I am trying to understand buffer overflow and setuid. I use this source:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(void){
    char prog[]="/bin/ls -hal";
    char in[8]={0};                 /* 8-byte stack buffer */
    printf("Name of a dir to list : ");
    gets(in);                       /* no bounds check: input longer than 7 bytes overflows 'in' */
    char *cmd;
    cmd=malloc(strlen(prog)+strlen(in)+2);
    if(cmd==NULL) return 1;
    strcpy(cmd, prog);              /* strcpy, not strcat: malloc'd memory is not zeroed */
    strcat(cmd, " ");
    strcat(cmd, in);                /* user input is spliced unquoted into a shell command */
    return system(cmd);
}
After compiling it, I change the owner with:
sudo chown root:root a.out
I set the rights:
sudo chmod 4755 a.out
Now the a.out looks like:
-rwsr-xr-x 1 root root 7544 mai 01:24 a.out
I launch it with my current user (not root), and with ps aux | grep a.out:
root 4656 0.0 0.0 4084 684 pts/0 S+ 01:52 0:00 ./a.out
So that is ok. If my input is:
aaaaaaaaaaaaaaaa/bin/bash;
I get a new shell, but I am not root on it; I am logged in as my current user, and I don't understand why. The owner is root and I set the setuid bit, so the new bash should be launched with root's rights, no?
The setuid flag on an executable program sets the euid (effective UID). Your uid, and not your euid, is passed through to child processes. Before you call the system() command, do:
setuid(geteuid());
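For the reverse point of view, here is a hardened variant of the same listing helper. It is example code added here, not code from the question or the answer: it reads with fgets into a fixed buffer instead of gets, accepts only a conservative character set for the directory name so the input cannot alter the command line that system() hands to /bin/sh, builds the command with snprintf, and permanently drops privileges with setuid(getuid()) on the assumption that listing a directory needs no root rights at all (the opposite direction from the answer's setuid(geteuid())). The whitelist, buffer sizes and error messages are choices made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Example code (not from the question or the answer): hardened variant of
 * the setuid listing helper discussed above. */

/* Remove a trailing newline in place. Returns 1 if one was present (the
 * whole line fitted in the buffer), 0 otherwise (line truncated or EOF). */
int chomp_line(char *buf) {
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    return 0;
}

/* Accept only letters, digits, '/', '.', '_' and '-'. Anything else
 * (';', '|', '&', space, quotes, backticks, '$') is refused because it can
 * change the command line that /bin/sh -c will parse. */
int dir_name_is_safe(const char *s) {
    if (s == NULL || *s == '\0') return 0;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '/' || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Build "/bin/ls -hal <dir>" into out. Returns 0 on success, -1 when the
 * name is rejected or the result would not fit in outsz bytes. */
int build_ls_command(const char *dir, char *out, size_t outsz) {
    if (!dir_name_is_safe(dir)) return -1;
    int n = snprintf(out, outsz, "/bin/ls -hal %s", dir);
    if (n < 0 || (size_t)n >= outsz) return -1;
    return 0;
}

int main(void) {
    char in[64];
    char cmd[128];

    /* Real vs effective UID as seen by this process. Installed as
     * root-owned 4755, geteuid() is 0 while getuid() is the caller. */
    printf("uid=%ld euid=%ld\n", (long)getuid(), (long)geteuid());

    /* Listing a directory needs no privileges (assumption of this example),
     * so drop them for good before reading any user input. */
    if (setuid(getuid()) != 0) {
        perror("setuid");
        return 1;
    }

    printf("Name of a dir to list : ");
    fflush(stdout);
    if (fgets(in, sizeof in, stdin) == NULL) return 1;
    if (!chomp_line(in)) {
        fprintf(stderr, "input too long (max %zu bytes)\n", sizeof in - 1);
        return 1;
    }
    if (build_ls_command(in, cmd, sizeof cmd) != 0) {
        fprintf(stderr, "refusing directory name: %s\n", in);
        return 1;
    }
    return system(cmd);
}
```

Two details from the question are worth checking against this. The USER column of ps aux reports the effective user, which is why the listing showed root even though the real uid was unchanged. And when bash starts with an effective uid that differs from the real uid, it resets the effective uid to the real one unless invoked with -p; that is why the shell spawned through system() came back unprivileged, and why the answer's setuid(geteuid()) (which makes the real uid 0 as well) changes the outcome. The version above closes the question's two defects instead, the unbounded gets and the unquoted input in the command string, and then has no privilege left to lose.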