

I am making a Cydia app that has permission to install files. I need to be able to gain root access to /Applications for this. I have looked here, but it was a little unclear. Could anybody explain it a little better?

Thanks!

Community
  • 1
  • 1
Zungy
  • 13
  • 9

2 Answers

2

Never use system with setuid! If, for example, a malicious individual were to change the PATH to be /tmp:$PATH, and this person added their own program to /tmp and named it "ls", then even running this simple code would give them root access to your device:

setuid(0); system("ls");

Instead, you should use the exec family of functions, but not execvp/execlp.

C0deH4cker
  • 3,959
  • 1
  • 24
  • 35
  • Another way around that problem is to fully-qualify the command you pass to `system()`, like `/bin/ls` instead of just `ls`. – Nate Mar 12 '13 at 01:23
  • @Nate: not quite. `export IFS=/` – C0deH4cker Mar 12 '13 at 02:55
  • If you're claiming that `export IFS=/` will turn the `/bin/ls` command into `bin ls`, which could run a malicious script named `bin` placed somewhere in the PATH ... no, it won't. I tried it on a jailbroken iPhone. Also tried `export IFS='/'`. That's a pretty old exploit, and it looks like the jailbroken iOS shell has that fixed. – Nate Mar 12 '13 at 04:14
  • @Nate: Why are you defending the use of `system` in setuid apps? It is known to be a total failure in terms of security. I just listed two examples of why it is a bad idea. Instead of trying to find hacky, unreliable workarounds, you should be learning a more secure alternative. Now just go back to using `gets`. – C0deH4cker Mar 13 '13 at 05:50
  • The PATH example doesn't apply if you fully-qualify the command, as I said. And, I just offered feedback that I don't think the IFS exploit works, either. If I'm wrong, and you think it still does, I'm actually interested to hear how. But two flawed examples isn't much of a case. And, we're talking about a jailbroken device here. Security on jailbroken devices is already suspect, so I'm not sure why you're so worked up about this one. Oh, and [I've already learned about using exec functions](http://stackoverflow.com/a/14429668/119114), as I've mentioned in more than one of my answers. – Nate Mar 13 '13 at 06:46
1

You can use this:

setuid( 0 ); 
system( "/path/to/script.sh" );

where the path to the script points at a script in your app that would install the files,

or

setuid( 0 ); 
system( "cmd" );

where cmd is a command such as

setuid( 0 ); system( "echo Hello World" );

You can also log this way to the /tmp directory or any other place.

setuid( 0 ); system( "echo Hello World >> /tmp/install.log" );

setuid(0); gives it root access, and system(cmd); is the actual command.

Be careful on how you use this as root has access to everywhere.

Nate
  • 31,017
  • 13
  • 83
  • 207
Omar
  • 492
  • 4
  • 10
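The two answers disagree on whether setuid(0); system("...") is acceptable. As an added example that is not code from either answer or from the question's project, here is the pattern the first answer recommends, written as a replacement for the setuid(0); system(cmd) calls the second answer shows: the command is given as an absolute path, checked before use, and started with execve() (an exec-family call that does not search PATH, unlike execvp/execlp) under a fixed environment, so the PATH and IFS concerns raised in the comments never reach a shell. The function names is_safe_abs_path, run_fixed_command and run_path_only are this example's own; it assumes a POSIX/Linux build for the stand-alone demo, and on a jailbroken device it assumes the binary is installed setuid-root so that want_root=1 succeeds.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only absolute paths with no ".." components, so that neither
 * PATH nor a relative lookup decides which binary actually runs. */
int is_safe_abs_path(const char *path)
{
    size_t n;
    if (path == NULL || path[0] != '/')
        return 0;
    if (strstr(path, "/../") != NULL)
        return 0;
    n = strlen(path);
    if (n >= 3 && strcmp(path + n - 3, "/..") == 0)
        return 0;
    return 1;
}

/* Run argv[0] (an absolute path) in a child process with a fixed,
 * minimal environment via execve(). No shell is involved, so PATH, IFS
 * and similar variables inherited from the caller cannot redirect the
 * command. If want_root is non-zero the child calls setuid(0) first and
 * gives up if that fails (for example because the binary is not
 * setuid-root). Returns the child's exit status (0..255), or -1 on a
 * local error such as a rejected path or a failed fork/waitpid. */
int run_fixed_command(char *const argv[], int want_root)
{
    pid_t pid;
    int status;

    if (argv == NULL || !is_safe_abs_path(argv[0])) {
        errno = EINVAL;
        return -1;
    }
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: replace the inherited environment with a known one. */
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        if (want_root && setuid(0) != 0)
            _exit(126);
        execve(argv[0], argv, envp);
        _exit(127); /* exec failed: wrong path or not executable */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1; /* child was killed by a signal */
}

/* Convenience wrapper for a command that takes no arguments. */
int run_path_only(const char *path, int want_root)
{
    char *argv[2];
    argv[0] = (char *)path;
    argv[1] = NULL;
    return run_fixed_command(argv, want_root);
}

int main(void)
{
    /* Stand-alone demo without root privileges: the "Hello World" echo
     * from the second answer, with each word as its own argv entry.
     * A setuid-root build on the device would pass 1 instead of 0. */
    char *const argv[] = { "/bin/echo", "Hello", "World", NULL };
    int rc = run_fixed_command(argv, 0);
    printf("exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Because no shell is started, the `>> /tmp/install.log` redirection from the second answer has no equivalent here; a program using this pattern writes its log with fopen()/fprintf() itself, which also avoids a shell parsing any part of the command line.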