SetUID Programs: passwd, sudo, …#

Problem: Change My Password#

  • /etc/passwd: Unix user database

    /etc/passwd structure#
    $ grep jfasch /etc/passwd
jfasch:x:1000:1000:Joerg Faschingbauer:/home/jfasch:/bin/bash
    /etc/passwd permissions#
    $ ls -l /etc/passwd
-rw-r--r--. 1 root root 2691 Nov  2 10:01 /etc/passwd

    ⟶ not writeable

  • Column 1 - "x" - means “Encrypted password is in /etc/shadow” ⟶ no need to write /etc/passwd, alas

    /etc/shadow permissions#
    $ ls -l /etc/shadow
----------. 1 root root 1317 Nov  2 10:01 /etc/shadow

    not even readable!

  • Problem: I cannot change my password

    Only root can do that

  • Solution: ask root to change my password

    Send the output of this command to root, and ask her to enter it into /etc/shadow:

    $ openssl passwd -6 -salt my-cool-salt
Password: <... enter cleartext password ...>
$6$my-cool-salt$MDMCKQvPfaqqUqyPVZjjkIhsBKKcNIOgKNXtiOBvBFw8u7zUF3.0g2RQR9CnyDnQQ5Unt/Wpu8jyZeUXKTApl0

  • Problem: imagine 100 users doing this per day ⟶ root burnout!

Solution: Set-UID Bit#

Note

First off: ugly hack with severe security implications

  • Turns out I (as jfasch) can change my password

    $ passwd
Changing password for user jfasch.
Current password:
New password:
Retype new password:

    ⟶ Done!

  • How come? ⟶ Set-UID

    $ which passwd
/usr/bin/passwd
[jfasch@fedora ~]
$ ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 32712 Jan 30  2021 /usr/bin/passwd

    ⟶ “s”, a-ha

Set-UID: How Does It Work?#

  • Another bit in the “mode” bitmask

  • When that bit (the set-UID bit) is set, the process’s effective user ID becomes that of the owner of the file program

    • In the case of /usr/bin/passwd, this would be root (UID: 0)

    • A program owned by jfasch would run with that user’s privileges, no matter who executed it

Command: chmod#

$ chmod 4755 program

… or …

$ chmod u+s program

Set-UID Is Not A Toy!#

See SetUID: Live Demo