reverted to the old exec way

this branch will contain a version of us which doesn't use a subshell as a proxy but directly applies the privilege escalation to the command
4 years ago · 72c217d74a
parent a666081599
commit 72c217d74a
2 changed files with 38 additions and 17 deletions
--- a/11
+++ b/11
@ -4,4 +4,13 @@
 	* SHELL -> to the target user's SHELL
 	* HOME -> to the target user's HOME

- Reconsider executing programs in a subshell
+- fork before exec, that is because processes might try to kill us or the 
+	command but since they may run under elevated privileges they will get
+	permission denied error. If we remain the parent processes, unprivileged
+	proceses can send signals to us and we will relay them to our children
+	running at the same privilege as us. This is useful when:
+		- The child command hangs and we want to cose it, kinda
+			problematic but we could run kill with us as well
+		- The parent shell dies and children need to be killed, then 
+			since one of their children (us) has higher privileges
+			they can't kill us and we would end up as zombies
--- a/us.c
+++ b/us.c
@ -103,22 +103,35 @@ int main (int argc, char *argv[])
 		shell = "/bin/sh";

 	/* Set argc and argv */
-	char *command = NULL;
-	int size, popind = optind;
-	if (argc - optind) {
-		for (size = 0; optind < argc; optind++)
-			size += strlen(argv[optind]) + 1;
-		command = malloc(sizeof(char) * size + 1);
-		if (!command) {
+	int c_argc = argc - optind;
+	char **c_argv;
+	if (c_argc) {
+		c_argv = malloc(sizeof(char *) * (c_argc + 1));
+		if (!c_argv) {
 			fprintf(stderr, "malloc: %s\n", strerror(errno));
 			exit(errno);
 		}
-		memset(command, 0, size + 1);
-		for (optind = popind; optind < argc; optind++) {
-			strcat(command, argv[optind]);
-			strcat(command, " ");
+		for (int i = 0; optind < argc; optind++, i++) {
+			c_argv[i] = strdup(argv[optind]);
+			if (!c_argv[i]) {
+				fprintf(stderr, "strdup: %s\n", strerror(errno));
+				exit(errno);
+			}
+		}
+	} else {
+		c_argc = 1;
+		c_argv = malloc(sizeof(char *) * (c_argc + 1));
+		if (!c_argv) {
+			fprintf(stderr, "malloc: %s\n", strerror(errno));
+			exit(errno);
+		}
+		c_argv[0] = strdup(shell);
+		if (!c_argv[0]) {
+			fprintf(stderr, "strdup: %s\n", strerror(errno));
+			exit(errno);
 		}
 	}
+	c_argv[c_argc] = NULL;

 	/* Authenticate */
 	if (authenticate(uname) != PAM_SUCCESS)
@ -135,17 +148,16 @@ int main (int argc, char *argv[])

 	/* Execute the command */
 	int err;
-	if (command)
-		err = execl(shell, shell, "-c", command, (char *)NULL);
-	else
-		err = execl(shell, shell, (char *)NULL);
+	err = execvp(c_argv[0], c_argv);
 	if (err == -1)
 		fprintf(stderr, "execl: %s\n", strerror(errno));

 	/* Cleanup and return */
 	fail_end:
 	/* Free up the copied argv */
-	free(command);
+	for (int i=0; c_argv[i]; i++)
+		free(c_argv[i]);
+	free(c_argv);
 	return errno;
 }