Subject: Re: non-root user executes root shell?
To: None <netbsd-users@netbsd.org>
From: Lubomir Sedlacik <salo@Xtrmntr.org>
List: netbsd-users
Date: 10/03/2004 12:50:13

hi,

On Sun, Oct 03, 2004 at 10:55:22AM +0200, Sascha Retzki wrote:
> > I'm in the sudo camp on that, myself, but someone here said recently
> > they write a user runnable mount program in C to do that.
>
> --C code--
> #include <stdio.h>
>
> void main(void) {
> 	system("id");
> }
> --END C code--
> Compile it with "gcc -o executable_name sourcefilename.c".
> after that, set the executable suid root: "chown root.wheel m00.exe" ;
> "chmod +s m00.exe" ... .
> you can put both commands of the script into system() calls, however
> you will not be able to fetch return codes and react via if() calls,
> at least not in C. But you get the deal.
> Btw, either use "mount_cd9660" or "mount -t cd9660" ;)
> If you ever look into writing real C programs and not some sh-script
> imitations, please use "int main(int argc, char *argv[])" and return some
> value at the end :))

did you realize that the program above is a straight path to a root
shell for any user who can execute it?  (exercise left for the readers)


regards,

-- 
-- Lubomir Sedlacik <salo@{NetBSD,Xtrmntr,silcnet}.org>   --
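
Added example, not part of the thread and not either poster's code: a setuid helper that avoids system(), which hands the command to /bin/sh together with the caller's environment, and instead calls execve() on an absolute path with a fixed argument list and a fixed environment. The device /dev/cd0a, the mount point /cdrom and the helper name run_clean are assumptions for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the child; nothing from the caller survives. */
static char *const clean_env[] = { "PATH=/sbin:/usr/sbin:/bin:/usr/bin", NULL };

/*
 * Run one program by absolute path with a fixed argv and environment.
 * No shell is involved. Returns the child's exit status, or -1 on error.
 */
int run_clean(const char *abs_path, char *const argv[])
{
	pid_t pid;
	int status;

	if (abs_path == NULL || abs_path[0] != '/')
		return -1;		/* refuse names that need a PATH lookup */

	pid = fork();
	if (pid == -1)
		return -1;
	if (pid == 0) {
		execve(abs_path, argv, clean_env);
		_exit(127);		/* exec itself failed */
	}
	while (waitpid(pid, &status, 0) == -1)
		if (errno != EINTR)
			return -1;
	return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
	/* Assumed device and mount point: hard-coded, never taken from argv. */
	char *const args[] = { "mount_cd9660", "/dev/cd0a", "/cdrom", NULL };
	int rc = run_clean("/sbin/mount_cd9660", args);

	if (rc != 0) {
		fprintf(stderr, "mount_cd9660 failed (status %d)\n", rc);
		return EXIT_FAILURE;
	}
	return EXIT_SUCCESS;
}
```

The exit status comes back through waitpid(), so the caller can branch on it.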
