From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-0.7 required=5.0 tests=FROM_EXCESS_BASE64, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from minnie.tuhs.org (minnie.tuhs.org [45.79.103.53]) by inbox.vuxu.org (OpenSMTPD) with ESMTP id 7aa7a6dc for ; Sun, 4 Aug 2019 16:38:05 +0000 (UTC) Received: by minnie.tuhs.org (Postfix, from userid 112) id BA1D09BA80; Mon, 5 Aug 2019 02:38:03 +1000 (AEST) Received: from minnie.tuhs.org (localhost [127.0.0.1]) by minnie.tuhs.org (Postfix) with ESMTP id 21BF79B84E; Mon, 5 Aug 2019 02:37:46 +1000 (AEST) Received: by minnie.tuhs.org (Postfix, from userid 112) id 74E9C9B84E; Mon, 5 Aug 2019 02:37:44 +1000 (AEST) X-Greylist: delayed 458 seconds by postgrey-1.36 at minnie.tuhs.org; Mon, 05 Aug 2019 02:37:43 AEST Received: from ste-pvt-msa1.bahnhof.se (ste-pvt-msa1.bahnhof.se [213.80.101.70]) by minnie.tuhs.org (Postfix) with ESMTPS id 9E25C948F2 for ; Mon, 5 Aug 2019 02:37:43 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by ste-pvt-msa1.bahnhof.se (Postfix) with ESMTP id 65A953F69D for ; Sun, 4 Aug 2019 18:30:03 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at bahnhof.se Received: from ste-pvt-msa1.bahnhof.se ([127.0.0.1]) by localhost (ste-pvt-msa1.bahnhof.se [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xrY4EpuTVbB0 for ; Sun, 4 Aug 2019 18:30:02 +0200 (CEST) Received: from h-178-80.A328.priv.bahnhof.se (h-178-80.A328.priv.bahnhof.se [98.128.178.80]) (Authenticated sender: mc179410) by ste-pvt-msa1.bahnhof.se (Postfix) with ESMTPA id 67F183F462 for ; Sun, 4 Aug 2019 18:30:02 +0200 (CEST) Received: from h-178-80.A328.priv.bahnhof.se (localhost [127.0.0.1]) by h-178-80.A328.priv.bahnhof.se (Postfix) with ESMTPS id 818252E02C1 for ; Sun, 4 Aug 2019 18:30:01 +0200 (CEST) Date: Sun, 4 Aug 2019 16:30:00 +0000 From: Michael =?utf-8?B?S2rDtnJsaW5n?= To: tuhs@tuhs.org Message-ID: <20190804163000.GB19836@h-178-80.A328.priv.bahnhof.se> References: <20190804155854.C22CA18C096@mercury.lcs.mit.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20190804155854.C22CA18C096@mercury.lcs.mit.edu> Subject: Re: [TUHS] Set-uid shell scripts X-BeenThere: tuhs@minnie.tuhs.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: The Unix Heritage Society mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: tuhs-bounces@minnie.tuhs.org Sender: "TUHS" On 4 Aug 2019 11:58 -0400, from jnc@mercury.lcs.mit.edu (Noel Chiappa): >> until someone realised that you could do: >> ln -s /bin/scriptname ./-i >> "-i" # assuming that "." is already in your path >> ...and get a root shell. > > I'm clearly not very awake this morning, because I don't understand how this > works. Can you break it down a little? Thanks! I'm guessing a little here, but could it be related to poor command line argument parsing in some shell, where "-i" forces the shell to start in interactive mode and the shell looks for parameters _anywhere_ in its argv[] (including argv[0]), not just at argv[1] and later? That would match the result described by Alec, and my modern dash's man page does give that meaning for "-i", but it also feels like a trivial bug to fix in the shell without prohibiting setuid scripts... -- Michael Kjörling • https://michael.kjorling.se • michael@kjorling.se “The most dangerous thought that you can have as a creative person is to think you know what you’re doing.” (Bret Victor)