SUID and SGID: concepts

The Unix access rights flags setuid and setgid (short for “set user ID” and “set group ID”) allow users to run an executable with the file system permissions of the executable’s owner or group respectively and to change behaviour in directories. They are often used to allow users on a computer system to run programs with temporarily elevated privileges in order to perform a specific task. While the assumed user id or group id privileges provided are not always elevated, at a minimum they are specific.

The flags setuid and setgid are needed for tasks that require different privileges than what the user is normally granted, such as the ability to alter system files or databases to change their login password. Some of the tasks that require additional privileges may not immediately be obvious, though, such as the ping command, which must send and listen for control packets on a network interface.

setuid

Effect:

The setuid and setgid flags have different effects depending on whether they are applied to a directory, to a binary executable file, or to a non-binary executable file. The setuid and setgid flags have an effect only on binary executable files and not on scripts (e.g., Bash, Perl, Python).

set user ID, set group ID: set the user ID, set the group ID.

A program with setuid set is a privileged program; once started, it runs as a privileged process.

When the special flag character s appears in the file owner's x permission bit, this is called setuid, SUID for short, or the SUID special permission.

For example:


$ ls -al /usr/bin/passwd 
-rwsr-xr-x 1 root root 68208 7月  15  2021 /usr/bin/passwd

$ file /usr/bin/passwd 
/usr/bin/passwd: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6af93256cb810d90b2f96fc052b05b43b954f5b2, for GNU/Linux 3.2.0, stripped

Uses of SUID and SGID

In general, programs started as root are superuser processes; these are usually important service programs.

In practice, we usually run programs as an ordinary user, for example the www user.

But sometimes an ordinary process needs to access special resources, and then its privileges must be raised to do so.

For example, on Linux the shadow file (which contains the system users' password information) cannot be viewed, modified or deleted by ordinary users, but root can do all of these.


laradock@3a6c2da5a07b:/var/www$ cat /etc/shadow
cat: /etc/shadow: Permission denied

laradock@3a6c2da5a07b:/var/www$ ls -al /etc/shadow
-rw-r----- 1 root shadow 557 Jan 21 16:07 /etc/shadow

The ordinary user laradock can nevertheless modify /etc/shadow through the ELF executable /usr/bin/passwd: the ordinary user has execute permission on /usr/bin/passwd, and /usr/bin/passwd is a SUID privileged program, so it runs with root's read and write permission on /etc/shadow.

How to set SUID

Set the s flag on the x permission bit of the executable file: chmod u/g/o+s elf_file

When writing a privileged program, after raising privileges to access the resource you must always change the privileges back.

PHP example:

<?php

$file = "pwd.txt";
$uid = posix_getuid();    // real user ID (the user who ran the script)
$euid = posix_geteuid();  // effective user ID (root if the interpreter is SUID root)

fprintf(STDOUT, "uid=%d,euid=%d\n", $uid, $euid);

// Setting it this way does not work
// Why not?
// Set the effective user ID of the current process. This is a privileged function and needs appropriate privileges (usually root) on the system to be able to perform this function.
// (posix_setuid() wraps setuid(2) and posix_seteuid() wraps seteuid(2); without
// privilege they only succeed when the requested ID already equals the process's
// real or saved ID, which is why the unprivileged run leaves the IDs unchanged.)
posix_setuid($uid);
posix_seteuid($euid);

$uid = posix_getuid();
$euid = posix_geteuid();

fprintf(STDOUT, "uid=%d,euid=%d\n", $uid, $euid);

// access(2) performs this check with the real user ID, not the effective one
if (posix_access($file, POSIX_W_OK)) {
    fprintf(STDOUT, "我能修改...\n");
    $fd = fopen($file, "a");
    fwrite($fd, "php is the best ?\n");
    fclose($fd);
} else {
    fprintf(STDOUT, "我不能修改此文件...\n");
}

posix_access() (the access(2) system call) checks whether the calling process has the given permission on the specified file; the check is made with the process's real user and group IDs, not its effective IDs.

Before privilege elevation:


$ php demo10.php
uid=1000,euid=1000
uid=1000,euid=1000
我不能修改此文件...

$ cat pwd.txt

After privilege elevation with chmod u+s /usr/bin/php:


$ php demo10.php
uid=1000,euid=0
uid=0,euid=0
我能修改...

$ cat pwd.txt 
php is the best ?
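As an added example (not from the original page), the same real/effective uid handling in C, the language setuid programs are normally written in: the process gives up the owner's privileges while doing ordinary work, regains them only for the privileged step, then drops them permanently and verifies that the drop really happened. The function names are my own; the program assumes a Linux/glibc system.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Did the SUID bit actually raise privileges for this run? */
int is_privileged(void) { return geteuid() != getuid(); }

/* Temporarily give up the owner's privileges: euid becomes the real uid,
   the owner's uid stays in the saved uid so it can be regained later. */
int drop_privs_temporarily(void) {
    uid_t ruid = getuid();
    if (seteuid(ruid) != 0) return -1;
    return geteuid() == ruid ? 0 : -1;
}

/* Regain the owner's uid (kept in the saved uid) for the privileged step only. */
int raise_privs(uid_t owner_uid) {
    if (seteuid(owner_uid) != 0) return -1;
    return geteuid() == owner_uid ? 0 : -1;
}

/* Permanently drop: real, effective and saved ids all become the real ids.
   The gid is changed first, while the uid privilege is still held.
   The result is verified, because a silently failed drop is the classic bug. */
int drop_privs_permanently(void) {
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    uid_t r, e, s;
    if (setresgid(rgid, rgid, rgid) != 0) return -1;
    if (setresuid(ruid, ruid, ruid) != 0) return -1;
    if (ruid != 0 && seteuid(0) == 0) return -1;  /* regaining root must now fail */
    if (getresuid(&r, &e, &s) != 0) return -1;
    return (r == ruid && e == ruid && s == ruid) ? 0 : -1;
}

int main(void) {
    uid_t owner = geteuid();  /* uid granted by the SUID bit, if any */
    printf("start:   uid=%u euid=%u privileged=%d\n", (unsigned)getuid(), (unsigned)geteuid(), is_privileged());
    if (drop_privs_temporarily() != 0) return 1;
    printf("dropped: uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    /* ... unprivileged work, e.g. parsing user-supplied input, goes here ... */
    if (raise_privs(owner) != 0) return 1;
    printf("raised:  uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    /* ... the single privileged operation, e.g. updating /etc/shadow, goes here ... */
    if (drop_privs_permanently() != 0) return 1;
    printf("final:   uid=%u euid=%u privileged=%d\n", (unsigned)getuid(), (unsigned)geteuid(), is_privileged());
    return 0;
}
```

Run as an ordinary user the three stages print the same uid and euid; installed with chmod u+s and owned by root, the "start" and "raised" lines show euid=0 and the "final" line shows the privilege gone for good.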