Set-UID Lab

// This CSDN blog is no longer being updated for now; if you are interested, please visit my technical blog, Xiao's Blog: zhangxiaolong.org

I am writing this blog mainly to summarize and record what I have learned, in the hope that it helps others studying the same material. This is my first blog post and my experience is limited; I will keep practising.

For the experimental procedure I followed a very capable senior classmate; his Set-UID blog is at http://blog.sina.com.cn/s/blog_70dd16910100pz8k.html. I hope it is useful to everyone.

This is the first experiment of the information security lab course. It has 7 tasks, and each task has screenshots of the steps.

1. Figure out why "passwd", "chsh", "su", and "sudo" commands need to be Set-UID programs. What will happen if they are not? If you are not familiar with these programs, you should first learn what they can do by reading their manuals. Please copy these commands to your own directory; the copies will not be Set-UID programs. Run the copied programs, and observe what happens.

The experiment screenshots follow:

Figure 1

Figure 2

As Figures 1 and 2 show, the passwd program copied to /home/seed no longer has root privilege, and therefore no longer has permission to change passwords. The same reasoning applies to chsh, su and so on.

2.  Run Set-UID shell programs in Linux, and describe and explain your observations.

(a) Login as root, copy /bin/zsh to /tmp, and make it a set-root-uid program with permission 4755. Then login as a normal user, and run /tmp/zsh. Will you get root privilege? Please describe your observation. If you cannot find /bin/zsh in your operating system, please use the following command to install it. Note: in our pre-built Ubuntu VM image, zsh is already installed.

For Fedora:
$ su
Password: (enter root password)
# yum install zsh

For Ubuntu:
$ su
Password: (enter root password)
# apt-get install zsh

Figure 3

As Figure 3 shows, root privilege is obtained.

(b) Instead of copying /bin/zsh, this time, copy /bin/bash to /tmp, make it a set-root-uid program. Run /tmp/bash as a normal user. Will you get root privilege? Please describe and explain your observation.

Figure 4

As Figure 4 shows, root privilege is not obtained. The experiment shows that /bin/bash has some built-in protection mechanism that prevents abuse of the Set-UID mechanism.

3. (Setup for the rest of the tasks) As you can find out from the previous task, /bin/bash has certain built-in protection that prevents the abuse of the Set-UID mechanism. To see the life before such a protection scheme was implemented, we are going to use a different shell program called /bin/zsh. In some Linux distributions (such as Fedora and Ubuntu), /bin/sh is actually a symbolic link to /bin/bash. To use zsh, we need to link /bin/sh to /bin/zsh. The following instructions describe how to change the default shell to zsh.

$ su
Password: (enter root password)
# cd /bin
# rm sh
# ln -s zsh sh

Figure 5

4. The PATH environment variable. The system(const char *cmd) library function can be used to execute a command within a program. The way system(cmd) works is to invoke the /bin/sh program, and then let the shell program execute cmd. Because of the shell program invoked, calling system() within a Set-UID program is extremely dangerous. This is because the actual behavior of the shell program can be affected by environment variables, such as PATH; these environment variables are under the user's control. By changing these variables, malicious users can control the behavior of the Set-UID program. The Set-UID program below is supposed to execute the /bin/ls command; however, the programmer only uses the relative path for the ls command, rather than the absolute path:

#include <stdlib.h>

int main()
{
    system("ls");
    return 0;
}

(a) Can you let this Set-UID program (owned by root) run your code instead of /bin/ls? If you can, is your code running with the root privilege? Describe and explain your observations.

Figure 6

Yes. Running as root:
(1) First compile the following program as root and set its Set-UID bit.

    #include <stdlib.h>

    int main()
    {
        system("ls");
        return 0;
    }

Running as a normal user:
(2) Copy sh to /tmp and name it ls.
(3) Change the PATH environment variable to /tmp.
(4) Run the Set-UID program written by the root user.
Result: querying with the /usr/bin/id command shows that the user's euid has become 0.

(b) Now, change /bin/sh so it points back to /bin/bash, and repeat the above attack. Can you still get the root privilege? Describe and explain your observations.

Root privilege cannot be obtained, because bash has some internal security mechanism.
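The following is an added example, written for this post and not part of the SEED lab or the original blog, showing the two sides of this task in C: path_candidates() lists, in order, where /bin/sh would look for a bare name such as ls under a given PATH (the first directory wins, and the caller sets PATH), and run_ls_hardened() is the form a Set-UID program should use instead of system("ls"): an absolute path, no shell, and an environment the program itself chooses. Both function names and the constructed PATH string are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* List the "dir/cmd" candidates /bin/sh would try, in order, for a bare
 * command name under the given PATH.  The first entry wins, and PATH is
 * entirely under the caller's control: that is why a Set-UID program
 * must not rely on it.  An empty PATH entry (leading, trailing or "::")
 * means the current directory, which is handled explicitly here. */
int path_candidates(const char *cmd, const char *path, char out[][256], int max)
{
    int n = 0;
    const char *p = path;
    while (n < max) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0)
            snprintf(out[n++], 256, "./%s", cmd);
        else
            snprintf(out[n++], 256, "%.*s/%s", (int)len, p, cmd);
        if (colon == NULL)
            break;
        p = colon + 1;
    }
    return n;
}

/* Hardened replacement for system("ls"): no shell, an absolute path,
 * argv assembled by the program, and an environment the program chose
 * (the caller's PATH, LD_PRELOAD, IFS, ... are not inherited).  Returns
 * the child's exit status, 127 if execve failed, or -1 on fork/wait error. */
int run_ls_hardened(const char *dir)
{
    char *const argv[] = { "/bin/ls", (char *)dir, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127);                   /* reached only if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cand[8][256];
    /* Constructed PATH with a world-writable directory listed first. */
    int n = path_candidates("ls", "/tmp:/usr/bin:/bin", cand, 8);
    for (int i = 0; i < n; i++)
        printf("lookup %d: %s\n", i + 1, cand[i]);
    printf("/bin/ls exited with status %d\n", run_ls_hardened("/"));
    return 0;
}
```

An absolute path alone is not enough: system() still starts /bin/sh, which reads other variables from the caller's environment, so the robust fix is to drop the shell entirely, as run_ls_hardened() does.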

5. The difference between system() and execve(). Before you work on this task, please make sure that /bin/sh is pointed to /bin/zsh. Background: Bob works for an auditing agency, and he needs to investigate a company for a suspected fraud. For the investigation purpose, Bob needs to be able to read all the files in the company's Unix system; on the other hand, to protect the integrity of the system, Bob should not be able to modify any file. To achieve this goal, Vince, the superuser of the system, wrote a special set-root-uid program (see below), and then gave the executable permission to Bob. This program requires Bob to type a file name at the command line, and then it will run /bin/cat to display the specified file. Since the program is running as root, it can display any file Bob specifies. However, since the program has no write operations, Vince is very sure that Bob cannot use this special program to modify any file.

#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    char *v[3];

    if (argc < 2) {
        printf("Please type a file name.\n");
        return 1;
    }

    v[0] = "/bin/cat"; v[1] = argv[1]; v[2] = 0;

    /* Set q = 0 for Question a, and q = 1 for Question b */
    int q = 0;
    if (q == 0) {
        char *command = malloc(strlen(v[0]) + strlen(v[1]) + 2);
        sprintf(command, "%s %s", v[0], v[1]);
        system(command);
    }
    else execve(v[0], v, 0);

    return 0;
}

(a) Set q = 0 in the program. This way, the program will use system() to invoke the command. Is this program safe? If you were Bob, can you compromise the integrity of the system? For example, can you remove any file that is not writable to you? (Hint: remember that system() actually invokes /bin/sh, and then runs the command within the shell environment. We have tried the environment variable in the previous task; here let us try a different attack. Please pay attention to the special characters used in a normal shell environment).

This command is not safe. Bob, out of curiosity or driven by personal interest, could read or modify files that only the root user may operate on, as shown in the figure.

Figure 7

(b) Set q = 1 in the program. This way, the program will use execve() to invoke the command. Do your attacks in task (a) still work? Please describe and explain your observations.

It no longer works. The attack in (a) works because system(), running with root privilege, goes on to execute the mv file file_new command after executing cat file. When q = 1, execve() treats "file; mv file file_new" as a single file name, and the system reports that no such file exists. The screenshot follows:

Figure 8
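Added example (mine, not Vince's program from the lab): the same /bin/cat invocation built both ways, so the difference between system() and execve() can be seen without running anything as root. build_shell_command() is the sprintf() construction from the program above; is_safe_filename() is an assumed allow-list check that a wrapper like this should apply to its argument before doing anything with it; cat_file_execve() passes the name as a single argv element with an empty environment. The sample inputs in main() are constructed, including the "file; mv file file_new" string discussed in (b).

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* The vulnerable construction from the task: the file name is pasted
 * into a command line that system() hands to /bin/sh, so characters
 * such as ';', '|', '&', '$', '`', '>', '<' and whitespace are parsed
 * by the shell rather than treated as part of the name. */
char *build_shell_command(const char *prog, const char *arg)
{
    char *cmd = malloc(strlen(prog) + strlen(arg) + 2);
    if (cmd != NULL)
        sprintf(cmd, "%s %s", prog, arg);
    return cmd;                        /* caller frees */
}

/* Allow-list check a Set-UID wrapper should apply to user input before
 * using it at all: only [A-Za-z0-9._/-], non-empty, and not starting
 * with '-' so the name cannot be read as an option.  Returns 1 if safe. */
int is_safe_filename(const char *name)
{
    if (name[0] == '\0' || name[0] == '-')
        return 0;
    for (const char *p = name; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '/' || c == '-'))
            return 0;
    }
    return 1;
}

/* The execve() form: the name is one argv element that no shell ever
 * parses, and the child gets an empty environment.  Returns cat's exit
 * status, 127 if execve failed, or -1 on fork/wait failure. */
int cat_file_execve(const char *file)
{
    char *const argv[] = { "/bin/cat", (char *)file, NULL };
    char *const envp[] = { NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a plain name and the "file; mv ..." form from (b). */
    const char *names[] = { "/etc/hosts", "file; mv file file_new" };
    for (int i = 0; i < 2; i++) {
        char *cmd = build_shell_command("/bin/cat", names[i]);
        printf("system() would run : %s\n", cmd);
        printf("allow-list verdict : %s\n",
               is_safe_filename(names[i]) ? "accept" : "reject");
        free(cmd);
    }
    printf("execve(/bin/cat /etc/hosts) exit status: %d\n",
           cat_file_execve("/etc/hosts"));
    return 0;
}
```

Even with execve(), validating the argument matters: a name beginning with '-' would be read by cat as an option, and the wrapper still lets Bob read any file root can, which is the intended behaviour but belongs in the program's threat model.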

6. The LD_PRELOAD environment variable.

To make sure Set-UID programs are safe from the manipulation of the LD_PRELOAD environment variable, the runtime linker (ld.so) will ignore this environment variable if the program is a Set-UID root program, except for some conditions. We will figure out what these conditions are in this task.

(a) Let us build a dynamic link library. Create the following program, and name it mylib.c. It basically overrides the sleep() function in libc:

#include <stdio.h>

void sleep(int s)
{
    printf("I am not sleeping!\n");
}

(b) We can compile the above program using the following commands (in the -Wl argument, the third character is the letter l, not the digit 1; in the -lc argument, the second character is the letter l):

% gcc -fPIC -g -c mylib.c
% gcc -shared -Wl,-soname,libmylib.so.1 \
      -o libmylib.so.1.0.1 mylib.o -lc

(c) Now, set the LD_PRELOAD environment variable:

% export LD_PRELOAD=./libmylib.so.1.0.1

(d) Finally, compile the following program myprog (put this program in the same directory as libmylib.so.1.0.1):

/* myprog.c */
#include <unistd.h>

int main()
{
    sleep(1);
    return 0;
}

Please run myprog under the following conditions, and observe what happens. Based on your observations, tell us when the runtime linker will ignore the LD_PRELOAD environment variable, and explain why.

- Make myprog a regular program, and run it as a normal user.

In this case the LD_PRELOAD environment variable is ignored; sleep is not overridden and the system's own sleep function is used.

Figure 9

- Make myprog a Set-UID root program, and run it as a normal user.

In this case the LD_PRELOAD environment variable is used, and the overridden sleep function is called.

Figure 10

- Make myprog a Set-UID root program, and run it in the root account.

In this case the LD_PRELOAD environment variable is ignored.

Figure 11

Figure 12

Figure 13

- Make myprog a Set-UID user1 program (i.e., the owner is user1, which is another user account), and run it as a different user (not-root user).
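The condition the task asks about can be checked directly from inside a program. The following is an added example (not from the lab or this post) that reads the AT_SECURE entry the kernel places in the auxiliary vector when a binary is executed with an effective uid or gid different from the real one; ld.so uses that flag to decide whether LD_PRELOAD is honoured. loader_secure_mode() and loader_visible_env() are names chosen for the example, and it is Linux/glibc specific.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/auxv.h>

/* 1 if the kernel flagged this process as "secure" (AT_SECURE), which it
 * does when the effective uid or gid differs from the real one at exec,
 * i.e. for Set-UID / Set-GID binaries run by someone other than their
 * owner.  ld.so reads this flag and ignores LD_PRELOAD (and the other
 * LD_* variables) when it is set. */
int loader_secure_mode(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* What secure_getenv(3) does: report a variable as absent in secure
 * mode.  A Set-UID program should read anything that influences loading
 * or command execution (LD_PRELOAD, PATH, IFS, ...) through a check
 * like this, or not at all. */
const char *loader_visible_env(const char *name)
{
    return loader_secure_mode() ? NULL : getenv(name);
}

int main(void)
{
    printf("real uid %u, effective uid %u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    printf("AT_SECURE: %s\n", loader_secure_mode()
           ? "set (ld.so ignores LD_PRELOAD)"
           : "clear (ld.so honours LD_PRELOAD)");
    const char *p = loader_visible_env("LD_PRELOAD");
    printf("LD_PRELOAD as this program should see it: %s\n", p ? p : "(none)");
    return 0;
}
```

Compile it and run it under the four conditions of the task: the AT_SECURE line shows directly which cases the loader treats as secure, and loader_visible_env() shows the safe way for a Set-UID program to consult any variable that influences what it loads or executes.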

7. Relinquishing privileges and cleanup.

To be more secure, Set-UID programs usually call the setuid() system call to permanently relinquish their root privileges. However, sometimes this is not enough. Compile the following program, and make the program a set-root-uid program. Run it in a normal user account, and describe what you have observed. Will the file /etc/zzz be modified? Please explain your observation.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

int main()
{
    int fd;

    /* Assume that /etc/zzz is an important system file,
       and it is owned by root with permission 0644 */
    fd = open("/etc/zzz", O_RDWR | O_APPEND);

    /* Simulate the tasks conducted by the program */
    sleep(1);

    /* After the task, the root privileges are no longer needed,
       it's time to relinquish the root privileges permanently. */
    setuid(getuid()); /* getuid() returns the real uid */

    if (fork()) { /* In the parent process */
        close(fd);
        exit(0);
    } else { /* in the child process */
        /* Now, assume that the child process is compromised, malicious
           attackers have injected the following statements
           into this process */
        write(fd, "Malicious Data", 14);
        close(fd);
    }
    return 0;
}

Figure 14

Figure 15

Figure 16
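The program above leaks the descriptor: the child still holds fd after the uid has changed, and setuid()'s result is never checked. The following added example (not the lab's code) keeps the program's structure but fixes both points, and runs the leaky and hardened variants side by side on a scratch file in /tmp that stands in for /etc/zzz, so it can be tried as an ordinary user. drop_privileges_permanently(), run_leaky(), run_hardened(), make_scratch_file() and file_size() are names chosen for the example; the drop uses the Linux-specific setresuid()/setresgid() calls.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Linux-specific calls, declared explicitly so the example builds
 * whatever feature-test macros are in effect. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setgroups(size_t size, const gid_t *list);

/* Drop to the real uid/gid for good and verify it.  The task's program
 * ignores setuid()'s return value; this version fails closed, drops the
 * supplementary groups first (impossible once the uid is gone), sets
 * real, effective and saved ids together, and re-reads them. */
int drop_privileges_permanently(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) return -1;
    return (r == uid && e == uid && s == uid) ? 0 : -1;
}

/* Skeleton of the task's program.  leak == 1 keeps the descriptor open
 * across the privilege drop and fork (the lab's bug); leak == 0 closes
 * it first.  Returns the number of bytes the simulated compromised child
 * managed to append, or -1 on error. */
static int run(const char *path, int leak)
{
    int fd = open(path, O_RDWR | O_APPEND);
    if (fd < 0) return -1;
    /* ... privileged work would happen here ... */
    if (!leak) close(fd);            /* close BEFORE dropping privileges */
    if (drop_privileges_permanently() != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* The injected statements from the task, run in the child. */
        ssize_t n = write(fd, "Malicious Data", 14);
        _exit(n < 0 ? 0 : (int)n);   /* write fails with EBADF if fd was closed */
    }
    if (leak) close(fd);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int run_leaky(const char *path)    { return run(path, 1); }
int run_hardened(const char *path) { return run(path, 0); }

/* Create an empty scratch file standing in for /etc/zzz (constructed for
 * the demo, never a real system file).  Returns 0 and fills buf. */
int make_scratch_file(char *buf, size_t len)
{
    snprintf(buf, len, "/tmp/zzz-demo-%ld", (long)getpid());
    int fd = open(buf, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

int main(void)
{
    char path[64];
    if (make_scratch_file(path, sizeof path) != 0) return 1;
    printf("leaky    : child appended %d bytes\n", run_leaky(path));
    printf("hardened : child appended %d bytes\n", run_hardened(path));
    printf("%s is now %ld bytes\n", path, file_size(path));
    unlink(path);
    return 0;
}
```

As an ordinary user the privilege drop is a no-op, but the descriptor-leak half of the bug reproduces exactly: the leaky run reports 14 bytes appended, the hardened run 0. The ordering is the point to remember: close (or mark close-on-exec) every privileged descriptor, drop supplementary groups, then the gid, then the uid, check every return value, and verify with getresuid() before doing anything on behalf of the user.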

Time: 2024-09-20 13:18:20
