Cover V09, I05

may2000.tar


Sidebar 2: Build a Backdoor

What is recommended on the computers where you are “in charge” is to build a backdoor protected by a password: an executable file that gives you root privileges in case the root password is lost. The code below gives root privileges to anybody who runs it, but it asks for a passphrase first. A passphrase stored as a plain string in the binary is revealed by strings(1), so some simple “encryption” of it should be implemented.

Simply using a checksum of the passphrase is already good enough to keep it out of strings(1). If, for example, the passphrase is “wait & 123SEE” (without the quotes), the sum of the ASCII values is 920 with the final <Enter> included (read(2) returns the newline, value 10, as part of the input); if you end the passphrase with ctrl-D instead of <Enter>, the total is 910. Be clear about what this does and does not protect: only the sum is stored, so the passphrase itself cannot be read out of the binary, but any input whose bytes add up to 920 is accepted, and anyone who can disassemble the binary finds that constant in the comparison.

Although not mandatory, it is better to call it from a script:

  stty -echo              # doesn't display the passphrase
  /usr/bin/.back
  stty echo

Note that the final stty echo only runs after .back (and the root shell it starts) has exited, so the root shell itself starts with echo still off; type stty echo once inside it.

- back.c :

#include <unistd.h>
#include <stdlib.h>           /* exit() */

int main(void)
{
    char b[100];              /* to read the passphrase */
    int  i, j = 0, n;

    n = read(0, b, sizeof(b));  /* read from stdin; n < 0 on error, then j stays 0 */

    for (i = 0; i < n; i++)   /* password check : begin */
        j += b[i];
    if (j != 920)
        exit(1);              /* password check : end, silently exit */

    if (setuid(0) != 0)       /* fails if the setuid bit was lost: don't hand out a plain shell */
        exit(1);
    execl("/usr/bin/sh", "sh", (char *)0);
    return 1;                 /* only reached if execl fails */
}

# cc -s -o back back.c        # -s strips the symbol table
# cp back /usr/bin/.back      # so I can use it as regular user
# chmod 4111 /usr/bin/.back   # set the mode on the installed copy, not only the original
# ll /usr/bin/.back
---s--x--x   1 root      sys          20645 Jan 2 15:20 /usr/bin/.back

Mode 4111 is setuid root and execute-only: with no read bit, ordinary users cannot run strings(1) or a disassembler on the file at all, and the checksum only has to resist someone who obtains the binary by other means (a backup tape, a copy of the disk). Set the mode on the installed copy and verify it with ll, since a plain cp need not carry the setuid bit over.
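To show what the sum check actually enforces, here is an added example that is not from the article or its may2000.tar code: passphrase_sum() repeats the loop from back.c, backdoor_accepts() repeats its comparison against the stored constant, and forge_passphrase() builds a different printable string with the same sum, which back.c would accept just as readily. All three function names are assumptions of this example.

```c
/* Added example: the sum check from back.c, and why it is not a password.
 * passphrase_sum()  - the exact loop back.c runs over what read(2) returned
 * backdoor_accepts() - back.c's accept/reject decision for a target sum
 * forge_passphrase() - a printable string with any given sum (collision)
 * All names are hypothetical; the arithmetic is the article's. */
#include <stdio.h>
#include <string.h>

/* Same arithmetic as back.c: plain char values accumulated into an int
 * (for 7-bit ASCII input the signedness of char does not matter). */
int passphrase_sum(const char *buf, size_t n)
{
    int j = 0;
    for (size_t i = 0; i < n; i++)
        j += buf[i];
    return j;
}

/* back.c's decision: the only thing it knows about the passphrase is target. */
int backdoor_accepts(const char *buf, size_t n, int target)
{
    return passphrase_sum(buf, n) == target;
}

/* Build a printable string whose byte sum is exactly target.
 * Greedy: as many '~' (126) as fit, then the remainder as one or two
 * printable bytes (32..126). Returns the length written, or -1 if the
 * target is too small or the buffer too short (one byte is kept for NUL). */
int forge_passphrase(int target, char *out, size_t cap)
{
    if (target < 32)
        return -1;                        /* no printable byte is that small */

    int k = target / 126;                 /* number of '~' */
    int r = target % 126;                 /* remainder, 0..125 */
    size_t len = 0;

    /* the remainder must itself be printable: give back one '~' if not */
    while (r < 32 && k > 0) { k--; r += 126; }   /* r becomes 126..157 */
    if (r < 32)
        return -1;

    if ((size_t)k + 3 > cap)              /* k tildes + up to 2 bytes + NUL */
        return -1;
    for (int i = 0; i < k; i++)
        out[len++] = '~';
    if (r <= 126) {
        out[len++] = (char)r;
    } else {                              /* 127..157: split as ' ' + (r - 32) */
        out[len++] = ' ';
        out[len++] = (char)(r - 32);      /* 95..125, always printable */
    }
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* constructed input: the article's passphrase as read(2) returns it after <Enter> */
    const char real[] = "wait & 123SEE\n";
    char fake[32];
    int n = forge_passphrase(920, fake, sizeof fake);

    printf("real      sum=%d accepted=%d\n",
           passphrase_sum(real, strlen(real)), backdoor_accepts(real, strlen(real), 920));
    printf("forged %s sum=%d accepted=%d\n",
           fake, passphrase_sum(fake, (size_t)n), backdoor_accepts(fake, (size_t)n, 920));
    return 0;
}
```

The forged string "~~~~~~~&" (seven tildes and an ampersand) is one of very many inputs that sum to 920; the check in back.c cannot tell them apart, which is why the execute-only mode, not the checksum, is what actually keeps the constant out of an attacker's hands.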
The source can be kept elsewhere, or on a local disk simply “encrypted” with dd, for example (if you have nothing else):

dd if=source of=source.e conv=ebcdic,swab

and to decrypt:

dd if=source.e of=source conv=ascii,swab

It is better than plain text, but no more than that: the transformation is fixed and anyone who recognizes it reverses it with the second command. Check the round trip with cmp(1) against the original before deleting the clear copy, since some dd implementations drop the last byte of an odd-length input when swapping pairs. Beware also of the .sh_history or $HISTFILE file, which records the passphrase-free but still revealing commands above: disable it or drop it afterwards.
Of course, if you create such a program without any password, you implement an easy backdoor. If somebody discovers it, you have a problem. Remember, any user can type:

find / -perm -4000 -print  2>/dev/null

to locate the SUID files in every directory he or she can read (-perm -2000 for SGID files). The execute-only mode does not hide the file from this listing: find gets the mode from stat(2) and needs no read permission on the file itself.