
Re: SUID shells...aaarrgghh



I wasn't going to send this trick to the list, but since there is a
demand:

    #include <unistd.h>

    int
    main(void) {
        setuid(0);      /* euid is already 0 (set-uid root), so this sets the real uid too */
        seteuid(0);
        execl("/bin/sh", "-sh", (char *)0);   /* NULL sentinel must be a pointer */
        return 1;       /* only reached if execl fails */
    }

put this in filename.c, compile with gcc -o filename filename.c, set up
with chmod u+s filename, and run with ./filename.  Much smaller than a
copy of bash too:
-rwsr-xr-x   1 root     root         4125 Oct 15 09:03 evil
-rw-r--r--   1 root     root          103 Oct 15 09:03 evil.c
-rwxr-xr-x   1 root     root       325548 Aug 15 12:56 /bin/bash

If you are trying to do this for convenience, don't, unless you know the
risk and ways of securing this from other users.  There are better ways
(su, sudo, etc).

HTH,
Brandon

On Wed, 15 Oct 1997, joost witteveen wrote:

> > > so, logging into console as root
> > > 
> > > $ cp /bin/bash /bin/somefile
> > > 
> > > $ ls -l /bin/somefile
> > > -rwxr-x--- 1 root root 318612 Oct 14 22:44 /bin/somefile
> > > 
> > > $ chmod a+xs /bin/somefile
> > > -rwsr-s--x 1 root root 318612 Oct 14 22:44 /bin/somefile
> 
> > You're just running into some simple protection that is designed to trip up
> > said pimply-faced crackers: bash gives up any suid permissions when it
> > starts up.
> 
> 
> Note that this behaviour is new in bash-2.0 (1.4 didn't do it).
> I find it annoying, though. I don't really see the great advantage
> of this (it's _very_ easy to get around for hackers), and it makes it
> more difficult for me to become UID 7483 (no such user exists on my
> system, but say it does on a friendly nfs server).
> I used to be able to just do 
>   cp /bin/bash /tmp; chown 7483 /tmp/bash; chmod u+s /tmp/bash;/tmp/bash
> but now I have to use a different shell (and then type bash, cause I cannot
> use the other shell). Does anyone know of an easier way to become
> UID=7483?
> 
> > If you try the same thing with some other shell that doesn't have this
> > protection, it will probably work as you would expect.

-----
Brandon Mitchell <bhmit1@mail.wm.edu>   "We all know linux is great... it
PGP: finger -l bhmit1@cs.wm.edu          does infinite loops in 5 seconds"
Phone: (757) 221-4847                      --Linus Torvalds


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-user-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

