Professional Documents
Culture Documents
Midterm1 2
Midterm1 2
Midterm1 2
Set-UID
1. Alice runs a Set-UID program that is owned by Bob. The program
tries to read from /tmp/x, which is readable to Alice, but not to
anybody else. Can this program successfully read from the file?
No. The Set-UID program owned by Bob will try to read /tmp/x
as Bob, and not Alice. And since only Alice can access that
file, the program cannot.
2. A process tries to open a file for read. The process's effective user
ID is 1000, and real user ID is 2000. The file is readable to user ID
2000, but not to user ID 1000. Can this process successfully open
the file? No. Since the effective user ID doesn't have access to
the file, the process cannot open it.
3. A root-owned Set-UID program allows a normal user to gain the
root privilege while executing the program. What prevents the user
from doing bad things using the privilege? Good programming
practices while writing the set-uid program. By not mixing
user input with trusted data, and not using vulnerable APIs
such as system, the root program will be very limited in scope
as to what it can do.
4. We are trying to turn a program prog owned by the seed user into
a Set-UID program that is owned by root. Can running the
following commands achieve the goal?
$ sudo chmod 4755 prog
$ sudo chown root prog
The first command sets the Set-UID bit on the program by
using the chmod command with the numeric value 4755. This
value sets the Set-UID bit and ensures that the program runs
with the privileges of the owner (root) when executed.
When you run the command prog < /etc/shadow, the shell creates a new file
descriptor (in this case, standard input) that is connected to the /etc/shadow
file, and the program prog reads from that file descriptor as if it was
reading from the terminal.
However, in the case of a Set-UID program, the program runs with the
privileges of the file owner (in this case, the root user), but it does not run
as the root user. Therefore, the program is not allowed to access files
outside of the permitted directories, even if the file is specified as a file
descriptor through standard input.
In other words, the program prog can only access the /etc/shadow file if it is
explicitly opened by the program using the appropriate file I/O functions
(such as open()), and not through the file descriptor provided by the shell.
Therefore, the command prog < /etc/shadow is not a security risk to the
/etc/shadow file, even if prog is a privileged program.
Is this conversation helpful so far?
dịch câu trả lời vừa rồi sang tiếng việt
No, you cannot use the method prog < /etc/shadow to get the privileged
program prog to read the /etc/shadow file, even if prog is a root-owned Set-
UID program.
When you run the command prog < /etc/shadow, the shell creates a new file
descriptor (in this case, standard input) that is connected to the /etc/shadow
file, and the program prog reads from that file descriptor as if it was
reading from the terminal.
However, in the case of a Set-UID program, the program runs with the
privileges of the file owner (in this case, the root user), but it does not run
as the root user. Therefore, the program is not allowed to access files
outside of the permitted directories, even if the file is specified as a file
descriptor through standard input.
In other words, the program prog can only access the /etc/shadow file if it is
explicitly opened by the program using the appropriate file I/O functions
(such as open()), and not through the file descriptor provided by the shell.
Therefore, the command prog < /etc/shadow is not a security risk to the
/etc/shadow file, even if prog is a privileged program.
However, this does not necessarily pose a danger, as the child process
is not directly accessing the /etc/shadow file or other sensitive
resources. The risk of capability leaking only becomes a concern if
the child process passes these access rights to another process, or if
the child process itself is vulnerable to attacks that exploit these
access rights.
$ /usr/bin/env
$ /usr/bin/strings /proc/$$/environ
The /usr/bin/env and /usr/bin/strings /proc/$$/environ
commands are used for different purposes when working with environment variables
in a Linux environment.
variables specified on the command line. It's useful when you want to run commands
with a specific environment, like a particular version of a programming language or
interpreter. If used without any additional arguments, env will print the current
environment variables for the user.
5. Bob says that he never uses any environment variable in his code,
so he does not need to worry about any security problem caused
by environment variables. Is he correct?
No, Bob is not entirely correct. While Bob may not use environment variables directly
in his code, it's still possible for his code to be impacted by security issues related to
environment variables. I can illustrate the potential risks with the PATH and
LD_LIBRARY environment variables.
The PATH environment variable tells the system where to look for executable files. If
an attacker manages to modify Bob's PATH variable, they could potentially replace a
legitimate program with a malicious one. As a consequence, when Bob's code runs
the legitimate program, the malicious one might be executed instead. So, even
though Bob does not use any environment variables directly in his code, it's
important to be aware of the security issues related to environment variables and to
take appropriate precautions to protect the environment. Keeping the environment
variables clean, and limiting the permissions of environment variables, can help
prevent such security issues.
The PATH environment variable in the current shell will impact the behavior of
the system() function in two primary ways:
Identifying the executable: When abc calls the system() function trying
to execute xyz, the system will first look at the directories mentioned in
the PATH variable to locate the xyz program. This means that the content
of the PATH variable in the current shell determines the actual executable
file that gets loaded.
secure_getenv():
Advantages of secure_getenv():
· LD_AUDIT
· LD_DEBUG_OUTPUT.
LD_AUDIT
LD_DEBUG_OUTPUT
10. There are two typical approaches for letting normal users do
privileged tasks, one is to write a root-owned Set-UID program,
and let the user run; another approach is to use a dedicated root
daemon to do those privileged tasks for users. Please compare the
attack surfaces of these two approaches, and describe which one
is more secure.
Both approaches have their own potential attack surfaces, and the
choice between them depends on the specific use case.