reverted to the old exec way

This branch will contain a version of us that does not use a subshell as
a proxy but applies the privilege escalation directly to the command
noproxy
Alessandro Mauri 4 years ago
parent a666081599
commit 72c217d74a
  1. 11
      TODO
  2. 44
      us.c

11
TODO

@ -4,4 +4,13 @@
* SHELL -> to the target user's SHELL * SHELL -> to the target user's SHELL
* HOME -> to the target user's HOME * HOME -> to the target user's HOME
- Reconsider executing programs in a subshell - fork before exec, that is because processes might try to kill us or the
command but since they may run under elevated privileges they will get
permission denied error. If we remain the parent processes, unprivileged
proceses can send signals to us and we will relay them to our children
running at the same privilege as us. This is useful when:
- The child command hangs and we want to cose it, kinda
problematic but we could run kill with us as well
- The parent shell dies and children need to be killed, then
since one of their children (us) has higher privileges
they can't kill us and we would end up as zombies

44
us.c

@ -103,22 +103,35 @@ int main (int argc, char *argv[])
shell = "/bin/sh"; shell = "/bin/sh";
/* Set argc and argv */ /* Set argc and argv */
char *command = NULL; int c_argc = argc - optind;
int size, popind = optind; char **c_argv;
if (argc - optind) { if (c_argc) {
for (size = 0; optind < argc; optind++) c_argv = malloc(sizeof(char *) * (c_argc + 1));
size += strlen(argv[optind]) + 1; if (!c_argv) {
command = malloc(sizeof(char) * size + 1);
if (!command) {
fprintf(stderr, "malloc: %s\n", strerror(errno)); fprintf(stderr, "malloc: %s\n", strerror(errno));
exit(errno); exit(errno);
} }
memset(command, 0, size + 1); for (int i = 0; optind < argc; optind++, i++) {
for (optind = popind; optind < argc; optind++) { c_argv[i] = strdup(argv[optind]);
strcat(command, argv[optind]); if (!c_argv[i]) {
strcat(command, " "); fprintf(stderr, "strdup: %s\n", strerror(errno));
exit(errno);
}
}
} else {
c_argc = 1;
c_argv = malloc(sizeof(char *) * (c_argc + 1));
if (!c_argv) {
fprintf(stderr, "malloc: %s\n", strerror(errno));
exit(errno);
}
c_argv[0] = strdup(shell);
if (!c_argv[0]) {
fprintf(stderr, "strdup: %s\n", strerror(errno));
exit(errno);
} }
} }
c_argv[c_argc] = NULL;
/* Authenticate */ /* Authenticate */
if (authenticate(uname) != PAM_SUCCESS) if (authenticate(uname) != PAM_SUCCESS)
@ -135,17 +148,16 @@ int main (int argc, char *argv[])
/* Execute the command */ /* Execute the command */
int err; int err;
if (command) err = execvp(c_argv[0], c_argv);
err = execl(shell, shell, "-c", command, (char *)NULL);
else
err = execl(shell, shell, (char *)NULL);
if (err == -1) if (err == -1)
fprintf(stderr, "execl: %s\n", strerror(errno)); fprintf(stderr, "execl: %s\n", strerror(errno));
/* Cleanup and return */ /* Cleanup and return */
fail_end: fail_end:
/* Free up the copied argv */ /* Free up the copied argv */
free(command); for (int i=0; c_argv[i]; i++)
free(c_argv[i]);
free(c_argv);
return errno; return errno;
} }
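Review bot: The new `execvp(c_argv[0], c_argv)` call in the second hunk looks up a command name without a slash through `PATH`, and nothing visible in either hunk resets `PATH` before the call, so the program that runs with the target user's privileges may be chosen by the invoking user's environment. If `PATH` is not already sanitised elsewhere in `main` (its body starts and ends outside these hunks), pin it before the exec, for example `setenv("PATH", "/usr/local/bin:/usr/bin:/bin", 1);` (the value is a constructed sample), or resolve the path explicitly and call `execv`. The error message below the call still reads `"execl: %s\n"` and should name `execvp`. `return errno;` runs after `fprintf` and `free`, which may overwrite `errno`, so saving it right after the failed exec would keep the exit status meaningful.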
