Date:      Mon, 21 Sep 1998 02:45:37 -0700
From:      "David O'Brien" <obrien@NUXI.com>
To:        Jake Hamby <jehamby@lightside.com>, hackers@FreeBSD.ORG
Subject:   Re: disallow setuid root shells?
Message-ID:  <19980921024537.A1493@nuxi.com>
In-Reply-To: <199702240549.VAA01306@lightside.com>; from Jake Hamby on Sun, Feb 23, 1997 at 09:49:08PM -0800
References:  <199702240549.VAA01306@lightside.com>

> access.  Under Solaris, I've discovered that none of the standard shells 
> will allow a user to gain root privileges through a setuid root shell!
> The sh and ksh shells will run, but the user will have their normal 

You didn't try very hard:

    sol26:> ll
    total 856
    -r-sr-xr-x   1 root     bin       158372 Jul 15  1997 csh*
    -r-sr-xr-x   1 root     bin       186356 Jul 15  1997 ksh*
    -r-sr-xr-x   1 root     root       88620 Jul 15  1997 sh*

    sol26:> ./ksh
    # id
    uid=1765(obrien) gid=10(staff) euid=0(root)
    # exit
    sol26:> ./sh
    $ id
    uid=1765(obrien) gid=10(staff)
    $ exit
    sol26:> muztag:/tmp/.z> ./sh -p
    # id
    uid=1765(obrien) gid=10(staff) euid=0(root)
    # exit

/bin/ksh is pretty standard on sysV-based systems.
For sh RTFM.

     -p        If the -p flag is present, the shell will not  set
               the  effective user and group IDs to the real user
               and group IDs.


-- 
-- David    (obrien@NUXI.ucdavis.edu  -or-  obrien@FreeBSD.org)
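The transcript above shows setuid copies of `ksh` and `sh -p` keeping euid 0. As an added example (not part of the original message), this audit function lists setuid or setgid files that are byte-for-byte copies of a known shell. The function names are hypothetical, and the shell list is assumed to be `/bin/sh` plus the entries in `/etc/shells`.

```shell
#!/bin/sh
# Added example: audit a directory tree for setuid/setgid copies of shells.
# Assumption: "known shells" are /bin/sh plus the paths listed in /etc/shells.

known_shells() {
    {
        echo /bin/sh
        if [ -r /etc/shells ]; then
            grep '^/' /etc/shells   # skip comments and blank lines
        fi
    } | sort -u
}

# find_setid_shells DIR
# For every regular file under DIR with the setuid or setgid bit set, compare
# its contents with each known shell and print one line per match:
#   uid=<owner uid> mode=<mode> <path> matches <shell>
# A renamed copy is still caught because the comparison is on content, not name.
# A shell built from different sources or a different version will not match.
find_setid_shells() {
    dir=$1
    shells=$(known_shells)          # shell paths are assumed to contain no spaces
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        for s in $shells; do
            [ -f "$s" ] || continue
            if cmp -s "$f" "$s"; then
                ls -ldn "$f" |
                    awk -v p="$f" -v s="$s" \
                        '{ print "uid=" $3, "mode=" $1, p, "matches", s }'
                break
            fi
        done
    done
}
```

A line with `uid=0` and an `s` in the owner-execute position is the case from the transcript: a root-owned setuid shell that any local user can start.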
