From owner-freebsd-hackers  Mon Sep 21 02:46:15 1998
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id CAA07663
          for freebsd-hackers-outgoing; Mon, 21 Sep 1998 02:46:15 -0700 (PDT)
          (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from relay.nuxi.com (nuxi.cs.ucdavis.edu [128.120.56.38])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA07589
          for <hackers@FreeBSD.ORG>; Mon, 21 Sep 1998 02:46:09 -0700 (PDT)
          (envelope-from obrien@NUXI.com)
Received: (from obrien@localhost) by relay.nuxi.com (8.8.8/8.6.12) id CAA01682; Mon, 21 Sep 1998 02:45:37 -0700 (PDT)
Message-ID: <19980921024537.A1493@nuxi.com>
Date: Mon, 21 Sep 1998 02:45:37 -0700
From: "David O'Brien" <obrien@NUXI.com>
To: Jake Hamby <jehamby@lightside.com>, hackers@FreeBSD.ORG
Subject: Re: disallow setuid root shells?
Reply-To: obrien@NUXI.com
References: <199702240549.VAA01306@lightside.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <199702240549.VAA01306@lightside.com>; from Jake Hamby on Sun, Feb 23, 1997 at 09:49:08PM -0800
X-Operating-System: FreeBSD 2.2.7-STABLE
Organization: The NUXI BSD group
X-PGP-Fingerprint: B7 4D 3E E9 11 39 5F A3  90 76 5D 69 58 D9 98 7A
X-Pgp-Keyid: 34F9F9D5
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> access.  Under Solaris, I've discovered that none of the standard shells 
> will allow a user to gain root privileges through a setuid root shell!
> The sh and ksh shells will run, but the user will have their normal 

You didn't try very hard:

    sol26:> ll
    total 856
    -r-sr-xr-x   1 root     bin       158372 Jul 15  1997 csh*
    -r-sr-xr-x   1 root     bin       186356 Jul 15  1997 ksh*
    -r-sr-xr-x   1 root     root       88620 Jul 15  1997 sh*

    sol26:> ./ksh
    # id
    uid=1765(obrien) gid=10(staff) euid=0(root)
    # exit
    sol26:> ./sh
    $ id
    uid=1765(obrien) gid=10(staff)
    $ exit
    sol26:> muztag:/tmp/.z> ./sh -p
    # id
    uid=1765(obrien) gid=10(staff) euid=0(root)
    # exit

/bin/ksh is pretty standard on sysV-based systems.
For sh RTFM.

     -p        If the -p flag is present, the shell will not  set
               the  effective user and group IDs to the real user
               and group IDs.


-- 
-- David    (obrien@NUXI.ucdavis.edu  -or-  obrien@FreeBSD.org)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message