Re: nobody suid shell (kind of relationship with the ld-2.2.4 thread...)
From: Bill Weiss (houdini@nmt.edu)Date: 04/26/02
- Previous message: Jim Nanney: "Re: nobody suid shell (kind of relationship with the ld-2.2.4 thread...)"
- In reply to: Anibal Ambertin: "nobody suid shell (kind of relationship with the ld-2.2.4 thread...)"
- Next in thread: Florian Weimer: "Re: /lib/ld-2.2.4.so"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 26 Apr 2002 10:51:02 -0600 From: Bill Weiss <houdini@nmt.edu> To: vuln-dev@securityfocus.com
Anibal Ambertin(aambertin@securetty.com.ar)@Thu, Apr 25, 2002 at 01:02:52PM -0300:
>
> Hi you all.
> I've been playing with a linux system that we've for research and
> gained shell access. I placed at /tmp a nobody suid shell (tcsh) with
> permissions like "4777" (remember, just research :)). Well, thing is
> when I try to execute it it says "Permission Denied", that's pretty strange
> 'cause as you can see, I do have execution access.
> I really can't see why...
> When this happened I thought in the ld-x.x.x behavior and tried it...
> well, actually it worked right, but It DID NOT SUID ME!. If someone
> has a tip or idea I'll take it :).
>
> Thank you all.
Ok, two-parter:
1)
/tmp is probably mounted noexec, possibly nosuid. Put the root shell somewhere else.
2)
As the discussion came out, that's the desired thing for ld to do. It's executing
the contents of the file, not the file itself. Since the SUID bit is on the file,
it doesn't happen.
-- Bill Weiss
- Previous message: Jim Nanney: "Re: nobody suid shell (kind of relationship with the ld-2.2.4 thread...)"
- In reply to: Anibal Ambertin: "nobody suid shell (kind of relationship with the ld-2.2.4 thread...)"
- Next in thread: Florian Weimer: "Re: /lib/ld-2.2.4.so"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
