
/etc/shadow and suid dilemma


I stumbled on a problem about accessing system files with suid executables.

I wrote this short POC:

#include <unistd.h>
#include <stdio.h>

int main()
{
    if (access("/etc/shadow", W_OK) == 0)
        printf("shadow writable!\n");
    else
        printf("shadow not writable\n");

    return 0;
}

Then I compiled it and gave it the suid bit with chown root:root and chmod u+s (run as root).

This is the resulting executable:

-rwsrwxr-x  1 root root     4847 Apr 14 08:40 a.out

The target file has these rights:

-rw------- 1 root root 1836 Oct  8  2014 /etc/shadow

When I ran the program, it gave this output:

[d.berra@srvr ~]$ ./a.out
shadow not writable

Why does this happen? I mean... I'm accessing the file as root and root CAN write on this file!

Note: SELinux is disabled.

Ideas?


Solution

  • From access:

    The check is done using the calling process's real UID and GID, rather than the effective IDs as is done when actually attempting an operation (e.g., open(2)) on the file. This allows set-user-ID programs to easily determine the invoking user's authority.

    So you can successfully open this file for writing, because your effective UID and filesystem UID are now 0, but access will still return an error.

    As @nos noted, you forgot to change the executable's owner to root:

    $ sudo chown root:root ./a.out
    

    But even if you do that, you will still get "not writable" due to access behavior:

    $ ls -l ./a.out 
    -rwsr-xr-x 1 root root 12651 Apr 14 09:53 ./a.out
    $ ./a.out 
    shadow not writable