-4

I am trying to copy some files to a root user from a user with very low (almost no) privileges. I need to allow someone with access to the low account to copy some files onto the higher account. I have thought about using a bin/bash script, but I don't want any password in the file to be viewed.

I decided to create a C++ application that has the password of the account I would like to pass to the su/setuid commands. I do know the password can be viewed in the binary, but that is not a concern. The password not being in plain text is sufficient.

My problem is that I cannot figure out how to "login" as the user I need to update files for a service running in that account. I have the user account name, which is localadmin, and the password for that account. But how do I pass these to Linux to copy the files to the localadmin account home/subdirectory from the C++ application?

I have tried in C++:

```cpp
system("su localadmin"); // This prompts for password, but not sure how to pass the password.

setuid(0); // Again, where do I pass the password to get the account privileges? All I get is an "operation not permitted".
```

I apologize if this is an easy question. I am just trying to run the commands as localadmin and be done.

Peter Mortensen
Jay Ma
  • 1
    Recording the root password in your program is a poor idea for several reasons, including at least (1) it is possible to extract the password from the binary, and (2) your program breaks if the root password is changed. This is why programs that must provide elevated privileges to unprivileged users are normally set up as setuid-root, which is a function of their ownership and mode, not of their implementation. – John Bollinger Aug 02 '16 at 16:02
  • 1
    Sounds like an [XY problem](http://meta.stackexchange.com/q/66377). How about a common directory with an ACL (access control list) that gives the unprivileged user insert-only permissions? – Peter Aug 02 '16 at 16:07
  • @JohnBollinger, thanks for your response and very appreciative. I do understand the ramifications of embedding the password into a binary, but is not a concern. The person I am giving this to does not have that kind of knowledge. I just need this binary to perform all the commands as the root user. I was hoping to accomplish this just by giving them a binary. – Jay Ma Aug 02 '16 at 16:18
  • 1
    @JayMa: You missed the points! What if the password changes? Malware can easily scan the binary for the password. Whatever you **need**, your approach is plain wrong! No excuses! – too honest for this site Aug 02 '16 at 16:28
  • @Olaf, Thanks for the information. I understand all that. This is a one shot update that I need perform. I have control of the root password, so no one will be changing it, especially on a remote system. I do need it to perform as said. I don't know any other way to copy files from an account that doesn't have access to the root account where everything has to be done from the low level account. – Jay Ma Aug 02 '16 at 16:36
  • You got quite some alternatives, all more preferable than your approach. @Peter is correct, that is an XY-problem and you picked the (almost) worst approach. – too honest for this site Aug 02 '16 at 16:38
  • @Olaf, I am truly open to any alternatives. Like I said, the main problem is that I don't know how to copy files from a low level account to an elevated account while logged in and from the low level account? I have to somehow execute the script/binary to copy the files without giving them any root passwords. If you have some ideas, please share, I would really appreciate (I am stuck). – Jay Ma Aug 02 '16 at 16:42
  • You need an unprivileged user to run certain commands as root, on a system that only they have access to, and they can't be trusted with the root credentials? There's literally no way to do this securely, as the unprivileged account must have the password at some point. Just write a script that uses `su` to pass the password, as in `http://stackoverflow.com/q/31125637/1401351`. Add a rot13 or something dumb so casual users can't read the password, and pray your user isn't sophisticated, and that no one intercepts this gaping security hole of a script. Maybe ask over at superuser? – Peter Aug 02 '16 at 22:11

2 Answers

7

You don't need to supply a password. Make your application setuid root so that it runs with root permissions.

With root privileges, do the following:

```
chown root {program}
chmod 4755 {program}
```

Now your executable is owned by root and has the setuid bit set. So when any user runs it, it runs as root. Then the program can do what it needs to do.

When creating a setuid root program, special care needs to be taken to ensure that all inputs are properly sanitized to prevent buffer overflow or format string vulnerabilities. Also, if your program does more than just call another program, it should drop privileges when it starts using `seteuid({callers_uid})`, raise privileges when needed with `seteuid(0)`, and drop them back down again when you're done.

If you only want particular users to run this program you can use `sudo` instead of making the program setuid root. A root user would need to update the `/etc/sudoers` file and add an entry for the user and program in question and include an option to not require a password.

For example:

```
user_name ALL = (root) NOPASSWD:program_to_run
```

Then the user can run:

```
sudo program_to_run
```

Then this user (and only this user) can run the program with root privileges to perform whatever it needs to do.

dbush
  • You beat me to it. However, it would be useful to add some commentary about what a potential security problem setuid-root programs can be. – John Bollinger Aug 02 '16 at 15:53
  • Thanks for the info, but I am simply giving this binary to someone with no linux experience and no privileges from the low account to execute. I need it to gain root privileges to copy the files to the root account sub directory. I was hoping to do this all in one binary executable. – Jay Ma Aug 02 '16 at 15:55
  • @JayMa: If they don't have privileges, and don't know the password to get them with `su`, then how are they supposed to gain the privileges? If you have the privileges, then you can create the setuid program on target machine and tell them about it. – Chris Dodd Aug 02 '16 at 15:59
  • @JayMa If you have root permissions on the system the user is on (or know who does), then you can set up the executable with the proper permissions and just let the user know where it is. – dbush Aug 02 '16 at 15:59
  • Thanks, @ChrisDodd, I have a root account on the system where I know the user/password combination. I don't have access to this system, just the root user/pass. I figured I would embed these into a binary to give the person to execute. This binary would theoretically have the information to perform the command by having the user/pass for root. In other words, I need to just give them this binary that has to do everything as if a root user. – Jay Ma Aug 02 '16 at 16:03
  • 1
    If you know the root password, simply log into the system, deploy your binary there, and give it the `setuid` with `chmod` (as well as `root` ownership). You will also need to give execute permission on it to everyone (or alternatively some group your user is a member of) Then your target user can execute this binary and become root for the duration of its execution without entering any passwords or your binary source code needing them. – Smeeheey Aug 02 '16 at 16:06
  • @Smeeheey, I don't have access to the system to log in. I need the binary to perform the commands as root. Again, just not sure if this is possible? – Jay Ma Aug 02 '16 at 16:10
  • @JayMa You mean you aren't able to get a login prompt on the system? Then you need to give the binary to someone that does and give them the steps to set it up setuid root so the user can use it. – dbush Aug 02 '16 at 16:11
  • @dbush, sorry for the confusion and really appreciative of your help. I physically don't have access to the system. The person that has access to the system can only log into the low level account. That account doesn't have any privileges. I was hoping to give the person with low level access this binary with root user/pass info the ability to perform the commands. – Jay Ma Aug 02 '16 at 16:16
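The privilege handling dbush's answer describes, as an added example (not code from the answer): a setuid-root helper that reads the source file with the caller's own rights and raises privilege only to create the destination file. `DEST_DIR`, `name_ok` and `install_file` are assumed names, and the directory path is a placeholder for the localadmin subdirectory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed drop directory; the page only says "localadmin account home/subdirectory". */
#define DEST_DIR "/home/localadmin/incoming"

/* Accept a plain file name only: no '/', no leading '.', bounded length. */
int name_ok(const char *n) {
    static const char allowed[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "abcdefghijklmnopqrstuvwxyz0123456789._-";
    size_t len = strlen(n);
    if (len == 0 || len > 64 || n[0] == '.') return 0;
    return strspn(n, allowed) == len;
}

/* Copy src to dest_dir/name. Returns 0 on success, -1 on any failure. */
int install_file(const char *src, const char *dest_dir, const char *name) {
    uid_t caller = getuid(), priv = geteuid();  /* priv is 0 when setuid root */
    char buf[4096];
    ssize_t n = -1;
    if (!name_ok(name)) return -1;
    if (seteuid(caller) != 0) return -1;        /* drop before touching input */
    int in = open(src, O_RDONLY | O_CLOEXEC);   /* read with the caller's rights */
    if (in < 0) return -1;
    if (seteuid(priv) != 0) { close(in); return -1; }   /* raise */
    int dir = open(dest_dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    /* O_EXCL: never overwrite, never follow a symlink planted at the target. */
    int out = dir < 0 ? -1
        : openat(dir, name, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0644);
    if (dir >= 0) close(dir);
    if (seteuid(caller) != 0) _exit(111);       /* refuse to continue privileged */
    while (out >= 0 && (n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) { n = -1; break; }
    close(in);
    if (out >= 0 && close(out) != 0) n = -1;
    return (out >= 0 && n == 0) ? 0 : -1;
}

int main(int argc, char **argv) {
    if (argc != 3) {
        fprintf(stderr, "usage: %s <source-file> <dest-name>\n", argv[0]);
        return EXIT_FAILURE;
    }
    return install_file(argv[1], DEST_DIR, argv[2]) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Run without the setuid bit, the two `seteuid` calls are no-ops and the copy succeeds only where the caller could already write, which is how the block can be exercised in a scratch directory before root installs it.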
0

I think you misunderstand how setuid generally works. There is no need to store any sort of password in your application: you just code it as normal to do what you need to do as if you were root. Once you have the binary (owned by root), you set its setuid privilege as an attribute of the binary using chmod.

After this, executing the binary as any user permitted to execute it will promote them to root for the purposes of executing the binary's code. No password needs to be provided for this.

Note that you need to be careful with setuid programs: they can cause security problems due to their root privilege. It is best to keep them as simple and focussed as possible, doing the absolute minimum that actually requires root privileges, leaving other non-setuid programs to do any non-privileged work to minimise the potential exploitable bugs.

Smeeheey
  • The OP proposes to use the `setuid()` function, which his program cannot successfully do without having privilege in the first place. Since the whole point is that users *don't* have privilege, that won't serve his need, but it is not a misunderstanding of setuid in the file mode sense. – John Bollinger Aug 02 '16 at 15:56
  • Thanks for the info, but I am simply giving this binary to someone with no linux experience and no privileges from the low account to execute. I need it to gain root privileges to copy the files to the root account sub directory. I was hoping to do this all in one binary executable. – Jay Ma Aug 02 '16 at 15:56
  • Once you set the `setuid` attribute on the binary anyone *can* execute it without privileges. The binary is what has the attribute, not users which need to use it. Think about how the linux `passwd` program works: anyone can use it to change their password, but it actually needs to become root to do so. This is achieved without the user entering the root password or having any special privileges: it is the `passwd` program itself which is privileged. – Smeeheey Aug 02 '16 at 16:00