reverted to the old exec way
this branch will contain a version of us which doesn't use a subshell as a proxy but directly applies the privilege escalation to the command
This commit is contained in:
parent
a666081599
commit
72c217d74a
11
TODO
11
TODO
@ -4,4 +4,13 @@
|
||||
* SHELL -> to the target user's SHELL
|
||||
* HOME -> to the target user's HOME
|
||||
|
||||
- Reconsider executing programs in a subshell
|
||||
- fork before exec, that is because processes might try to kill us or the
|
||||
command but since they may run under elevated privileges they will get
|
||||
permission denied error. If we remain the parent processes, unprivileged
|
||||
proceses can send signals to us and we will relay them to our children
|
||||
running at the same privilege as us. This is useful when:
|
||||
- The child command hangs and we want to cose it, kinda
|
||||
problematic but we could run kill with us as well
|
||||
- The parent shell dies and children need to be killed, then
|
||||
since one of their children (us) has higher privileges
|
||||
they can't kill us and we would end up as zombies
|
||||
|
||||
44
us.c
44
us.c
@ -103,22 +103,35 @@ int main (int argc, char *argv[])
|
||||
shell = "/bin/sh";
|
||||
|
||||
/* Set argc and argv */
|
||||
char *command = NULL;
|
||||
int size, popind = optind;
|
||||
if (argc - optind) {
|
||||
for (size = 0; optind < argc; optind++)
|
||||
size += strlen(argv[optind]) + 1;
|
||||
command = malloc(sizeof(char) * size + 1);
|
||||
if (!command) {
|
||||
int c_argc = argc - optind;
|
||||
char **c_argv;
|
||||
if (c_argc) {
|
||||
c_argv = malloc(sizeof(char *) * (c_argc + 1));
|
||||
if (!c_argv) {
|
||||
fprintf(stderr, "malloc: %s\n", strerror(errno));
|
||||
exit(errno);
|
||||
}
|
||||
memset(command, 0, size + 1);
|
||||
for (optind = popind; optind < argc; optind++) {
|
||||
strcat(command, argv[optind]);
|
||||
strcat(command, " ");
|
||||
for (int i = 0; optind < argc; optind++, i++) {
|
||||
c_argv[i] = strdup(argv[optind]);
|
||||
if (!c_argv[i]) {
|
||||
fprintf(stderr, "strdup: %s\n", strerror(errno));
|
||||
exit(errno);
|
||||
}
|
||||
}
|
||||
} else {
|
||||
c_argc = 1;
|
||||
c_argv = malloc(sizeof(char *) * (c_argc + 1));
|
||||
if (!c_argv) {
|
||||
fprintf(stderr, "malloc: %s\n", strerror(errno));
|
||||
exit(errno);
|
||||
}
|
||||
c_argv[0] = strdup(shell);
|
||||
if (!c_argv[0]) {
|
||||
fprintf(stderr, "strdup: %s\n", strerror(errno));
|
||||
exit(errno);
|
||||
}
|
||||
}
|
||||
c_argv[c_argc] = NULL;
|
||||
|
||||
/* Authenticate */
|
||||
if (authenticate(uname) != PAM_SUCCESS)
|
||||
@ -135,17 +148,16 @@ int main (int argc, char *argv[])
|
||||
|
||||
/* Execute the command */
|
||||
int err;
|
||||
if (command)
|
||||
err = execl(shell, shell, "-c", command, (char *)NULL);
|
||||
else
|
||||
err = execl(shell, shell, (char *)NULL);
|
||||
err = execvp(c_argv[0], c_argv);
|
||||
if (err == -1)
|
||||
fprintf(stderr, "execl: %s\n", strerror(errno));
|
||||
|
||||
/* Cleanup and return */
|
||||
fail_end:
|
||||
/* Free up the copied argv */
|
||||
free(command);
|
||||
for (int i=0; c_argv[i]; i++)
|
||||
free(c_argv[i]);
|
||||
free(c_argv);
|
||||
return errno;
|
||||
}
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user