This commit is contained in:
Leo
4
sheet05/a3/a.txt
Normal file
4
sheet05/a3/a.txt
Normal file
@@ -0,0 +1,4 @@
|
||||
Passwords are stored in the /etc/shadow file, which is restricted to the root user.
|
||||
A standard user cannot write to it directly. However, the passwd executable is owned by root and has the SUID permission set.
|
||||
When a standard user runs passwd, the SUID bit tells the system to execute the program with the privileges of root,
|
||||
giving the program the temporary permissions to update /etc/shadow
|
||||
5
sheet05/a3/b.txt
Normal file
5
sheet05/a3/b.txt
Normal file
@@ -0,0 +1,5 @@
|
||||
The script runs with root privileges because the setuid bit is set.
|
||||
Since it just asks for a username and saves the new hash to /etc/shadow,
|
||||
and there is no validation checking if the user running the program is actually changing their own password,
|
||||
someone could simply run the program, type root as the username, and set a new password for the root user.
|
||||
The script would then overwrite the actual root password in /etc/shadow.
|
||||
Reference in New Issue
Block a user