local-privilege-escalation.md (1127B)
+++
title = 'Local privilege escalation'
+++

# Local privilege escalation

UNIX permissions:
- read (or list files in directory)
- write (or create/delete files in directory)
- execute (or access files in directory)

Files are owned by a user and a group.

Three sets of permission bits: for user (owner), group, and others.

Processes:
- OS creates a process for a running program
- state includes the user on whose behalf it runs
- process can access files based on that user
- user/group determined by: the login shell gets the IDs of the user who logged in, and every later process inherits them from its parent

Impersonation:
- when a user has a legitimate need to access a secured file
- setuid/setgid bits: the program runs on behalf of the file owner (or owning group)
- a setuid process has multiple UIDs and GIDs:
  - effective (EUID): used for privilege checks, modified by setuid
  - real (RUID): the actual user, not modified by setuid
  - saved (SUID): lets the process return to its old uid
- UID manipulation in C:
  - `setuid(uid)`: sets RUID, EUID, and SUID to `uid` (when EUID is 0; an unprivileged caller changes only EUID)
  - `seteuid(uid)`: sets EUID to `uid`
  - `setresuid(ruid, euid, suid)`: sets all three
  - an arbitrary target UID is allowed only if EUID is 0; otherwise a process may only switch among its own RUID, EUID, and SUID
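The three-UID model above is easiest to see by exercising the calls. The following is an added example, not part of the original note: it performs the temporary drop/regain pattern a setuid program uses, then a permanent drop, and verifies with `getresuid()` that all three IDs really changed and that the process can no longer switch back. It assumes Linux/glibc, where `getresuid()` and `setresuid()` exist; the helper names (`uids_consistent`, `drop_privileges_permanently`, `privileges_locked`, and so on) are this example's own.

```c
/* Added example (not from the original note): drop and regain privileges
 * with the calls listed above and verify the outcome. Assumes Linux/glibc,
 * where getresuid()/setresuid() are available. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Fallback prototypes in case the feature macro was not seen before <unistd.h>. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

/* Returns 1 if RUID, EUID and SUID all equal `target`, 0 otherwise. */
static int uids_consistent(uid_t target) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) return 0;
    return r == target && e == target && s == target;
}

/* Temporary drop for a setuid program: EUID becomes the real user while
 * SUID keeps the privileged ID so it can be regained. Returns 0 on success. */
static int drop_privileges_temporarily(void) {
    return seteuid(getuid());
}

/* Regain: move EUID back to the saved UID. Returns 0 on success. */
static int regain_privileges(void) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) return -1;
    return seteuid(s);
}

/* Permanent drop: set all three IDs, then verify them, because a drop that
 * leaves SUID privileged is silently reversible. Returns 0 on success. */
static int drop_privileges_permanently(uid_t target) {
    if (setresuid(target, target, target) != 0) return -1;
    if (!uids_consistent(target)) {
        errno = EPERM;   /* an ID did not change: refuse to continue */
        return -1;
    }
    return 0;
}

/* After a permanent drop to a non-root `target`, switching EUID to any
 * other user must fail with EPERM. Returns 1 if locked, 0 if not. */
static int privileges_locked(uid_t target) {
    uid_t other = (target == 0) ? 1 : 0;   /* any UID that is not the target */
    if (seteuid(other) == 0) {
        seteuid(target);   /* could still switch: restore and report it */
        return 0;
    }
    return errno == EPERM;
}

int main(void) {
    uid_t r, e, s;
    getresuid(&r, &e, &s);
    printf("start: ruid=%u euid=%u suid=%u\n", (unsigned)r, (unsigned)e, (unsigned)s);
    if (drop_privileges_temporarily() == 0 && regain_privileges() == 0)
        puts("temporary drop and regain succeeded");
    if (drop_privileges_permanently(getuid()) != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    printf("locked to uid %u: %s\n", (unsigned)getuid(),
           privileges_locked(getuid()) ? "yes" : "no (still privileged)");
    return 0;
}
```

Run as an ordinary user the program reports that it is locked after the permanent drop; installed setuid-root it shows EUID 0 at start and the regain step succeeding, which is exactly why a real program should verify the drop with `getresuid()` rather than trust the return value of a single `setuid()` call.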