From mboxrd@z Thu Jan  1 00:00:00 1970
Message-ID: <6d112b639dc2e59034939daf3e6d09c3@csplan9.rit.edu>
To: 9fans@cse.psu.edu
Subject: Re: [9fans] a challenge
Date: Fri, 22 Feb 2008 12:59:28 -0500
From: john@csplan9.rit.edu
In-Reply-To: <13426df10802220953q3af4a1aarf93acaaebfedc9b@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Topicbox-Message-UUID: 5ee585dc-ead3-11e9-9d60-3106f5b1d025

> here is a challenge. I realize it's linux but I think this is the
> right group to ask anyway; I think you'll appreciate the humor in it.
> So far few I have talked to have gotten it.
>
> There is a file, called /bin/bash.
>
> You are allowed to do this as root.
> cp this file to /tmp. Do something to it to make it so that, when you
> are not root, you can run the file in /tmp and get a root shell.
>
> Don't assume the obvious. And please don't post "that's trivial" until
> you have actually done it.
>
> ron

On Debian, all you have to do is this as root:
cp /bin/bash /tmp/sh
chmod u+s /tmp/sh

Then you can run /tmp/sh as any user and get euid root. It seems that
you can ONLY do this if you rename bash to sh.


John