I was wondering if there is a way to drop privileges using a suid binary (using Ubuntu 18.04). Look:
# cp /bin/bash .
# chown www-data bash
# chmod 4700 bash
# ls -lh
-rws------ 1 www-data root 1,1M abr 4 2018 bash
# ./bash
# id
uid=0(root) gid=0(root) groups=0(root)
Is there an explanation of why one can gain privileges but not drop them with suid binaries?
You may be wondering what I'm trying to accomplish, but it's only to learn.
Thanks!
This works in the general case:
# cp /usr/bin/id .
# chown www-data id
# chmod 4700 id
# ./id
uid=0(root) gid=0(root) euid=33(www-data) groups=0(root)
bash is a special case. From the "INVOCATION" section of bash manual, with added emphasis on the relevant portion:
If the shell is started with the effective user (group) id not equal to the real user (group) id, and the
-poption is not supplied, no startup files are read, shell functions are not inherited from the environment, theSHELLOPTS,BASHOPTS,CDPATH, andGLOBIGNOREvariables, if they appear in the environment, are ignored, and the effective user id is set to the real user id. If the-poption is supplied at invocation, the startup behavior is the same, but the effective user id is not reset.
Passing the -p (privileged) flag will indeed suppress this behavior:
# cp /bin/bash .
# chown www-data bash
# chmod 4700 bash
# ./bash -p
bash-4.4$ id
uid=0(root) gid=0(root) euid=33(www-data) groups=0(root)