Linux privilege escalation means raising the privileges of the current user or process on a Linux system by some means so that it holds higher privileges. This is useful in many scenarios: in a server environment an ordinary user may need to be elevated to administrator for ease of management, or, in certain security scenarios, a process's privileges need to be lowered to prevent potential security risks. This article introduces some commonly used Linux privilege escalation methods.
Common privilege escalation methods

1. Using the sudo command

The sudo command is one of the most common ways to escalate privileges on a Linux system: prefixing a command with sudo lets an ordinary user run it with administrator privileges.

```bash
sudo apt-get update
```

This command runs apt-get update with administrator privileges, which is how the escalation is achieved. Note that when using sudo you may have to enter the current user's password to verify your identity. The -S option can also be used to let sudo handle the user's authentication automatically, for example from a script: with -S, sudo reads the password from standard input instead of prompting for it.

```bash
echo "password" | sudo -S apt-get update
```
2. Using the su command

The su command switches to another user; giving the target user's username after the command achieves privilege escalation.

```bash
su admin -c "do_something"
```

This command runs the do_something command as the admin user, which is how the escalation is achieved. Note that when using su you may have to enter the target user's password to verify your identity. The -s option can also be used to specify a shell, so that the session keeps that shell environment after the user switch.

```bash
su admin -s /bin/bash -c "do_something"
```
3. Using the setuid() and setgid() system calls

These two system calls set the program's user ID (setuid) and group ID (setgid) respectively, so that the running program has the privileges of the specified user. Normally these calls have to be made as the root user.

```cpp
#include <unistd.h>
#include <sys/types.h>
#include <pwd.h>
#include <grp.h>
#include <cstdio>
#include <iostream>

int main() {
    struct passwd *pw = getpwuid(1000);  // take the user with UID 1000 as the example
    struct group  *gr = getgrgid(1000);  // take the group with GID 1000 as the example
    if (pw == nullptr || gr == nullptr) {
        std::cerr << "UID or GID 1000 not found" << std::endl;
        return 1;
    }
    // Order matters: drop supplementary groups and the GID while still root,
    // because once setuid() has given up UID 0 the setgid() call would fail
    // and the process would keep its original group privileges.
    if (setgroups(0, nullptr) != 0 || setgid(gr->gr_gid) != 0 || setuid(pw->pw_uid) != 0) {
        perror("dropping privileges failed");
        return 1;
    }
    std::cout << "Hello, I'm user ID " << getuid()
              << " and group ID " << getgid() << std::endl;
    return 0;
}
```
4. Escalating privileges with the CAP_SYS_ADMIN capability

The CAP_SYS_ADMIN capability grants a process additional system privileges, including modifying the system call stack and reading other processes' memory; some programs use this capability to escalate privileges.
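Because CAP_SYS_ADMIN is so broad, the first thing an administrator usually wants to know is which processes actually hold it. The following C program is an added example (not code from the original article): it parses the CapEff line of /proc/<pid>/status, the kernel's hex bitmask of a process's effective capabilities, and reports whether the bit for CAP_SYS_ADMIN is set. The bit number 21 is CAP_SYS_ADMIN's value in <linux/capability.h>; the sample mask strings in the comments are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/types.h>

/* CAP_SYS_ADMIN's bit number, as in <linux/capability.h> (defined here so
 * the file also compiles on non-Linux hosts). */
#define CAP_SYS_ADMIN_BIT 21

/* 1 if bit `capbit` is set in a CapEff-style hex mask ("000001ffffffffff"),
 * 0 if clear, -1 if the field is not a plain hex number. */
int cap_mask_has(const char *hexmask, int capbit)
{
    char *end;
    if (hexmask == NULL || capbit < 0 || capbit > 63)
        return -1;
    uint64_t mask = strtoull(hexmask, &end, 16);
    if (end == hexmask || (*end != '\0' && *end != '\n'))
        return -1;
    return (mask >> capbit) & 1ULL ? 1 : 0;
}

/* Scan /proc/<pid>/status for the CapEff line (the *effective* set, i.e.
 * what the process can use right now).  Returns 1/0, or -1 if the file or
 * the line cannot be read (non-Linux host, no permission, no such pid). */
int proc_has_cap(pid_t pid, int capbit)
{
    char path[64], line[256];
    int result = -1;
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            const char *p = line + 7;
            while (*p == ' ' || *p == '\t')
                p++;
            result = cap_mask_has(p, capbit);
            break;
        }
    }
    fclose(f);
    return result;
}
```

Call proc_has_cap(pid, CAP_SYS_ADMIN_BIT) from a small main over the PIDs you care about; run against a container's init process it tells you quickly whether the container was started with CAP_SYS_ADMIN.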
Original article by K-seo. If you repost it, please credit the source: https://www.kdun.cn/ask/214145.html