Title: Dimke Root-Shell
Explanation: When you work as an administrator responsible for some servers, there is always a small risk that you are not the only one who knows the root password. Someone else may know it and use it to spoil your work. This is easily done by changing the root password without telling you the new one, in other words, locking you out. Then, whatever happens, you cannot even intervene when something no longer runs properly.
In such a case it is essential to have at least one working backdoor to regain root access, so that you can restore or set the root password and repair the system. This can be done in different ways, such as private/public key based ssh login, or using any kind of service running as root as a vector to pass commands to the system.
Or, having a hidden root shell at hand. This is what the following section discusses.
How it works: The idea behind it is the following:

When a binary executable has its SUID bit set, this means that, when executed, it runs under exactly the user id assigned to the file, no matter who runs it. The only prerequisite is that this user has permission to run the program at all. So, by setting the SUID bit, assigning user=root, and making it executable for a certain group of users, i.e. setting the group to the privileged users' group name and marking the file executable for this group, the members of this group can execute the program and it will run as root.
And, simply said, that's all the magic behind it.
One additional note: Be careful when setting the rights, and especially make sure that the executable flag for others is not set, i.e. that you do a chmod 4710 and not 4711, since in the latter case everyone could run this rootshell and expose your system to an unknown risk.

Later on, we will see that there is no need to implement a whole shell with all locales, man pages etc., since it is enough to invoke any existing shell such as csh, the Korn shell, or bash from this program. The shell inherits the rights of the calling program and hence also runs under UID 0, i.e. root.

First, create a file "rootshell.c" like this:
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>

static const char *SHELL = "/bin/sh";

int main ( void ) {
        /* Started via the SUID bit: the real uid is the caller's, the
           effective uid is 0 (root). Swap them so the real uid becomes 0
           and the child shell runs as root. */
        if ( setreuid ( geteuid () , getuid () ) != 0 ) {
                perror ( "setreuid" );
                return EXIT_FAILURE;
        }
        system ( SHELL );
        return EXIT_SUCCESS;
}

Then compile it:
gcc rootshell.c -o rootshell

Then login as root and set the rights to fit the conditions mentioned above:
$ chown root:test1 rootshell ; chmod 4710 rootshell

$ ls -la rootshell
-rws--x--- 1 root test1 10471 Sep 10 13:26 rootshell*
How to use: Now you're almost done. The rootshell is ready to use and can be moved to any location you like. You may find it helpful to rename it to a less meaningful name, or even make it a dot-file so that it is invisible to users who just list the file system with ls without the -a option.
Running it (in this case you have to be a member of the test1 group) will show something like this:
$ id
uid=1011(test1) gid=1011(test1) Gruppen=1011(test1)

$ ./rootshell
sh-4.3# id
uid=0(root) gid=1011(test1) Gruppen=1011(test1)
sh-4.3# exit

That's all.
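The two properties discussed above, a setuid file that is world-executable (mode 4711 instead of 4710) and a setuid file hidden as a dot-file, are exactly what an administrator auditing a box should look for. As an added example that is not part of the original page, here is a small POSIX shell audit using find's -perm tests; the function names and the directory argument are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original page): audit a directory tree for
# setuid files in the two states the text discusses:
#   - world-executable (mode 4711 rather than 4710): anyone may run them
#   - hidden dot-files: not shown by a plain "ls"
# Usage: audit_suid /usr/local/bin   (defaults to / when no argument is given)

# Print every setuid file under $1 whose "others" execute bit is set.
# -perm -4001 matches files that have at least the setuid and o+x bits.
suid_world_exec() {
    find "${1:-/}" -xdev -type f -perm -4001 2>/dev/null
}

# Print every setuid file under $1 whose name starts with a dot.
suid_hidden() {
    find "${1:-/}" -xdev -type f -perm -4000 -name '.*' 2>/dev/null
}

# Print every setuid file under $1 with owner, group and mode, one per line.
suid_list() {
    find "${1:-/}" -xdev -type f -perm -4000 -exec ls -ld {} + 2>/dev/null
}

# Full report: all setuid files, then the two suspicious subsets.
audit_suid() {
    dir="${1:-/}"
    echo "== setuid files under $dir =="
    suid_list "$dir"
    echo "== setuid AND world-executable =="
    suid_world_exec "$dir"
    echo "== setuid AND hidden (dot-file) =="
    suid_hidden "$dir"
}
```

Run audit_suid against / (or a single filesystem, since -xdev stops at mount points) and compare the first list with the setuid files your distribution ships; anything in the second or third list, or any setuid file outside the vendor paths, deserves an explanation.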