7

Is there a way for one process (such as an executable or bash script) to elevate the privileges of another, running process? E.g., if I have a program running as a normal user, is it possible for another process, running as root, to elevate the privileges of the first as if it had been run as root originally?

I have seen exploits modify the credential struct of a process to perform this, but I'm not sure if there's a way to do this more legitimately.

Looking further into this, it appears that there is no way to do this without installing a kernel module; essentially a rootkit. The kind of thing I want is demonstrated here.

clubby789
Your question is a bit unclear. Is this what you attempt to do? [Change owner of a currently running process](https://stackoverflow.com/questions/37401774/change-owner-of-a-currently-running-process) – kvantour Feb 11 '20 at 15:03

4 Answers

8

No, these properties of a process cannot be altered after it starts.

tripleee
In this paper (https://labs.f-secure.com/assets/BlogFiles/mwri-mmap-exploitation-whitepaper-2017-09-18.pdf) a vulnerable kernel driver is used to edit a process's own cred struct, in order to execute a shell as the superuser. Is there no legitimate way to recreate this? – clubby789 Feb 05 '20 at 11:29
5

No. The only way to elevate a process’s privileges is by execing a setuid binary (such as /usr/bin/sudo); you can’t do it to an already running process.

You can, however, ask sudo to copy a file to a temporary path, launch your editor with your own privileges on the temporary path, and then copy the result back in place as root:

sudo -e filename
Zig Razor
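As an added illustration (not code from this thread or any of its answers): the credentials the answer above is talking about are kept by the kernel per process, and on Linux they are readable through the `Uid:` and `Gid:` lines of `/proc/<pid>/status` (real, effective, saved and filesystem IDs, in that order). The script below parses those lines and flags processes whose effective UID is 0 while their real UID is not, which is exactly the state a process is in right after it has exec'd a setuid-root binary such as sudo. The function names and the two sample status texts are my own constructions; only the `/proc/<pid>/status` format is real.

```python
# Added example: inspect per-process credentials via /proc/<pid>/status (Linux)
# and report processes that hold root privilege through a setuid exec.
# Function names and sample inputs are constructed for this illustration.
import os
from typing import Iterable, List, NamedTuple


class ProcCreds(NamedTuple):
    pid: int
    ruid: int   # real UID: who started the process
    euid: int   # effective UID: what permission checks use
    suid: int   # saved UID: set at exec of a setuid binary
    fsuid: int  # filesystem UID: used for file access checks
    rgid: int
    egid: int
    sgid: int
    fsgid: int


def parse_status(text: str, pid: int) -> ProcCreds:
    """Parse the Uid:/Gid: lines of a /proc/<pid>/status document."""
    uids = gids = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Uid":
            uids = tuple(int(x) for x in value.split())
        elif key == "Gid":
            gids = tuple(int(x) for x in value.split())
    if uids is None or gids is None or len(uids) != 4 or len(gids) != 4:
        raise ValueError(f"pid {pid}: status text has no valid Uid/Gid lines")
    return ProcCreds(pid, *uids, *gids)


def read_proc_creds(pid: int) -> ProcCreds:
    """Read the credentials of a live process (Linux only)."""
    with open(f"/proc/{pid}/status", encoding="ascii", errors="replace") as f:
        return parse_status(f.read(), pid)


def elevated_via_setuid(c: ProcCreds) -> bool:
    """True when the process runs as root but was started by a non-root user,
    i.e. its privilege came from exec'ing a setuid-root binary."""
    return c.euid == 0 and c.ruid != 0


def find_elevated(creds: Iterable[ProcCreds]) -> List[ProcCreds]:
    return [c for c in creds if elevated_via_setuid(c)]


def scan_all_processes() -> List[ProcCreds]:
    """Walk /proc and collect credentials of every process we may read."""
    result = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                result.append(read_proc_creds(int(entry)))
            except (OSError, ValueError):
                pass  # process exited, or status unreadable
    return result


# Constructed sample inputs (abridged /proc/<pid>/status documents).
SAMPLE_USER_SHELL = (
    "Name:\tbash\nState:\tS (sleeping)\nPid:\t4242\n"
    "Uid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n"
)
SAMPLE_AFTER_SETUID_EXEC = (
    "Name:\tsudo\nState:\tR (running)\nPid:\t4300\n"
    "Uid:\t1000\t0\t0\t0\nGid:\t1000\t1000\t1000\t1000\n"
)

if __name__ == "__main__":
    for c in find_elevated(scan_all_processes()):
        print(f"pid {c.pid}: ruid={c.ruid} euid={c.euid} (setuid-elevated)")
```

Run as a normal user it lists the processes on the box that currently hold root through a setuid exec (typically a transient `sudo` or `su`); as the thread says, no entry in this list got there by having its credentials edited after the fact, only by exec'ing a setuid binary, and nothing can move a pid from the first sample's state to the second's without going through exec.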
3

This is possible, but only at Ring 0, using the commit_creds(prepare_creds(0)), which will update the task struct associated with the userland process, setting UID/GUID to 0. This is only possible with code already running in Ring 0, such as a kernel module/rootkit or kernel exploit. An example of how this may be done is here.

clubby789
0

You could start a new process using sudo, but starting a new instance with higher permissions will always result in a new process being created. It's not possible to grant additional permissions to an already running process.

Ced