[TUHS] Set-uid shell scripts

Rico Pajarola rp at servium.ch
Mon Aug 5 02:50:32 AEST 2019

when running a shell script, what's actually executed is the first line of
the script (after #!) + the name of the script.

If your script is named "-i", and in your path, just enter "-i", and
/bin/sh -i is executed which gives you an interactive shell.

There are probably half a dozen other ways to trick the shell into
executing arbitrary code that is not contained in the script (more if the
script actually does anything non-trivial, like e.g. an installer of some
sort). So instead of trying to fix them all (and most likely missing a
few), everybody just agreed that it was a terrible idea and removed the

On Sun, Aug 4, 2019 at 9:00 AM Noel Chiappa <jnc at mercury.lcs.mit.edu> wrote:

>     > From: Alec Muffett
>     > until someone realised that you could do:
>     >  ln -s /bin/scriptname ./-i
>     >  "-i" # assuming that "." is already in your path
>     > ...and get a root shell.
> I'm clearly not very awake this morning, because I don't understand how
> this
> works. Can you break it down a little? Thanks!
>        Noel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://minnie.tuhs.org/pipermail/tuhs/attachments/20190804/6a379e76/attachment.html>

More information about the TUHS mailing list