From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from minnie.tuhs.org (minnie.tuhs.org [45.79.103.53]) by inbox.vuxu.org (OpenSMTPD) with ESMTP id 6dfb3794 for ; Sun, 4 Aug 2019 16:51:07 +0000 (UTC) Received: by minnie.tuhs.org (Postfix, from userid 112) id 730DF9BAD8; Mon, 5 Aug 2019 02:51:06 +1000 (AEST) Received: from minnie.tuhs.org (localhost [127.0.0.1]) by minnie.tuhs.org (Postfix) with ESMTP id B7CEF9B84E; Mon, 5 Aug 2019 02:50:46 +1000 (AEST) Authentication-Results: minnie.tuhs.org; dkim=pass (1024-bit key; unprotected) header.d=servium.ch header.i=@servium.ch header.b="oMwsTPDP"; dkim-atps=neutral Received: by minnie.tuhs.org (Postfix, from userid 112) id 4FAC59B84E; Mon, 5 Aug 2019 02:50:45 +1000 (AEST) Received: from mail-ua1-f46.google.com (mail-ua1-f46.google.com [209.85.222.46]) by minnie.tuhs.org (Postfix) with ESMTPS id 69C11948F2 for ; Mon, 5 Aug 2019 02:50:44 +1000 (AEST) Received: by mail-ua1-f46.google.com with SMTP id j21so31454741uap.2 for ; Sun, 04 Aug 2019 09:50:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=servium.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=88pJb24k5MUhOCC4MSHekdAaD0FTMHbUa6US7E7SoHo=; b=oMwsTPDP731Zkdu5JRuwWF7PxLgaWCCysqn1m0eqCo+4uEw7fhyQVETdWgIs0oJSLf 0S0jyjZUrsXeewtUPU8UJe/JFkoERj7ASWAO3Shq/0fMZPHxvYH09o8MS+Ot5QnZdX2k s0DKBC74XazC0GyfYjf8a31LMHsbaIRO3FRf4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=88pJb24k5MUhOCC4MSHekdAaD0FTMHbUa6US7E7SoHo=; b=Urg4mSyjL0UnKQ7Ny/s6udb+bwrNikkSMI9Z/rgb1LX79SrZSYpiQfsTVCPym8aUUI J3j5cKFtoWyw3vRlqoXXv+oOr5snm7RagRhEJf1oDjWgwxWtyEadqrVVLpZvgYMB27bR G2Jo7UjzRcRyMTou5JssGA51qxzyAyyTq4dRiceE+bNpTDlB4OJJKhtoSqOu3tz9B95l 9vNNYlHMSH4brl6nvVWGeFqYipHu9qJorNCHWqhsAyzUAo3ueOpVPb1hzgltvddjllkw POYOhtmdKzhSF+LiH5i3yPPhLq8C11cmJDZxq/obMwm7X0opsjOEVb034XLZU6mnLdPf sq0g== X-Gm-Message-State: APjAAAXzrd1zsaVumZ4CUW7ZID5wrojsJu3wZOt+rW1pDijQU87XsQCD G5tOLYtzFGyrk4EPxnsexnjxh2bEc6AXdFBJp96MfqKy X-Google-Smtp-Source: APXvYqw0y7iR6douXE5APXjURr5pNsJkAiv21sZqLBqwMPcyDNwr0jEat4dXFqPG4aJ+tlN5AS/sZ886Qet6iYVS8n8= X-Received: by 2002:ab0:5928:: with SMTP id n37mr71006462uad.24.1564937442813; Sun, 04 Aug 2019 09:50:42 -0700 (PDT) MIME-Version: 1.0 References: <20190804155854.C22CA18C096@mercury.lcs.mit.edu> In-Reply-To: <20190804155854.C22CA18C096@mercury.lcs.mit.edu> From: Rico Pajarola Date: Sun, 4 Aug 2019 09:50:32 -0700 Message-ID: To: Noel Chiappa Content-Type: multipart/alternative; boundary="00000000000060017d058f4d6423" Subject: Re: [TUHS] Set-uid shell scripts X-BeenThere: tuhs@minnie.tuhs.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: The Unix Heritage Society mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: The Eunuchs Hysterical Society Errors-To: tuhs-bounces@minnie.tuhs.org Sender: "TUHS" --00000000000060017d058f4d6423 Content-Type: text/plain; charset="UTF-8" when running a shell script, what's actually executed is the first line of the script (after #!) + the name of the script. If your script is named "-i", and in your path, just enter "-i", and /bin/sh -i is executed which gives you an interactive shell. There are probably half a dozen other ways to trick the shell into executing arbitrary code that is not contained in the script (more if the script actually does anything non-trivial, like e.g. an installer of some sort). So instead of trying to fix them all (and most likely missing a few), everybody just agreed that it was a terrible idea and removed the feature. On Sun, Aug 4, 2019 at 9:00 AM Noel Chiappa wrote: > > From: Alec Muffett > > > until someone realised that you could do: > > ln -s /bin/scriptname ./-i > > "-i" # assuming that "." is already in your path > > ...and get a root shell. > > I'm clearly not very awake this morning, because I don't understand how > this > works. Can you break it down a little? Thanks! > > Noel > > --00000000000060017d058f4d6423 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
when running a shell script, what's actually executed = is the first line of the script (after #!) + the name of the script.
If your script is named "-i", and in your path, just= enter "-i", and /bin/sh -i is executed which gives you an intera= ctive shell.

There are probably half a dozen other= ways to trick the shell into executing arbitrary code that is not containe= d in the script (more if the script actually does anything non-trivial, lik= e e.g. an installer of some sort). So instead of trying to fix them all (an= d most likely missing a few), everybody just agreed that it was a terrible = idea and removed the feature.


On Sun, Aug 4, 2019 at 9:= 00 AM Noel Chiappa <jnc@mercu= ry.lcs.mit.edu> wrote:
=C2=A0 =C2=A0 > From: Alec Muffett

=C2=A0 =C2=A0 > until someone realised that you could do:
=C2=A0 =C2=A0 >=C2=A0 ln -s /bin/scriptname ./-i
=C2=A0 =C2=A0 >=C2=A0 "-i" # assuming that "." is al= ready in your path
=C2=A0 =C2=A0 > ...and get a root shell.

I'm clearly not very awake this morning, because I don't understand= how this
works. Can you break it down a little? Thanks!

=C2=A0 =C2=A0 =C2=A0 =C2=A0Noel

--00000000000060017d058f4d6423--