Re: nobody suid shell (kind of relationship with the ld-2.2.4 thread...)

From: Bill Weiss (houdiniat_private)
Date: Fri Apr 26 2002 - 09:51:02 PDT


    Anibal Ambertin(aambertinat_private)@Thu, Apr 25, 2002 at 01:02:52PM -0300:
    > 
    >     Hi you all.
    >     I've been playing with a Linux system that we have for research and
    > gained shell access. I placed at /tmp a nobody suid shell (tcsh) with
    > permissions like "4777" (remember, just research :)). Well, the thing is,
    > when I try to execute it, it says "Permission Denied"; that's pretty strange
    > 'cause as you can see, I do have execution access.
    >     I really can't see why...
    >     When this happened I thought of the ld-x.x.x behavior and tried it...
    > well, actually it worked right, but it DID NOT SUID ME! If someone
    > has a tip or idea I'll take it :).
    > 
    > Thank you all.
    
    Ok, two-parter:
    
    1) /tmp is probably mounted noexec, possibly nosuid.  Put the root shell somewhere else.
    2) As the discussion came out, that's the desired thing for ld to do.  It's executing
       the contents of the file, not the file itself.  Since the SUID bit is on the file,
       it doesn't happen.
    
    -- 
    Bill Weiss
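
A defender's view of point 1, as an added example that is not part of the original post: on a filesystem mounted `noexec`, executing a file fails with "Permission denied" whatever its mode, and on one mounted `nosuid` the kernel ignores the set-user-ID bit. The sketch below reads a mount table in `/proc/mounts` format and reports which hardening flags are missing for world-writable directories; the function names and the sample table are constructed for illustration.

```python
import re

HARDENING_FLAGS = ("noexec", "nosuid", "nodev")
WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed sample in /proc/mounts format (not from the original post).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /mnt/my\\040data ext4 rw,nosuid 0 0
"""

def unescape(field):
    # The kernel writes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    """Return [(mountpoint, {options})] in table order."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            mounts.append((unescape(parts[1]), set(parts[3].split(","))))
    return mounts

def covering_mount(path, mounts):
    """Pick the mount that holds `path`: longest mountpoint prefix wins,
    and a later entry shadows an earlier one on the same mountpoint."""
    best = None
    for mountpoint, opts in mounts:
        prefix = mountpoint.rstrip("/") + "/"
        if (path.rstrip("/") + "/").startswith(prefix):
            if best is None or len(mountpoint) >= len(best[0]):
                best = (mountpoint, opts)
    return best

def missing_flags(path, mounts):
    """Hardening flags absent from the filesystem holding `path`."""
    mount = covering_mount(path, mounts)
    opts = mount[1] if mount else set()
    return [f for f in HARDENING_FLAGS if f not in opts]

if __name__ == "__main__":
    try:
        text = open("/proc/mounts").read()
    except OSError:
        text = SAMPLE_MOUNTS  # fall back to the constructed sample
    mounts = parse_mounts(text)
    for path in WORLD_WRITABLE:
        print(path, "missing:", ",".join(missing_flags(path, mounts)) or "none")
```

In the constructed table `/var/tmp` has no mount of its own, so it inherits the options of `/` and is reported as missing all three flags.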
    



    This archive was generated by hypermail 2b30 : Fri Apr 26 2002 - 12:04:36 PDT