SUID /bin/bash and subshells not running as root


xxxxx

Nov 28, 2020, 2:14:19 PM
to pwn-college-users

I don't understand this situation:

ctf@babysuid_instance_7:/$ ls -alh /bin/bash
-rwsr-xr-x 1 root root 1.1M Jun  6  2019 /bin/bash
ctf@babysuid_instance_7:/$ /bin/bash -c 'id'
uid=1000(ctf) gid=1000(ctf) groups=1000(ctf)

Shouldn't `bash` be running with EUID 0?

Another question I have pertains to subshells.

If I set `/bin/less` to have SUID and then read some large file with it (e.g. /etc/passwd), I can activate a shell using the command `:!sh`. This shell, however, is not running as root as I would expect. It is UID 1000(ctf). My hypothesis here is that `less` is starting a subshell and this subshell does not carry over the EUID. Is this the case?

Connor Nelson

Nov 28, 2020, 3:27:35 PM
to xxxxx, pwn-college-users
Hello,

Bash will drop its permissions if it detects it is running setuid. See https://github.com/bminor/bash/blob/master/shell.c#L500. This is a security mitigation.

Fortunately, there is a flag which will prevent bash from doing this. See https://github.com/bminor/bash/blob/master/CHANGES#L1723

Good luck!
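
The kind of startup check the reply above describes, as an added C sketch that is not part of the thread and is not bash's own code: the program compares its real and effective IDs and, if they differ, permanently resets the effective IDs to those of the invoking user. The function names `running_setid` and `drop_setid_privileges` are hypothetical, and Linux semantics for `setreuid`/`setregid` are assumed.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: 1 when the effective IDs differ from the real IDs,
 * which is what a process looks like after exec of a setuid/setgid file. */
int running_setid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Hypothetical helper: reset effective (and saved) IDs to the real IDs.
 * Returns 1 if privileges were dropped, 0 if there was nothing to drop,
 * -1 if the drop failed or turned out to be reversible. */
int drop_setid_privileges(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid();

    if (!running_setid())
        return 0;
    /* Group first: once the UID is dropped we may lack permission. */
    if (setregid(rgid, rgid) != 0)
        return -1;
    /* Setting the real UID too makes Linux overwrite the saved set-user-ID. */
    if (setreuid(ruid, ruid) != 0)
        return -1;
    /* A correct drop cannot be undone (a real-root caller is exempt). */
    if (ruid != 0 && old_euid != ruid && seteuid(old_euid) == 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 1;
}

int main(void)
{
    printf("before: uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    int rc = drop_setid_privileges();
    if (rc < 0) {
        fprintf(stderr, "privilege drop failed\n");
        return EXIT_FAILURE;
    }
    printf("after (%s): uid=%d euid=%d\n", rc ? "dropped" : "not setuid",
           (int)getuid(), (int)geteuid());
    return EXIT_SUCCESS;
}
```

A process that runs this check reports the invoking user's IDs afterwards, which matches the `id` output in the question.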

