Workaround when setuid is ignored
June 29, 2023 —
BarryK
I posted about 'sudo-sh', a replacement for sudo:
https://bkhome.org/news/202306/light-weight-replacement-for-sudo.html
Then about electron-based apps ignoring the setuid bit on executables:
https://bkhome.org/news/202306/electron-ignores-suid-on-binaries.html
I have implemented a workaround. /usr/bin/sudo-sh.c now has this code at the beginning:
    //the idea is that if sudo-sh setuid has been ignored (ex: electron app)
    //then write the params to sudosh_pass file, which will be read by /root/Startup/sudo-sh-ipc
    //which will call /usr/bin/sudo-sh as root, with the params.
    //needs: <fcntl.h> <stdlib.h> <string.h> <unistd.h>
    int euid = geteuid();
    if (euid != 0) {
        char ipcfile[] = "/tmp/pup_event_ipc/sudosh_pass";
        char outmsg[512];
        size_t used = 0;
        int x;
        //argv[0] is name of this prog, ignore that...
        outmsg[0]=0;
        for (x=1; x<argc; x++) {
            size_t len = strlen(argv[x]);
            //refuse rather than overflow outmsg (room needed for arg, space and terminating 0)
            if (used + len + 2 > sizeof(outmsg)) exit(1);
            strcat(outmsg,argv[x]);
            strcat(outmsg," ");
            used += len + 1;
        }
        int ipcdescr = open(ipcfile, O_WRONLY|O_APPEND); //|O_CREAT
        if (ipcdescr >= 0) { //open returns -1 on failure, 0 is a valid descriptor
            int wr = write(ipcdescr,outmsg,strlen(outmsg));
            close(ipcdescr);
        }
        //wait for ack from /root/Startup/sudo-sh-ipc...
        system("inotifywait -q -q -t 2 -e modify /tmp/pup_event_ipc/sudosh_ack");
        exit(0);
    }
There is a daemon, /root/Startup/sudo-sh-ipc, that will execute the required setuid binary as the root user. Commit:
https://github.com/bkauler/woofq/commit/10e9cf0860c8df30fb105cedfc107636138d8cf3
Can't say that I'm happy with this. The workaround is a hack and has some limitations.
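The loop in the snippet joins the arguments with spaces into a fixed 512-byte buffer, so both total length and argument boundaries matter once a root daemon reads the result. The following is an added example, not code from the post or from woofq: a bounded builder that keeps the same space-separated format and rejects arguments that would not survive it. The names `build_ipc_msg` and `IPC_*` are hypothetical, and it assumes the reader of sudosh_pass splits the line on whitespace, which the page does not show.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this added example. */
enum { IPC_OK = 0, IPC_TOO_LONG = -1, IPC_BAD_ARG = -2 };

/* Join argv[1..argc-1] into out as "arg1 arg2 ... ", the same layout the
 * post's loop produces. Nothing is ever written past out[outsz-1]; on any
 * error the buffer is left empty so a partial request is never sent. */
int build_ipc_msg(char *out, size_t outsz, int argc, char *const argv[])
{
    size_t used = 0;

    if (outsz == 0)
        return IPC_TOO_LONG;
    out[0] = '\0';
    for (int x = 1; x < argc; x++) {
        const char *arg = argv[x];
        size_t len = strlen(arg);

        /* Assumption: the reader splits on whitespace. An empty argument,
         * or one containing whitespace, would then arrive as a different
         * argument list than the caller passed, so refuse it. */
        if (len == 0 || strpbrk(arg, " \t\r\n") != NULL) {
            out[0] = '\0';
            return IPC_BAD_ARG;
        }
        /* Need len bytes, one separator and the terminating NUL. */
        if (len + 2 > outsz - used) {
            out[0] = '\0';
            return IPC_TOO_LONG;
        }
        memcpy(out + used, arg, len);
        used += len;
        out[used++] = ' ';
        out[used] = '\0';
    }
    return IPC_OK;
}

int main(void)
{
    /* Constructed sample arguments, not taken from sudo-sh. */
    char *args[] = { "sudo-sh", "example-tool", "--flag", NULL };
    char msg[512];
    int rc = build_ipc_msg(msg, sizeof msg, 3, args);
    printf("rc=%d msg=\"%s\"\n", rc, msg);
    return rc == IPC_OK ? 0 : 1;
}
```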
Tags: easy