[TUHS] Set-uid shell scripts

Michael Kjörling michael at kjorling.se
Mon Aug 5 02:30:00 AEST 2019


On 4 Aug 2019 11:58 -0400, from jnc at mercury.lcs.mit.edu (Noel Chiappa):
>> until someone realised that you could do:
>>  ln -s /bin/scriptname ./-i
>>  "-i" # assuming that "." is already in your path
>> ...and get a root shell.
> 
> I'm clearly not very awake this morning, because I don't understand how this
> works. Can you break it down a little? Thanks!

I'm guessing a little here, but could it be related to poor command
line argument parsing in some shell, where "-i" forces the shell to
start in interactive mode and the shell looks for parameters
_anywhere_ in its argv[] (including argv[0]), not just at argv[1] and
later?

That would match the result described by Alec, and my modern dash's
man page does give that meaning for "-i", but it also feels like a
trivial bug to fix in the shell without prohibiting setuid scripts...

-- 
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
  “The most dangerous thought that you can have as a creative person
              is to think you know what you’re doing.” (Bret Victor)
