[TUHS] Set-uid shell scripts
Rico Pajarola
rp at servium.ch
Mon Aug 5 02:50:32 AEST 2019
When running a shell script, what's actually executed is the first line of
the script (after #!) + the name of the script.

If your script is named "-i", and in your path, just enter "-i", and
/bin/sh -i is executed which gives you an interactive shell.

There are probably half a dozen other ways to trick the shell into
executing arbitrary code that is not contained in the script (more if the
script actually does anything non-trivial, like e.g. an installer of some
sort). So instead of trying to fix them all (and most likely missing a
few), everybody just agreed that it was a terrible idea and removed the
feature.

On Sun, Aug 4, 2019 at 9:00 AM Noel Chiappa <jnc at mercury.lcs.mit.edu> wrote:
> > From: Alec Muffett
>
> > until someone realised that you could do:
> > ln -s /bin/scriptname ./-i
> > "-i" # assuming that "." is already in your path
> > ...and get a root shell.
>
> I'm clearly not very awake this morning, because I don't understand how
> this works. Can you break it down a little? Thanks!
>
> Noel
>
>
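
Added illustration, not part of the original message: a small shell model of the argv construction described above, showing why a script named "-i" is read as an option and how a "#!" line ending in "-" stops that one path (it does nothing for the other tricks the message alludes to). The function names are hypothetical, the inputs are constructed, and it assumes everything after the interpreter path is passed as a single argument and that the interpreter treats "-" or "--" as end of options, as sh does.

```shell
# Added example; function names are hypothetical and inputs are constructed.
# Assumption: text after the interpreter path is passed as ONE argument.

# Split a "#!" line into SB_INTERP and SB_ARG (empty if there is none).
parse_shebang() {
    sb=$(printf '%s' "$1" | tr '\t' ' ')
    sb=${sb#'#!'}
    sb=${sb#"${sb%%[! ]*}"}      # trim leading blanks
    sb=${sb%"${sb##*[! ]}"}      # trim trailing blanks
    SB_INTERP=${sb%% *}
    SB_ARG=
    case $sb in
        *' '*) SB_ARG=${sb#* }; SB_ARG=${SB_ARG#"${SB_ARG%%[! ]*}"} ;;
    esac
}

# Print the argv the interpreter receives, one element per line:
# interpreter, optional "#!" argument, then the name the script was run as.
shebang_argv() {
    parse_shebang "$1"
    printf '%s\n' "$SB_INTERP"
    if [ -n "$SB_ARG" ]; then printf '%s\n' "$SB_ARG"; fi
    printf '%s\n' "$2"
}

# Exit 0 if the interpreter would read the script name as an option:
# the name starts with "-" and the "#!" line did not end option
# parsing with "-" or "--" first.
name_parsed_as_option() {
    parse_shebang "$1"
    case $SB_ARG in
        -|--) return 1 ;;
    esac
    case $2 in
        -*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Constructed cases: the message's "-i" name against three "#!" lines.
for first in '#!/bin/sh' '#!/bin/sh -e' '#!/bin/sh -'; do
    if name_parsed_as_option "$first" '-i'; then verdict='name read as OPTION'
    else verdict='name read as file'; fi
    printf '%-14s -> %s(%s)\n' "$first" \
        "$(shebang_argv "$first" '-i' | tr '\n' ' ')" "$verdict"
done
```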