/i/2004763582.png?fit=%2C&ssl=1)
Edit: thanks of us, I do know you are able to do issues there as different customers/admin/root; the query is what it does technically. In different phrases, how does su(do) do this? What does a sudo different appear to be?
There are a number of implementations of su, however they typically work equally. I am going to get this model I am util-linux for reference, since that is the model I am operating right here on Ubuntu; so that is su however not sudo. sudo does just about what su does, however has a complete bunch extra choices to transparently or not transparently run sure instructions for sure teams and customers.
To start with, the command line arguments are learn in and it’s decided what must be carried out. Then the secure loading of the mandatory configuration recordsdata is prepared, and the particular enter machine is appeared up in order that it may be learn straight from it (in order that injection assaults are much less seemingly and you can not simply pipe your password to su).
Then the knowledge of the present and the specified consumer is requested and validated. That is used to carry out the authentication (learn: the password or your fingerprint or your good card is validated).
The proper shell is then appeared up, if mandatory, a name to initgroups() is finished to replace the group checklist from the file system. The required useful resource limits (see for instance right here) are up to date for the brand new consumer and a session is opened by way of PAM in order that the system is able to swap identities.
Then the method is forked so that there’s a little one course of and a su-process that retains a watch on issues and in order that the mandatory previous information might be cleaned up. The kid course of is used to really swap customers.
Then they name setgid() in settime() On. These APIs are solely out there inside binaries with a particular file system attribute (SUID for setuid, SGID for setgroupid). They inform the kernel to change the method checklist and regulate permissions and privileges in order that the method runs as a special consumer and group from then on. su and to some extent sudo are actually nearly calling these two APIs appropriately.
Now that the method is operating because the supposed consumer, the setting is modified (in order that $HOME and the like are right) and this system adjustments the present listing to the house listing.
If a command is given it is going to now be executed, if not this system calls the default shell by way of execv(). execv replaces the method in reminiscence (hundreds a brand new picture, calls its primary(), clears all reminiscence and such from the present course of) and thus doesn’t create a baby course of. That is the place su ends until execv fails after which simply prints an error message.
You can also make your personal su pretty simply. It’s essential to name the API to validate the consumer, then name the APIs for UID and GID, and also you’re principally there. In actual fact, validating customers is technically optionally available! In case your binary has the mandatory attributes, you’ll be able to name setuid and setguid instantly!
There’s a number of accounting and C-APIs concerned with the conventional instruments and the order of issues is extraordinarily vital; combine up the order and you might unintentionally give everybody root privileges!
You may get a extra detailed rationalization of how you might implement this in Rust discover right here. Thoughts you, this weblog makes use of fairly an… attention-grabbing type, if that is an excessive amount of for you you’ll be able to at all times learn the C code of su and sudo.
[Reactie gewijzigd door GertMenkel op 1 mei 2023 10:10]
