9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] a challenge
@ 2008-02-22 17:53 ron minnich
  2008-02-22 17:57 ` Pietro Gagliardi
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: ron minnich @ 2008-02-22 17:53 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

here is a challenge. I realize it's linux but I think this is the
right group to ask anyway; I think you'll appreciate the humor in it.
So far few I have talked to have gotten it.

There is a file, called /bin/bash.

You are allowed to do this as root.
cp this file to /tmp. Do something to it to make it so that, when you
are not root, you can run the file in /tmp and get a root shell.

Don't assume the obvious. And please don't post "that's trivial" until
you have actually done it.

ron



* Re: [9fans] a challenge
  2008-02-22 17:53 [9fans] a challenge ron minnich
@ 2008-02-22 17:57 ` Pietro Gagliardi
  2008-02-22 18:03   ` Pietro Gagliardi
  2008-02-22 17:59 ` john
  2008-02-22 18:23 ` andrey mirtchovski
  2 siblings, 1 reply; 8+ messages in thread
From: Pietro Gagliardi @ 2008-02-22 17:57 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

I don't have Linux, but I'll see if Mac OS X has that vulnerability.

On Feb 22, 2008, at 12:53 PM, ron minnich wrote:

> here is a challenge. I realize it's linux but I think this is the
> right group to ask anyway; I think you'll appreciate the humor in it.
> So far few I have talked to have gotten it.
>
> There is a file, called /bin/bash.
>
> You are allowed to do this as root.
> cp this file to /tmp. Do something to it to make it so that, when you
> are not root, you can run the file in /tmp and get a root shell.
>
> Don't assume the obvious. And please don't post "that's trivial" until
> you have actually done it.
>
> ron



* Re: [9fans] a challenge
  2008-02-22 17:53 [9fans] a challenge ron minnich
  2008-02-22 17:57 ` Pietro Gagliardi
@ 2008-02-22 17:59 ` john
  2008-02-22 18:23 ` andrey mirtchovski
  2 siblings, 0 replies; 8+ messages in thread
From: john @ 2008-02-22 17:59 UTC (permalink / raw)
  To: 9fans

> here is a challenge. I realize it's linux but I think this is the
> right group to ask anyway; I think you'll appreciate the humor in it.
> So far few I have talked to have gotten it.
>
> There is a file, called /bin/bash.
>
> You are allowed to do this as root.
> cp this file to /tmp. Do something to it to make it so that, when you
> are not root, you can run the file in /tmp and get a root shell.
>
> Don't assume the obvious. And please don't post "that's trivial" until
> you have actually done it.
>
> ron

On Debian, all you have to do is this as root:
cp /bin/bash /tmp/sh
chmod u+s /tmp/sh

Then you can run /tmp/sh as any user and get euid root. It seems that
you can ONLY do this if you rename bash to sh.


John



* Re: [9fans] a challenge
  2008-02-22 17:57 ` Pietro Gagliardi
@ 2008-02-22 18:03   ` Pietro Gagliardi
  0 siblings, 0 replies; 8+ messages in thread
From: Pietro Gagliardi @ 2008-02-22 18:03 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

Nope.

On Feb 22, 2008, at 12:57 PM, Pietro Gagliardi wrote:

> I don't have Linux, but I'll see if Mac OS X has that vulnerability.
>
> On Feb 22, 2008, at 12:53 PM, ron minnich wrote:
>
>> here is a challenge. I realize it's linux but I think this is the
>> right group to ask anyway; I think you'll appreciate the humor in it.
>> So far few I have talked to have gotten it.
>>
>> There is a file, called /bin/bash.
>>
>> You are allowed to do this as root.
>> cp this file to /tmp. Do something to it to make it so that, when you
>> are not root, you can run the file in /tmp and get a root shell.
>>
>> Don't assume the obvious. And please don't post "that's trivial"
>> until
>> you have actually done it.
>>
>> ron
>



* Re: [9fans] a challenge
  2008-02-22 17:53 [9fans] a challenge ron minnich
  2008-02-22 17:57 ` Pietro Gagliardi
  2008-02-22 17:59 ` john
@ 2008-02-22 18:23 ` andrey mirtchovski
  2008-02-22 18:33   ` ron minnich
  2 siblings, 1 reply; 8+ messages in thread
From: andrey mirtchovski @ 2008-02-22 18:23 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

well, i checked the source. turns out bash 3.2 drops privileges if uid
!= euid and requires the -p flag to allow itself to run in setuid
mode:

$ cp /bin/bash .
$ sudo chown root bash
$ sudo chmod 4755 bash
$ ./bash -p
# id
uid=500(andrey) gid=500(andrey) euid=0(root) groups=500(andrey)
# whoami
root
#

that doesn't make me like Plan 9 any less, you know :)

On Fri, Feb 22, 2008 at 10:53 AM, ron minnich <rminnich@gmail.com> wrote:
> here is a challenge. I realize it's linux but I think this is the
>  right group to ask anyway; I think you'll appreciate the humor in it.
>  So far few I have talked to have gotten it.
>
>  There is a file, called /bin/bash.
>
>  You are allowed to do this as root.
>  cp this file to /tmp. Do something to it to make it so that, when you
>  are not root, you can run the file in /tmp and get a root shell.
>
>  Don't assume the obvious. And please don't post "that's trivial" until
>  you have actually done it.
>
>  ron
>


^ permalink raw reply	[flat|nested] 8+ messages in thread
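
[Added example, not part of any poster's message.] The thread above ends up with a setuid-root copy of bash under /tmp, in one reply renamed to sh. From the administrator's side, the audit sketch below lists regular files that carry the setuid bit and whose bytes match a shell named in /etc/shells, so a rename does not hide the copy. The function names and the /tmp default are assumptions of this example.

```python
import hashlib
import os
import stat


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shells_from_etc(shells_file="/etc/shells"):
    """Return the shell paths listed in /etc/shells (comments and blanks skipped)."""
    try:
        with open(shells_file) as fh:
            lines = [line.strip() for line in fh]
    except OSError:
        return []
    return [entry for entry in lines if entry.startswith("/")]


def find_setuid_shell_copies(search_root, reference_shells):
    """List (path, owner_uid, matching_shell) for setuid copies of known shells."""
    known = {}
    for ref in reference_shells:
        try:
            known[sha256_of(ref)] = ref
        except OSError:
            continue  # listed shell is missing or unreadable
    hits = []
    for dirpath, _dirs, files in os.walk(search_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink is never treated as a hit
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                    continue
                match = known.get(sha256_of(path))
            except OSError:
                continue  # file vanished or is unreadable to this user
            if match:
                hits.append((path, st.st_uid, match))
    return sorted(hits)


if __name__ == "__main__":
    for path, uid, shell in find_setuid_shell_copies("/tmp", shells_from_etc()):
        print(f"setuid copy of {shell}: {path} (owner uid {uid})")
```

An owner uid of 0 in the output is the case the thread is about; the content match only catches byte-identical copies, so a recompiled or patched shell needs a different check.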

* Re: [9fans] a challenge
  2008-02-22 18:23 ` andrey mirtchovski
@ 2008-02-22 18:33   ` ron minnich
  2008-02-22 18:57     ` lucio
  2008-02-22 20:02     ` Charles Forsyth
  0 siblings, 2 replies; 8+ messages in thread
From: ron minnich @ 2008-02-22 18:33 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

On Fri, Feb 22, 2008 at 10:23 AM, andrey mirtchovski
<mirtchovski@gmail.com> wrote:
> well, i checked the source. turns out bash 3.2 drops privileges if uid
>  != euid and requires the -p flag to allow itself to run in setuid
>  mode:

I saw something even more bizarre last night on busy box: it looked
like some library and/or bash was looking for a file called
/etc/sudo_test or some such.

It's just amazing the kind of stuff that the gnu guys are wrapping
around the kernel to try and bail the boat out.

ron



* Re: [9fans] a challenge
  2008-02-22 18:33   ` ron minnich
@ 2008-02-22 18:57     ` lucio
  2008-02-22 20:02     ` Charles Forsyth
  1 sibling, 0 replies; 8+ messages in thread
From: lucio @ 2008-02-22 18:57 UTC (permalink / raw)
  To: 9fans

> It's just amazing the kind of stuff that the gnu guys are wrapping
> around the kernel to try and bail the boat out.

I guess when you're sinking you do whatever it takes.  Imagine what
it's like for Microsoft...

++L

PS: MS-DOS didn't have all this trouble, I sometimes wonder if all
this additional security isn't exactly the opposite of what's needed.
I feel the same about cars with electronics and air bags, which is
hardly surprising because there are incredible parallels between the
car industry and the computer industry.  But the issue of security is
terribly ambiguous.



* Re: [9fans] a challenge
  2008-02-22 18:33   ` ron minnich
  2008-02-22 18:57     ` lucio
@ 2008-02-22 20:02     ` Charles Forsyth
  1 sibling, 0 replies; 8+ messages in thread
From: Charles Forsyth @ 2008-02-22 20:02 UTC (permalink / raw)
  To: 9fans

> I saw something even more bizarre last night on busy box: it looked

the punctuation is wrong there, i think:
	> I saw something even more bizarre last night: busy box
and you could just stop there


