) groups=1000(grawity),3(sys),4(adm),10(wheel),100(users)

A freshly started program like this will already have root privileges. For example, if you give the setuid bit to cat or less, then any user will be able to read root-only files.

Programs can change this state in two directions: they can change both UIDs to EUID (fully "becoming root"), or they can change both to the real UID (dropping privileges and returning to your "normal" user). I think sudo does the former, but you'll also often see many programs doing the latter.

Note that the bash shell also does the latter: if you try to give the setuid bit to /bin/bash, it will relinquish its setuid privileges on startup, unless it was started with the -p (--privileged) option. You can see this in bash's flags.c and shell.c.

This is important because when you use ! in ftp, the provided command isn't executed directly; it's actually run through a shell, and what applies to the shell also applies to !-commands. That is, the sh process started by ftp will actually inherit the setuid state (euid=0) exactly as you expect, but will relinquish it before running the provided command.

(This means that entering !/bin/bash actually runs *two* shell processes: the first one has the right euid but drops privileges before starting the second one.)

You can test (and bypass) this by telling ftp to use something else as the initial shell:

$ ls -l /bin/id /bin/test-ftp

-rwxr-xr-x 1 root root  42K Aug 19 12:54 /bin/id*

-rwsr-sr-x 1 root root 137K Jan  4 12:08 /bin/test-ftp*



$ SHELL=/bin/id /bin/test-ftp

ftp> !

uid=1000(grawity) gid=1000(grawity) euid=0(root) egid=0(root) groups=0(root),3(sys),4(adm),10(wheel),100(users)

ftp>

(Note: Not all programs look at $SHELL; some always use /bin/sh, or no shell at all.)