Subject: Re: non-root user executes root shell?
To: Lubomir Sedlacik <salo@Xtrmntr.org>
From: Ben Collver <collver@peak.org>
List: netbsd-users
Date: 10/03/2004 05:19:51
On Sun, Oct 03, 2004 at 12:50:13PM +0200, Lubomir Sedlacik wrote:
> On Sun, Oct 03, 2004 at 10:55:22AM +0200, Sascha Retzki wrote:
> > > I'm in the sudo camp on that, myself, but someone here said recently 
> > > they write a user runnable mount program in C to do that. 
> > 
> > #include <stdio.h>
> > #include <stdlib.h>	/* system() */
> > 
> > int main(void) {
> > 	system("id");	/* relative command name, caller's PATH and environment */
> > 	return 0;
> > }
> 
> did you realize that the program above is a straight path to a root
> shell for any user who can execute it?  (exercise left for the readers)

Thank you for your note.  I've been seeing "exercise left for the
readers" in messages lately.  Two things that come to my mind are:

1) an absolute path is not used for the id command, so the user could
run any program or symbolic link named id.

2) /usr/bin/id is dynamically linked to libc, so one could use
LD_PRELOAD and a libc wrapper to execute arbitrary code.  I am not
certain about this one.

What other straight paths exist in the above program?

Ben
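
As an added example, not part of this thread, the following C program puts
the quoted wrapper beside a hardened version and exercises path 1 from Ben's
list: it plants a fake "id" in a temporary directory, prepends that directory
to PATH, and shows that system("id") runs the planted script while a
fork/execve of /usr/bin/id with a fixed environment does not.  The hardened
form forwards nothing from the caller's environment, so variables such as
LD_PRELOAD never reach the child either.  Nothing here is installed setuid;
the program only shows which binary gets resolved.  It assumes a POSIX system
with /bin/sh, /usr/bin/id and a writable /tmp; the fake script, the exit code
42 used as its marker and all function names are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* The wrapper from the quoted post, behaviour unchanged: system() hands the
 * string to "/bin/sh -c", so "id" is resolved through the caller's PATH in
 * the caller's environment.  Installed setuid root, it runs whatever the
 * caller has named "id". */
static int run_id_unsafe(void)
{
    return system("id");
}

/* Hardened form: absolute path, a fixed environment that forwards nothing
 * from the caller, and no shell in between. */
static int run_id_safe(void)
{
    char *const argv[] = { "/usr/bin/id", NULL };
    char *const envp[] = { "PATH=/bin:/usr/bin", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127);               /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return status;
}

/* Wait status -> exit code; -1 if the child did not exit normally. */
static int exit_code(int status)
{
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* Attacker setup (constructed for this example): a directory holding a fake
 * "id" that exits 42, prepended to PATH.  Returns 0 on success. */
static int plant_fake_id(char *dir, size_t dirlen)
{
    snprintf(dir, dirlen, "/tmp/fakeid.XXXXXX");
    if (mkdtemp(dir) == NULL)
        return -1;
    char script[PATH_MAX];
    snprintf(script, sizeof script, "%s/id", dir);
    FILE *f = fopen(script, "w");
    if (f == NULL)
        return -1;
    fputs("#!/bin/sh\nexit 42\n", f);
    fclose(f);
    if (chmod(script, 0755) < 0)
        return -1;
    const char *old = getenv("PATH");
    char newpath[8192];
    snprintf(newpath, sizeof newpath, "%s:%s", dir, old ? old : "/bin:/usr/bin");
    return setenv("PATH", newpath, 1);
}

static void remove_fake_id(const char *dir)
{
    char script[PATH_MAX];
    snprintf(script, sizeof script, "%s/id", dir);
    unlink(script);
    rmdir(dir);
}

/* Run one wrapper under the hijacked PATH and report which "id" ran:
 * 42 means the planted script, 0 means the real /usr/bin/id. */
static int exit_code_under_hijacked_path(int (*wrapper)(void))
{
    char dir[PATH_MAX];
    if (plant_fake_id(dir, sizeof dir) < 0)
        return -1;
    int code = exit_code(wrapper());
    remove_fake_id(dir);
    return code;
}

int unsafe_wrapper_exit_code(void) { return exit_code_under_hijacked_path(run_id_unsafe); }
int safe_wrapper_exit_code(void)   { return exit_code_under_hijacked_path(run_id_safe); }

int main(void)
{
    printf("system(\"id\") under hijacked PATH exited %d (42 = fake id ran)\n",
           unsafe_wrapper_exit_code());
    printf("execve(/usr/bin/id) under hijacked PATH exited %d (0 = real id ran)\n",
           safe_wrapper_exit_code());
    return 0;
}
```

The fork/execve form is the minimum for a privileged wrapper; a real one
would also drop to the target privileges it actually needs, check the mount
point it is willing to touch, and validate any arguments before the exec.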