标题: [Solaris]MDB修改指定进程的cr_uid
http://scz.617.cn/unix/201509080928.txt
普通用户scz尝试打开/etc/shadow:
$ echo $$ 25182 $ id uid=1000(scz) gid=1(other) $ vi /etc/shadow
vi进程启动,但报错:
"/etc/shadow" Permission denied
在mdb里修改vi进程的cr_uid(即EUID):
::pgrep vi S PID PPID PGID SID UID FLAGS ADDR NAME R 19011 25182 19011 25182 1000 0x4a004000 00000300029a5380 vi 0t25182 ::pid2proc | ::print -at proc_t p_cred 300029a1840 struct cred *p_cred = 0x3000874fd30 0t19011 ::pid2proc | ::print -at proc_t p_cred 300029a53a0 struct cred *p_cred = 0x3000874fd30 00000300029a5380 ::print -at proc_t p_cred->cr_uid 3000874fd34 uid_t p_cred->cr_uid = 0x3e8 ::sizeof uid_t sizeof (uid_t) = 4 3000874fd34 /X 0x3000874fd34: 3e8 3000874fd34 /U 0x3000874fd34: 1000 ! grep :1000: /etc/passwd scz❌1000:1:scz:/export/home/scz:/usr/bin/bash ! getent passwd 1000 scz❌1000:1:scz:/export/home/scz:/usr/bin/bash 3000874fd34 /W 0 mdb: failed to write 0 at address 0x3000874fd34: target is not open for writing $W 3000874fd34 /W 0 0x3000874fd34: 0x3e8 = 0x0
现在可以在vi里执行:
:rew
或
:r /etc/shadow
注意,父子进程共用p_cred,修改vi进程的cr_uid,实际会导致bash的EUID为0:
uid=1000(scz) gid=1(other) euid=0(root)