Filesystem security - SETUID bit

USB port and the setuid bit

Context

In this laboratory, we will explore the security implications of the setuid bit in Linux filesystems. You have a USB stick connected to your NanoPi device.

The program readShadow is on this USB stick. It is owned by root and has the setuid bit set; its permissions are rwsr-xr-x.

You are connected to the NanoPi as user test1 (not root) and you can execute the readShadow program on the USB stick. Because the setuid bit is set, you are able to read the /etc/shadow file.

Tasks

On your host machine (not on the NanoPi):

  1. Format a USB stick as ext4
  2. Get the readShadow.c program from here. This program reads and displays the /etc/shadow file
  3. Cross-compile the readShadow.c program so that it runs on the NanoPi and copy it to the USB stick

On your NanoPi:

  1. Modify your buildroot in such a way that you can mount the USB stick (ext4 filesystem support)
  2. Flash the new buildroot sdcard image on your NanoPi and boot it
  3. Mount the USB stick on the NanoPi (this has to be done as root). E.g. mount /dev/sda1 /mnt
  4. Create a user test1 (if not already done)
  5. Login as user test1 (not as root)
  6. Execute the readShadow program from the USB stick. You should be able to see the contents of the /etc/shadow file

Questions

  1. How is it possible that user test1 can read the /etc/shadow file even though this user has no permission to read it? Explain the concept of the setuid bit and how it works in this context.
  2. Describe a way to protect the system against this kind of attack.
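
The setuid bit on a file from removable media is only honoured when the filesystem is mounted without the nosuid option, which makes the kernel ignore setuid and setgid bits on that mount. The script below is an added example, not part of the lab material: it reads a mount table in /proc/mounts format and reports block-device mounts that still honour setuid bits. The function names, the allow-list argument and the sample table are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a mount table (/proc/mounts format, read from stdin)
# for block-device filesystems mounted without "nosuid".
# Line format: device mountpoint fstype options dump pass

# $1: space-separated mount points that are expected to carry setuid
#     programs (default "/"). Prints "mountpoint device fstype" for every
#     other /dev/* mount whose options do not include nosuid.
mounts_honouring_setuid() {
    awk -v allow="${1:-/}" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $1 ~ /^\/dev\// && !($2 in ok) {
            nosuid = 0
            m = split($4, opts, ",")
            for (i = 1; i <= m; i++)
                if (opts[i] == "nosuid") nosuid = 1
            if (!nosuid) print $2, $1, $3
        }
    '
}

# Constructed sample table (not captured from a real device). /dev/sda1 is
# mounted as in the lab (plain "mount /dev/sda1 /mnt"); /dev/sdb1 shows the
# same kind of stick mounted with nosuid,nodev.
sample_mounts() {
    cat <<'EOF'
/dev/root / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /mnt ext4 rw,relatime 0 0
/dev/sdb1 /media/usb ext4 rw,nosuid,nodev,relatime 0 0
EOF
}

# Demo on the constructed table; on a live system use instead:
#   mounts_honouring_setuid "/" < /proc/mounts
sample_mounts | mounts_honouring_setuid "/"
```

Remounting the flagged filesystem with `mount -o remount,nosuid /mnt` (as root) removes it from the report.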