
According to the answer in the reference: Can gdb debug suid root programs?

It claims that: "You can only debug a setuid or setgid program if the debugger is running as root. The kernel won't let you call ptrace on a program running with extra privileges. If it did, you would be able to make the program execute anything, which would effectively mean you could e.g. run a root shell by calling a debugger on /bin/su."

And I wanted to ask: how can a normal user benefit from the debugger tool if he were given those privileges? How can we, as a normal user, get to the root shell with the debugger tool?

I have a follow-up question. According to the book "Computer & Internet Security" by Wenliang Du (page 75, Conduct buffer overflow attack), he claims that if we compile a C program like this:

$ gcc -z execstack -fno-stack-protector -g -o stack_dbg stack.c
$ sudo chown root stack
$ sudo chmod 4755 stack

it causes the program to be a Set-UID program that can be debugged by a normal user; however, the normal user will not gain any privileges. Why? In the case where the user can use the debug tool, why can't he use it to his own advantage?

  • If one can "debug" a process, one can write to the process's memory. One can write code to `execve` a shell. If `$USER` could debug a setuid program, it would be a setuid shell. Game over! – waltinator Apr 25 '22 at 20:27
  • No need to even write to the process’s memory, the debugger can call `system("/bin/sh")` directly. – Stephen Kitt Apr 25 '22 at 23:16
  • How exactly can the debugger call `system("/bin/sh")` directly? – linuxbeginner Apr 26 '22 at 04:11
  • See [how to do it in `gdb`](https://sourceware.org/gdb/onlinedocs/gdb/Calling.html) (but that doesn’t explain how it’s implemented). – Stephen Kitt Apr 26 '22 at 11:56
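The quoted answer and the book's `chown root` / `chmod 4755` steps both come down to one kernel rule: an unprivileged tracer may not attach to a process whose credentials changed at exec, and when such a tracer launches a set-id binary itself, the kernel ignores the set-id bits, so the program runs with the user's own privileges. The following check is added here as an illustration and is not code from the question, the comments or the book; it predicts that outcome from a file's mode and owner plus Yama's `ptrace_scope`, assuming Linux semantics and no CAP_SYS_PTRACE for non-root users.

```python
# Added example: predict how ptrace treats a binary for a given user. Pure
# function over mode/owner/uid so it can be exercised without a real setuid file.
# Assumption: standard Linux rules, tracer has no CAP_SYS_PTRACE unless uid 0.
import os
import stat
from dataclasses import dataclass

YAMA_SCOPE = "/proc/sys/kernel/yama/ptrace_scope"  # absent on non-Yama kernels


@dataclass
class Verdict:
    gains_privilege: bool      # would a normal exec change euid or egid?
    can_attach_running: bool   # may this user PTRACE_ATTACH to a running instance?
    note: str


def assess(mode, owner_uid, owner_gid, my_uid, my_gid, ptrace_scope=0):
    """Set-id bits only matter when they would change the effective id."""
    setuid = bool(mode & stat.S_ISUID) and owner_uid != my_uid
    setgid = bool(mode & stat.S_ISGID) and owner_gid != my_gid
    gains = setuid or setgid
    if my_uid == 0:
        return Verdict(gains, True, "root (CAP_SYS_PTRACE) may trace anything")
    if ptrace_scope >= 3:
        return Verdict(gains, False, "Yama scope 3: attach disabled for everyone")
    if gains:
        # The case the question asks about: the kernel makes the privileged
        # process non-dumpable, so attach fails with EPERM; starting it under
        # gdb works, but the set-id bits are dropped, so nothing is gained.
        return Verdict(True, False, "set-id binary: attach refused; running it "
                       "under a debugger drops the set-id bits")
    if ptrace_scope >= 2:
        return Verdict(False, False, "Yama scope 2: only CAP_SYS_PTRACE may attach")
    if ptrace_scope == 1:
        return Verdict(False, False, "Yama scope 1: attach only to descendants "
                       "(or processes that called PR_SET_PTRACER)")
    return Verdict(False, True, "same credentials, Yama off: attach allowed")


def check_file(path):
    """Apply assess() to a real file on this machine for the current user."""
    st = os.stat(path)
    try:
        with open(YAMA_SCOPE) as f:
            scope = int(f.read().strip())
    except OSError:
        scope = 0
    return assess(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                  os.getuid(), os.getgid(), scope)
```

`check_file("/bin/su")` run as an ordinary user reports `gains_privilege=True, can_attach_running=False`, which is exactly why the book's setuid `stack` binary can be run under gdb but yields no root privileges.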
