4

This is not an exercise, there might be no solution.

We are producing a Docker image (based on CentOS) which is designed to be executed by a non-root user. However, this user has write access to /etc/passwd because he is in the "root" group. Here are the /etc/passwd permissions:

-rw-rw-r-- 1 root root 692 Dec 16 14:35 /etc/passwd

This is a critical flaw and it is supposed to allow easy privilege escalation. I can add a user into /etc/passwd.

But I cannot switch to this user, because su does not have SUID permission:

-rwxr-xr-x 1 root root 32128 Sep 30 17:46 /bin/su

As a result, the user does not have enough permissions for a successful su execution:

su: cannot set groups: Operation not permitted

As I understood it, on most Linux systems the su command is configured with the SUID permission. That means that whoever executes su, it is considered to be executed by the root user. Another alternative might be to play with capabilities. I suppose that CAP_SETGID and CAP_SETUID are required, and maybe some others. If su were configured with those capabilities, the SUID permission might not be needed. But in our Docker image, there are no capabilities on su. So it seems that only root can execute su properly.

Also, sudo is not installed and no sshd/telnetd is running.

So how can I use the credentials added to /etc/passwd? Curl is available if that can help.

rt15

1 Answer

3

On a standard Linux host (VM or server), if you have access to /etc/passwd or /etc/shadow then you can modify or add credentials to accounts, which would obviously be a serious problem (there are details on the consequences of allowing a modification to /etc/passwd in this answer).

In a Docker container, usually the software which makes use of these files is not installed, so no Linux PAM, no SSHD, or other software which would make use of an authentication database.

Without that type of software being installed, there's not much you can do, as there are no programs which operate on those files.

Of course, if the application running in the container makes use of /etc/passwd then modifying it could have an impact, but that'll be situational depending on what the container does.

Rory McCune
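An image-audit check for the two conditions discussed in the question and answer, added here as an example (it is not code from either post): it flags account files writable by group or others, and lists which programs that consume those files are present and whether they are setuid/setgid or carry file capabilities. It assumes the image filesystem has been unpacked to a directory; the `CONSUMERS` list and all function names are assumptions made for illustration.

```python
import os
import stat
import tempfile

ACCOUNT_FILES = ("etc/passwd", "etc/shadow", "etc/group")
# Assumed list of programs that consume the account database.
CONSUMERS = ("su", "sudo", "sshd", "login", "telnetd")
BIN_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin")


def has_file_caps(path):
    """True if the file carries Linux file capabilities (security.capability xattr)."""
    try:
        return bool(os.getxattr(path, "security.capability"))
    except (OSError, AttributeError):  # no xattr set, or platform without getxattr
        return False


def audit_rootfs(root):
    """Audit an unpacked image filesystem rooted at `root`."""
    findings = {"writable": [], "consumers": []}
    for rel in ACCOUNT_FILES:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            mode = os.stat(path).st_mode
            # Group- or world-writable is the flaw from the question (-rw-rw-r--).
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings["writable"].append((rel, stat.filemode(mode)))
    seen = set()
    for rel in (f"{d}/{n}" for d in BIN_DIRS for n in CONSUMERS):
        path = os.path.realpath(os.path.join(root, rel))
        if os.path.isfile(path) and path not in seen:
            seen.add(path)
            mode = os.stat(path).st_mode
            # The su in the question has neither setuid/setgid bits nor capabilities.
            privileged = bool(mode & (stat.S_ISUID | stat.S_ISGID)) or has_file_caps(path)
            findings["consumers"].append((rel, stat.filemode(mode), privileged))
    return findings


def build_sample_rootfs():
    """Constructed sample mirroring the two permission lines in the question."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    for rel, mode in (("etc/passwd", 0o664), ("bin/su", 0o755)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
    return root
```

Calling `audit_rootfs(build_sample_rootfs())` reports the writable /etc/passwd and an su that is present but not privileged, which is the situation described above. A writable account file should be fixed in the image build regardless of whether any consumer is currently installed.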