Question
2.5 Task 5: Environment variable and Set-UID Programs
Set-UID is an important security mechanism in Unix operating systems. When a Set-UID program runs, it assumes the owner’s privileges. For example, if the program’s owner is root, then when anyone runs this program, the program gains the root’s privileges during its execution. Set-UID allows us to do many interesting things, but it escalates the user’s privilege when executed, making it quite risky. Although the behaviors of Set-UID programs are decided by their program logic, not by users, users can indeed affect the behaviors via environment variables. To understand how Set-UID programs are affected, let us first figure out whether environment variables are inherited by the Set-UID program’s process from the user’s process.
Step 1. We are going to write a program that can print out all the environment variables in the current process.
#include <stdio.h>
extern char **environ;
int main(void) {
    int i = 0;
    /* environ is a NULL-terminated array of "NAME=value" strings */
    while (environ[i] != NULL) {
        printf("%s\n", environ[i]);
        i++;
    }
    return 0;
}
Step 2. Compile the above program, change its ownership to root, and make it a Set-UID program.
Step 3. In your Bash shell (you need to be in a normal user account, not the root account), use the export command to set the following environment variables (they may already exist):
• PATH
• LD_LIBRARY_PATH
• ANY_NAME (this is an environment variable defined by you, so pick whatever name you want).
These environment variables are set in the user’s shell process. Now, run the Set-UID program from Step 2 in your shell. After you type the name of the program in your shell, the shell forks a child process, and uses the child process to run the program. Please check whether all the environment variables you set in the shell process (parent) get into the Set-UID child process. Describe your observation. If there are surprises to you, describe them.
Explanation / Answer
Malware@Malware123:~/prog$
Malware@Malware123:~/prog$ ./a.out
XDG_VTNR=7
LC_PAPER=en_US.UTF-8
LC_ADDRESS=en_US.UTF-8
XDG_SESSION_ID=c2
XDG_GREETER_DATA_DIR=/var/lib/lightdm-data/Malware
SELINUX_INIT=YES
LC_MONETARY=en_US.UTF-8
CLUTTER_IM_MODULE=xim
SESSION=ubuntu
GPG_AGENT_INFO=/run/user/1000/keyring-yxqyKe/gpg:0:1
TERM=xterm
VTE_VERSION=3409
XDG_MENU_PREFIX=gnome-
SHELL=/bin/bash
WINDOWID=65011723
LC_NUMERIC=en_US.UTF-8
UPSTART_SESSION=unix:abstract=/com/ubuntu/upstart-session/1000/1659
GNOME_KEYRING_CONTROL=/run/user/1000/keyring-yxqyKe
GTK_MODULES=overlay-scrollbar:unity-gtk-module
USER=Malware
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:
LC_TELEPHONE=en_US.UTF-8
XDG_SESSION_PATH=/org/freedesktop/DisplayManager/Session0
XDG_SEAT_PATH=/org/freedesktop/DisplayManager/Seat0
SSH_AUTH_SOCK=/run/user/1000/keyring-yxqyKe/ssh
DEFAULTS_PATH=/usr/share/gconf/ubuntu.default.path
SESSION_MANAGER=local/Malware123:@/tmp/.ICE-unix/1838,unix/Malware123:/tmp/.ICE-unix/1838
XDG_CONFIG_DIRS=/etc/xdg/xdg-ubuntu:/usr/share/upstart/xdg:/etc/xdg
DESKTOP_SESSION=ubuntu
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
QT_IM_MODULE=ibus
QT_QPA_PLATFORMTHEME=appmenu-qt5
LC_IDENTIFICATION=en_US.UTF-8
PWD=/home/Malware/prog
JOB=dbus
XMODIFIERS=@im=ibus
GNOME_KEYRING_PID=1650
LANG=en_US.UTF-8
GDM_LANG=en_US
MANDATORY_PATH=/usr/share/gconf/ubuntu.mandatory.path
LC_MEASUREMENT=en_US.UTF-8
COMPIZ_CONFIG_PROFILE=ubuntu
IM_CONFIG_PHASE=1
GDMSESSION=ubuntu
SESSIONTYPE=gnome-session
SHLVL=1
HOME=/home/Malware
XDG_SEAT=seat0
LANGUAGE=en_US:en
GNOME_DESKTOP_SESSION_ID=this-is-deprecated
LOGNAME=Malware
COMPIZ_BIN_PATH=/usr/bin/
DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-7wv6DfJOTK
XDG_DATA_DIRS=/usr/share/ubuntu:/usr/share/gnome:/usr/local/share/:/usr/share/
QT4_IM_MODULE=xim
LESSOPEN=| /usr/bin/lesspipe %s
INSTANCE=
TEXTDOMAIN=im-config
XDG_RUNTIME_DIR=/run/user/1000
DISPLAY=:0
XDG_CURRENT_DESKTOP=Unity
GTK_IM_MODULE=ibus
LESSCLOSE=/usr/bin/lesspipe %s %s
LC_TIME=en_US.UTF-8
TEXTDOMAINDIR=/usr/share/locale/
LC_NAME=en_US.UTF-8
XAUTHORITY=/home/Malware/.Xauthority
COLORTERM=gnome-terminal
_=./a.out
OLDPWD=/home/Malware/prog/cpp
Malware@Malware123:~/prog$
Malware@Malware123:~/prog$ ls -l file.c
-rw-rw-r-- 1 Malware Malware 158 Apr 10 01:52 file.c
Malware@Malware123:~/prog$ sudo chown root file.c
[sudo] password for Malware:
Malware@Malware123:~/prog$ ls -l file.c
-rw-rw-r-- 1 root Malware 158 Apr 10 01:52 file.c
Malware@Malware123:~/prog$
Malware@Malware123:~/prog$ PATH=/usr/local/man/
Malware@Malware123:~/prog$ export PATH
Malware@Malware123:~/prog$
Malware@Malware123:~/prog$ LD_LIBRARY_PATH=/usr/share/
Malware@Malware123:~/prog$ export LD_LIBRARY_PATH
Malware@Malware123:~/prog$
Malware@Malware123:~/prog$ MYNAME=EXAMPLE
Malware@Malware123:~/prog$ export MYNAME
Malware@Malware123:~/prog$
Malware@Malware123:~/prog$
Malware@Malware123:~/prog$ ./a.out
XDG_VTNR=7
LC_PAPER=en_US.UTF-8
LC_ADDRESS=en_US.UTF-8
XDG_SESSION_ID=c2
XDG_GREETER_DATA_DIR=/var/lib/lightdm-data/Malware
SELINUX_INIT=YES
LC_MONETARY=en_US.UTF-8
CLUTTER_IM_MODULE=xim
SESSION=ubuntu
GPG_AGENT_INFO=/run/user/1000/keyring-yxqyKe/gpg:0:1
TERM=xterm
VTE_VERSION=3409
XDG_MENU_PREFIX=gnome-
SHELL=/bin/bash
WINDOWID=65011723
LC_NUMERIC=en_US.UTF-8
OLDPWD=/home/Malware/prog/cpp
UPSTART_SESSION=unix:abstract=/com/ubuntu/upstart-session/1000/1659
GNOME_KEYRING_CONTROL=/run/user/1000/keyring-yxqyKe
GTK_MODULES=overlay-scrollbar:unity-gtk-module
USER=Malware
LD_LIBRARY_PATH=/usr/share/
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:
LC_TELEPHONE=en_US.UTF-8
XDG_SESSION_PATH=/org/freedesktop/DisplayManager/Session0
XDG_SEAT_PATH=/org/freedesktop/DisplayManager/Seat0
SSH_AUTH_SOCK=/run/user/1000/keyring-yxqyKe/ssh
DEFAULTS_PATH=/usr/share/gconf/ubuntu.default.path
SESSION_MANAGER=local/Malware123:@/tmp/.ICE-unix/1838,unix/Malware123:/tmp/.ICE-unix/1838
XDG_CONFIG_DIRS=/etc/xdg/xdg-ubuntu:/usr/share/upstart/xdg:/etc/xdg
DESKTOP_SESSION=ubuntu
PATH=/usr/local/man/
QT_IM_MODULE=ibus
QT_QPA_PLATFORMTHEME=appmenu-qt5
LC_IDENTIFICATION=en_US.UTF-8
PWD=/home/Malware/prog
JOB=dbus
XMODIFIERS=@im=ibus
GNOME_KEYRING_PID=1650
LANG=en_US.UTF-8
GDM_LANG=en_US
MANDATORY_PATH=/usr/share/gconf/ubuntu.mandatory.path
LC_MEASUREMENT=en_US.UTF-8
COMPIZ_CONFIG_PROFILE=ubuntu
IM_CONFIG_PHASE=1
GDMSESSION=ubuntu
MYNAME=EXAMPLE
SESSIONTYPE=gnome-session
SHLVL=1
HOME=/home/Malware
XDG_SEAT=seat0
LANGUAGE=en_US:en
GNOME_DESKTOP_SESSION_ID=this-is-deprecated
LOGNAME=Malware
COMPIZ_BIN_PATH=/usr/bin/
DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-7wv6DfJOTK
XDG_DATA_DIRS=/usr/share/ubuntu:/usr/share/gnome:/usr/local/share/:/usr/share/
QT4_IM_MODULE=xim
LESSOPEN=| /usr/bin/lesspipe %s
INSTANCE=
TEXTDOMAIN=im-config
XDG_RUNTIME_DIR=/run/user/1000
DISPLAY=:0
XDG_CURRENT_DESKTOP=Unity
GTK_IM_MODULE=ibus
LESSCLOSE=/usr/bin/lesspipe %s %s
LC_TIME=en_US.UTF-8
TEXTDOMAINDIR=/usr/share/locale/
LC_NAME=en_US.UTF-8
XAUTHORITY=/home/Malware/.Xauthority
COLORTERM=gnome-terminal
_=./a.out
Malware@Malware123:~/prog$
Observation
We will get the values that we set for PATH, LD_LIBRARY_PATH and the user-defined variable.
Explanation
We are changing the ownership permission of the file to root, so that the file is now under the user root. If any non-root user tries to access the file, a new process will be forked with root permission and the file will be executed under root permission in that process.
Next, we are trying to set the environment variables using the export command. The export command sets the environment variables for all the processes in the system. So even the root users will be accessing the new environment variables set using the export command. That is why we are getting the values that we have set.
Ping me back for any doubts. Thanks.
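
A variant of the Step 1 program that reports which of the exported variables reached the process and whether it was started in secure-execution mode, as an added example that is not part of the original question or answer. It assumes Linux with glibc (for getauxval and AT_SECURE); the helper names env_find, env_missing and is_secure_exec are made up for this example, and MYNAME is the variable name used in the session above.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/auxv.h>

extern char **environ;

/* Return the value of `name` in the envp-style array `env`, or NULL if absent. */
const char *env_find(char *const env[], const char *name) {
    size_t n = strlen(name);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, n) == 0 && env[i][n] == '=')
            return env[i] + n + 1;
    return NULL;
}

/* Store the entries of `names` that are absent from `env` in `missing`
   and return how many there are. */
size_t env_missing(char *const env[], const char *const names[], size_t count,
                   const char *missing[]) {
    size_t m = 0;
    for (size_t i = 0; i < count; i++)
        if (env_find(env, names[i]) == NULL)
            missing[m++] = names[i];
    return m;
}

/* Non-zero when the process was started in secure-execution mode (the
   kernel sets AT_SECURE, e.g. when a Set-UID bit changed the effective
   UID) or when real and effective UID differ. */
int is_secure_exec(void) {
    return getauxval(AT_SECURE) != 0 || getuid() != geteuid();
}

int main(void) {
    /* Variable names taken from the session above (assumption: MYNAME). */
    const char *const names[] = { "PATH", "LD_LIBRARY_PATH", "MYNAME" };
    const char *missing[3];
    printf("ruid=%d euid=%d secure-exec=%d\n",
           (int)getuid(), (int)geteuid(), is_secure_exec());
    size_t m = env_missing(environ, names, 3, missing);
    for (size_t i = 0; i < m; i++)
        printf("not inherited: %s\n", missing[i]);
    if (m == 0)
        printf("all three variables were inherited\n");
    return 0;
}
```

Run it once as built and once after Step 2's ownership and Set-UID changes have been applied to the compiled binary itself (ls -l then shows an s in the owner's execute position). glibc's loader removes LD_LIBRARY_PATH from the environment of a secure-execution process, so the second run is where the output is expected to differ.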