UNIX sockets: Is it possible to spoof getsockopt() SO_PEERCRED?

Is there a (compatible) way to spoof (as root) the unix socket (file system sockets) peer credentials which can be obtained by getsockopt(), option SO_PEERCRED?

Background:
I need to connect to a server application (which I cannot modify) which checks the UID of the process which connects to it via SO_PEERCRED. I'd like to spoof the information in order to be able to connect to the application as root, too.

UPDATE

To clarify the question:
I'm searching for a non-invasive way that the server sees a specific peer UID/GID. Solutions are discouraged which need to alter the kernel (or make use of kernel modules) or which change the server process or its loading/linking process in any way (LD_PRELOAD, system call interceptions etc.).

Basically, the solution should work when running on any Linux (or Unix in general) server without any special requirements. The server process might already be running.

MRalwasser asked Apr 12 '13 14:04


1 Answer

You're on the right lines. A root process has the privileges to spoof things like this; the problem is just that SO_PEERCRED provides no mechanism or API for a process to specify what identity should be presented to the peer.

Two things you can do:

  1. Temporarily drop root (setreuid(desired,-1)) when you make the connect call. A unix-domain connection is stamped with the credentials of the peer at the time the process called connect (and listen going the other way). SO_PEERCRED does not tell you the credentials of the peer at the current moment. Then you can resume root.

  2. Better, use another API. The message-passing API lets a process pick what identity to present to a peer. Call sendmsg with a struct cmsg that contains the credentials you want to send. The kernel will ignore the credentials specified by an unprivileged user and always make sure the other side sees the actual identity, but a privileged process can pretend to be anyone else. This is a better match for your needs, because dropping and regaining root is a perilous activity and in this case unnecessary. Google for "SCM_CREDENTIALS" (or "man -K" for it on your system) to get code samples.

Nicholas Wilson answered Oct 05 '22 07:10