Subject: Re: non-root user executes root shell?
To: Ben Collver <collver@peak.org>
From: Lubomir Sedlacik <salo@Xtrmntr.org>
List: netbsd-users
Date: 10/03/2004 14:36:14

hi,

On Sun, Oct 03, 2004 at 05:19:51AM -0700, Ben Collver wrote:
> On Sun, Oct 03, 2004 at 12:50:13PM +0200, Lubomir Sedlacik wrote:
> > On Sun, Oct 03, 2004 at 10:55:22AM +0200, Sascha Retzki wrote:
> > > > I'm in the sudo camp on that, myself, but someone here said
> > > > recently they write a user runnable mount program in C to do
> > > > that.
> > >
> > > #include <stdio.h>
> > > #include <stdlib.h>
> > >
> > > int main(void) {
> > > 	system("id");
> > > 	return 0;
> > > }
> >
> > did you realize that the program above is a straight path to a root
> > shell for any user who can execute it?  (exercise left for the
> > readers)
>
> Thank you for your note.  I've been seeing "exercise left for the
> readers" in messages lately.  Two things that come to my mind are:
>
> 1) an absolute path is not used for the id command, so the user could
> run any program or symbolic link named id.

1 point ;)

> 2) /usr/bin/id is dynamically linked to libc, so one could use
> LD_PRELOAD and a libc wrapper to execute arbitrary code.  I am not
> certain about this one.

LD_PRELOAD is disabled for suid binaries.

> What other straight paths exist in the above program?

for a single line program one is more than enough, i guess.


regards,

--
-- Lubomir Sedlacik <salo@{NetBSD,Xtrmntr,silcnet}.org>   --
