如何查找多次sudo/su之后的那个原始用户?


因为功能需要,所以要解决这么样的一个问题,刚开始时以为有PID/PPID/SID再加上一个时间戳……这些内容应该差不多就可以确定原始用户了,但后来才知道我错了o(╯□╰)o 对Bash的一些概念理解得还是不够清楚啊,不过经过网上的一番搜索,还是找出了不少内容的,需要慢慢消化一下:

确定搜索关键字:

http://search.aol.com/aol/search?q=Linux+find+su+from

参考链接:

http://stackoverflow.com/questions/4598001/how-do-you-find-the-original-user-through-multiple-sudo-and-su-commands

解决方法:

Use who am i | awk ‘{print $1}’ OR logname as no other methods are guaranteed.

使用命令:

who am i

logname

可以得到正确的原始用户名。


但是如何通过C语言编程得到原始/正确的用户名呢?(即,通过程序实现类似于“who am i”和“logname”命令的功能)

思路/方法:

查看who命令或logname命令的源码。

查看logname命令的manual可以得知属于coreutils库,因此,下载源代码,一点一点来:

logname_manual

解压之后找到logname的源码位置及其代码核心内容:

# pwd
/root/downLoads/coreutils-8.23
# find -iname "*logname*"
./src/logname.c
./man/logname.x
int main (int argc, char **argv) {
	char *cp;

	/* POSIX requires using getlogin (or equivalent code).  */
	cp = getlogin ();
	if (cp) {
		puts (cp);
		exit (EXIT_SUCCESS);
	}
	/* POSIX prohibits using a fallback technique.  */
	error (0, 0, _("no login name"));
	exit (EXIT_FAILURE);
}

最最重要的就是里面的getlogin()函数。

因此,查找关键字:

http://search.aol.com/aol/search?q=linux+getlogin

参考链接:

在编译过程中碰到的一些问题及相应解决办法:

在使用gcc/g++编译的时候报错“fatal error: config.h: No such file or directory”
参考链接:
解决方法:

使用gcc的-I选项指定自己的库文件搜索路径;还有个类似的-L选项

更多参考:
logname命令和getlogin()函数存在的一些问题与局限性

getlogin() and logname (which just calls getlogin()) obtain the logged-in username by looking up the current tty in utmp and reporting the login name found in that utmp record. The reason they do that is that they are designed to work on systems where multiple usernames might map to the same uid (a practice generally frowned upon but sometimes used to create multiple root accounts or different login names that start custom shells but all map to the same underlying uid). When used with such accounts, getpwuid(getuid()) will only report the first match from the passwd database, whereas getlogin() will find the one that was actually used to log in.

However, because this function relies on the contents of a writable file, it is not worthy of the same level of trust as getpwuid(getuid()). It’s true that only privileged processes should be able to write utmp, but there are a few “extra” programs that are often configured to be able to write it (generally by being setgid-utmp) like GNU screen and you might not want to trust those. I know that historically on some SysV systems I used to manage, utmp was prone to get corrupted occasionally.

简而言之就是:

getlogin()函数 和 logname命令 依据的是 /var/run/utmp 这个文件的内容,而这个文件对于一些特权用户来说是可写的,所以并不值得被信任。而且getlogin()这个函数还有个本地提权的漏洞:CVE-2003-0388,连exp都存在好久了。


《 “如何查找多次sudo/su之后的那个原始用户?” 》 有 5 条评论

  1. How to update sudo version on Linux
    https://www.xmodulo.com/update-sudo-version-linux.html
    `
    # How to Check if Your sudo Has Vulnerability (CVE-2021-3156)
    1. Method One: Check sudo Version
    $ sudo –version

    2. Method Two: Test the Vulnerability of CVE-2021-3156 from the Command Line:
    $ sudoedit -s /

    If your sudo is vulnerable, it will display an error message that says “sudoedit: /: not a regular file”
    If your sudo is already patched, it will show a usage message starting with usage:

    # Update sudo Version on Supported Linux Distros

    ## Update sudo on Ubuntu, Debian or Linux Mint:
    $ sudo apt update; apt changelog sudo | grep CVE-2021-3156
    $ sudo apt update; sudo apt –only-upgrade install sudo

    ## Update sudo on Fedora or CentOS:
    $ repoquery –changelog sudo | grep CVE-2021-3156
    $ sudo dnf update sudo

    ## Update sudo Version on Unsupported Linux Distros

    $ sudo apt install make gcc
    $ sudo dnf install make gcc

    $ wget https://www.sudo.ws/dist/sudo-1.9.5p2.tar.gz
    $ tar -xf sudo-1.9.5p2.tar.gz
    $ cd sudo-1.9.5p2
    $ ./configure –prefix=/usr
    $ make
    $ sudo make install
    `

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注