I wrote a program that calls setuid(0) and execve("/bin/bash",NULL,NULL).
Then I did chown root:root a.out && chmod +s a.out
When I execute ./a.out I get a root shell. However when I do gdb a.out it starts the process as normal user, and launches a user shell.
So… can I debug a setuid root program?
Answers:
Method 1
You can only debug a setuid or setgid program if the debugger is running as root. The kernel won’t let you call ptrace on a program running with extra privileges. If it did, you would be able to make the program execute anything, which would effectively mean you could e.g. run a root shell by calling a debugger on /bin/su.
If you run Gdb as root, you’ll be able to run your program, but you’ll only be observing its behavior when run by root.
If you need to debug the program when it’s not started by root, start the program outside Gdb, make it pause in some fashion before getting to the troublesome part, and attach to the process inside Gdb (attach 1234, where 1234 is the process ID).
Method 2
Here’s a way to start the process in a stopped state if you will. Use a bash script doing:
echo $BASHPID; kill -STOP $BASHPID; exec sudo -u unprivileged_user -g the_group_if_not_primary command
Make that run in the background.
Then start gdb, and attach to the pid that was printed.
You’ll have to step through the exec command with gdb, but you’ll be able to debug from the very beginning.
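The stop-then-exec launcher from Method 2 as a small runnable script (an added example, not part of the original answers). It uses sh -c with $$ in place of $BASHPID so the stopped process and the exec’d command share one PID, and reads /proc to confirm the process really is stopped before anything attaches to it; the function names, the polling loop and the /proc-based check are my additions, and it assumes Linux with /proc mounted.

```shell
#!/bin/sh
# Added example: start a command stopped at its very first instruction so a
# debugger can attach before it runs, then release it. Assumes Linux (/proc).

# start_stopped CMD... : run CMD in the background, stopped before it starts.
# The PID to attach to is left in STOPPED_PID. The helper shell stops itself
# with SIGSTOP and then exec's CMD, so the PID does not change across the exec.
start_stopped() {
    sh -c 'kill -STOP $$; exec "$@"' _ "$@" &
    STOPPED_PID=$!
}

# proc_state PID : print the state letter from /proc/PID/stat
# (T = stopped by a signal, t = tracing stop, R = running, S = sleeping, ...).
proc_state() {
    local stat
    stat=$(cat "/proc/$1/stat") || return 1
    # The comm field sits in parentheses and may contain spaces or ')',
    # so drop everything up to the last ") " before taking the next field.
    stat="${stat##*) }"
    printf '%s\n' "${stat%% *}"
}

# wait_stopped PID : poll (up to ~5 s) until the process reports state T.
wait_stopped() {
    local i=0
    while [ "$i" -lt 100 ]; do
        [ "$(proc_state "$1")" = "T" ] && return 0
        i=$((i + 1))
        sleep 0.05
    done
    return 1
}

# release PID : let the stopped process run; gdb's "continue" does the same
# once it has attached.
release() {
    kill -CONT "$1"
}

# debug_stopped CMD... : the whole Method 2 flow in one call. Attaching with
# gdb -p needs permission to ptrace the target: root for a setuid binary, and
# on kernels with kernel.yama.ptrace_scope=1 root or CAP_SYS_PTRACE even for
# a process owned by the same user, since it is not a descendant of gdb.
debug_stopped() {
    start_stopped "$@"
    wait_stopped "$STOPPED_PID" || { echo "process $STOPPED_PID never stopped" >&2; return 1; }
    echo "stopped PID: $STOPPED_PID"
    if command -v gdb >/dev/null 2>&1; then
        gdb -q -p "$STOPPED_PID"
    else
        echo "gdb not found; run: gdb -p $STOPPED_PID   (then: continue)" >&2
    fi
}
```

One caveat worth keeping in mind with either method: when a process that is already being traced executes a set-user-ID binary, the kernel ignores the set-user-ID bit unless the tracer holds CAP_SYS_PTRACE, which is exactly why gdb a.out in the question produced an ordinary user shell rather than a root one.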
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0