Quote: Originally Posted by sreyan32
Just learning about the privilege escalation method provided by setuid. Correct me if I am wrong, but what it does is change the uid of the current process to whatever uid I set. Right?
Yes, if you have the rights to set the uid bit in the first place which you won't.
Quote:
So what stops me from writing my own C program and calling setuid(0) within it and gaining root privileges?
If you could set the uid bit on your program, you would only be allowing it to run as you (which it would anyway). You cannot set your new executable to be owned by root.
Quote:
If a program has the setuid bit set and the owner is root, then can't I just exec that program into my process and use it to wreak havoc? It's the same problem of gaining root privileges?
Yes, it will run with the privileges of the owner BUT only until that executable ends (and you won't be able to break out of it). After that, it reverts to your rights.
The purpose of setuid is as follows. Take the /etc/passwd file, which holds user account information. No ordinary user can be allowed to edit or delete that file, but wait a minute, an ordinary user needs to be allowed to change their own password, which is stored (encrypted) in that file. So, simply, the command to change the password can be run as root to achieve the password change, but only until that command ends. Other than that, the ordinary user has no rights to the passwd file.