
/etc/shadow and suid dilemma

Tags: linux, shadow, suid

I stumbled on a problem about accessing system files with suid executables.

I wrote this short POC:

#include <unistd.h>
#include <stdio.h>

int main()
{
    if (access("/etc/shadow", W_OK) == 0)
        printf("shadow writable!\n");
    else
        printf("shadow not writable\n");

    return 0;
}

Then I compiled it and gave it the suid bit with chown root:root and chmod u+s (run as root).

This is the resulting executable:

-rwsrwxr-x  1 root root     4847 Apr 14 08:40 a.out

The target file has these rights:

-rw------- 1 root root 1836 Oct  8  2014 /etc/shadow

When I ran the program, it gave this output:

[d.berra@srvr ~]$ ./a.out
shadow not writable

Why does this happen? I mean... I'm accessing the file as root and root CAN write on this file!

Note: SELinux is disabled.

Ideas?

Davide Berra asked Aug 30 '25 17:08


1 Answer

From access:

The check is done using the calling process's real UID and GID, rather than the effective IDs as is done when actually attempting an operation (e.g., open(2)) on the file. This allows set-user-ID programs to easily determine the invoking user's authority.

So you can successfully open this file for writing, because your effective UID and filesystem UID are now 0, but access will still return an error.

As @nos noted, you forgot to change the executable's owner to root:

$ sudo chown root:root ./a.out

But even if you do that, you will still get "not writable" due to access behavior:

$ ls -l ./a.out 
-rwsr-xr-x 1 root root 12651 Apr 14 09:53 ./a.out
$ ./a.out 
shadow not writable

myaut answered Sep 02 '25 12:09
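
The difference described in the answer, as an added example (not code from the question or the answer): it asks the same question three ways, with access(2), with faccessat(2) plus AT_EACCESS, and with a real open(2). The names write_probe and probe_write are invented for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Three answers to "can this process write to path?" */
struct write_probe {
    int real_ok;      /* access(2): judged with the real UID/GID */
    int effective_ok; /* faccessat(2) + AT_EACCESS: judged with the effective IDs */
    int open_ok;      /* open(2): what the kernel actually permits */
};

/* probe_write is a name invented for this example. */
struct write_probe probe_write(const char *path)
{
    struct write_probe r;
    int fd;

    r.real_ok = (access(path, W_OK) == 0);
    r.effective_ok = (faccessat(AT_FDCWD, path, W_OK, AT_EACCESS) == 0);

    /* No O_CREAT, O_TRUNC or write(): the file's contents are left untouched. */
    fd = open(path, O_WRONLY | O_NOCTTY | O_NONBLOCK);
    r.open_ok = (fd >= 0);
    if (fd >= 0)
        close(fd);
    return r;
}

int main(int argc, char **argv)
{
    const char *path = (argc > 1) ? argv[1] : "/etc/shadow";
    struct write_probe r = probe_write(path);

    printf("real uid=%ld, effective uid=%ld\n", (long)getuid(), (long)geteuid());
    printf("access(W_OK)              : %s\n", r.real_ok ? "writable" : "not writable");
    printf("faccessat(..., AT_EACCESS): %s\n", r.effective_ok ? "writable" : "not writable");
    printf("open(O_WRONLY)            : %s\n", r.open_ok ? "succeeds" : "fails");
    return 0;
}
```

Run by an ordinary user from a root-owned setuid binary, the first line reports "not writable" while the other two report success, which is the behaviour seen in the question. A separate check followed by a later open() can be raced, so the result of open() itself is the authoritative answer.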