Search code examples
clinuxshellrootsetuid

setuid(0) fails to execute for root owned program


I need to write some code which can gain root priveleges and execute system level operations. Here's what I've written (this is not the actual code, just to test if I'm doing things correctly or not):

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
int main(void)
{
    int current_uid = getuid();
    printf("My UID is: %d. My GID is: %d\n", current_uid, getgid());
    system("/usr/bin/id");
    if (setuid(0))
    {
        perror("setuid");
        return 1;
    }
    //I am now root!
    printf("My UID is: %d. My GID is: %d\n", getuid(), getgid());
    system("/usr/bin/id");
    //Time to drop back to regular user privileges
    setuid(current_uid);
    printf("My UID is: %d. My GID is: %d\n", getuid(), getgid());
    system("/usr/bin/id");
    return 0;
}

After doing gcc -o setuid setuid.c, I run ls -al on this to get following results:

tarun@staging:~$ ls -al setuid
-rwxr-xr-x 1 tarun tarun 9792 2009-10-03 18:09 setuid
adam@staging:~$

Trying to run the application results in:

tarun@staging:~$ ./setuid
My UID is: 1000. My GID is: 1000
uid=1000(tarun) gid=1000(tarun) groups=1000(tarun),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),125(sambashare),999(bumblebee)
setuid: Operation not permitted

I change the owner to root and set the sticky bits accordingly:

tarun@staging:~$ su - root
Password:
staging:~# cd /home/tarun
staging:/home/tarun# chown root.root setuid
staging:/home/tarun# chmod +s setuid
staging:/home/tarun# ls -al setuid
-rwsr-sr-x 1 root root 9792 2009-10-03 18:09 setuid
staging:/home/tarun# exit
logout
tarun@staging:~$

Executing the program now gives:

adam@staging:~$ ./setuid
My UID is: 1000. My GID is: 1000
uid=1000(tarun) gid=1000(tarun) groups=1000(tarun),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),125(sambashare),999(bumblebee)
setuid: Operation not permitted

While ideally it should have executed fully and changed my uid to 0. What am I doing wrong?


Solution

  • No problem with your code, just check correct setuid / 'sgid' sequence:

    sudo chmod 6775 setuid
    sudo chown root:root setuid
    

    You must set at least SUID, SGID and execution permissions (6555 mask). Also it's common for this case to set user/group write (6775 mask). Of course for security you can limit this to user write mask (6755).

    And please beassure you don't drop permissions during re-compile:

    $ ls -al
    -rwsrwsr-x 1 root  root  8772 Feb  8 17:52 setuid
    

    Just in case you (or future readers) need such guide: What is SUID and how to set SUID in Linux/Unix?

    Regarding to issues with eCryptfs: here is article which should help you: https://wiki.archlinux.org/index.php/ECryptfs