LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   Questions regarding invoking bash (https://www.linuxquestions.org/questions/linux-newbie-8/questions-regarding-invoking-bash-4175556541/)

glenjoker 10-19-2015 01:08 AM

Questions regarding invoking bash
 
Hi guys, I have a few questions regarding invoking bash. Hope that you can help me out.

1. I logged in as root, copied /bin/bash to the home directory of one of my normal users, say 'glen', and changed the permission of this bash copy to '4755'. (I know this is not wise, and I was doing this just for testing purposes.) Then, I switched to my 'glen' account and ran this bash copy in my home directory, so I thought that I would invoke a bash under root privilege with a pound sign as prompt; however, the new prompt I got was 'bash-4.3$' and no root privilege at all (I tested it by accessing some restricted files). In contrast, if I copied '/bin/sh' instead of '/bin/bash' and repeated what I did, then I would indeed run the sh shell under root privilege with the prompt appearing as '#'. WHY?

2. I created a shell script named 'ls', edited its content as follows:
Code:

/bin/bash
, and changed the permission of this file from '664' (default value) to '775'. After that, I added my working directory at the beginning of $PATH and exported $PATH. What happened next was that from that point on, whenever I called '/bin/bash' or 'ls' (which is equivalent to calling '/bin/bash'), the terminal would get stuck, as in it would output a blank line and nothing else, returning no prompt whatsoever. However, if I had named the shell script otherwise, such as 'testing' or 'pwd', this problem would not occur. WHY?

ondoho 10-19-2015 01:30 AM

^ it probably gets stuck in a loop or something.

the real question here is:

why on earth would you want to do something like that?

it's like deliberately scratching my hard disk, then starting forum threads inquiring why my hard disk isn't working anymore (exact sector numbers please).

glenjoker 10-19-2015 02:05 AM

Quote:

Originally Posted by ondoho (Post 5436689)
^ it probably gets stuck in a loop or something.

the real question here is:

why on earth would you want to do something like that?

it's like deliberately scratching my hard disk, then starting forum threads inquiring why my hard disk isn't working anymore (exact sector numbers please).

Thanks for replying. To answer your question, I am doing this because I am learning some basics about security, and am instructed to exploit the security flaw in this program:
Code:

#include <stdlib.h>   /* system() */

int main()
{
    /* 'ls' is looked up through the caller's PATH by /bin/sh -c */
    system("ls");
    return 0;
}

If it was, as you said, stuck in an infinite loop, what loop would that be?

chrism01 10-19-2015 02:05 AM

1. Please add the distro (& version) you are using to your profile, as this can help us to help you :)

2. I can reproduce the first thing: chmod 4755 (local version of) bash. The reason you don't get a root prompt is because you did that as glen, not as root.
Contrary to urban legend, the suid bit makes a program run as the file 'owner', not root, unless root owns it already. :)

3. The 'sh' one is odd. On my Centos 6.7 sh is just a symlink to bash anyway, but even for the real sh (posix shell), you shouldn't get a root prompt unless the ownership was root; please do an 'ls -l' and check that.

4. I don't get any probs with the 'ls' script; it just creates another shell level.
Try checking
Code:

echo $SHLVL
during these experiments.

Also, make sure you clean up between each experiment, or it will become impossible to debug ;)

HTH

berndbausch 10-19-2015 02:07 AM

Quote:

Originally Posted by glenjoker (Post 5436680)

2. I created a shell script named 'ls', edited its content as follows:
Code:

/bin/bash
, and changed the permission of this file from '664' (default value) to '775'. After that, I added my working directory at the beginning of $PATH and exported $PATH. What happened next was that from that point on, whenever I called '/bin/bash' or 'ls' (which is equivalent to calling '/bin/bash'), the terminal would get stuck, as in it would output a blank line and nothing else, returning no prompt whatsoever. However, if I had named the shell script otherwise, such as 'testing' or 'pwd', this problem would not occur. WHY?

I'd say something in one of the many profiles and bashrc files that are executed when a shell starts up calls ls, which runs the shell, which calls ls, which runs the shell etc. Just guessing though.

glenjoker 10-19-2015 02:29 AM

Quote:

Originally Posted by chrism01 (Post 5436700)
1. Please add the distro (& version) you are using to your profile, as this can help us to help you :)

2. I can reproduce the first thing: chmod 4755 (local version of) bash. The reason you don't get a root prompt is because you did that as glen, not as root.
Contrary to urban legend, the suid bit makes a program run as the file 'owner', not root, unless root owns it already. :)

3. The 'sh' one is odd. On my Centos 6.7 sh is just a symlink to bash anyway, but even for the real sh (posix shell), you shouldn't get a root prompt unless the ownership was root; please do an 'ls -l' and check that.

4. I don't get any probs with the 'ls' script; it just creates another shell level.
Try checking
Code:

echo $SHLVL
during these experiments.

Also, make sure you clean up between each experiment, or it will become impossible to debug ;)

HTH

Thanks for replying.

1. Sure, added, and thanks for the heads-up, I didn't realize. The distribution I am using is Ubuntu 14.04.

2. I copied '/bin/bash' to glen's home directory when I logged in as root, so the bash copy was indeed owned by root (I double-checked using 'ls -l'), and its setuid bit was turned on. Given the points above, if it behaved normally, I should get the root prompt, but somehow I did not.

3. '/bin/sh' was copied using root account as well, so it shouldn't be a surprise to have the root prompt here?

4. Did you change the $PATH variable after creating the 'ls' shell script as I did?
Code:

export PATH=~:$PATH
Or this is something particular to my distribution?

chrism01 10-19-2015 02:58 AM

Actually, I tried both the current dir, i.e. '.'
Code:

$ PATH=.:$PATH
$ ls
$ ./ls
$ /bin/bash
$ exit

and '~:$PATH'. Both had the same effect.

It may be something to do with the $PROMPT_COMMAND not being exported in your env, as it is exported in mine.

Also, Ubuntu uses dash as the target of the 'sh' link.

glenjoker 10-19-2015 05:18 AM

Quote:

Originally Posted by chrism01 (Post 5436717)
Actually, I tried both the current dir, i.e. '.'
Code:

$ PATH=.:$PATH
$ ls
$ ./ls
$ /bin/bash
$ exit

and '~:$PATH'. Both had the same effect.

It may be something to do with the $PROMPT_COMMAND not being exported in your env, as it is exported in mine.

Also, Ubuntu uses dash as the target of the 'sh' link.

And why was I not able to get the pound sign when I ran the '/bin/bash' copy which was created by root with its setuid bit turned on?

pan64 10-19-2015 06:29 AM

~/ls is a script in your case; there is no way to use the setuid bit on a script. It has no meaning.
You can try strace -f -o /tmp/logfile <your command> to check what's happening (and you will see what was really executed).

glenjoker 10-19-2015 07:00 AM

@berndbausch: I think you are right. It indeed appears that doing so would get my shell stuck in some sort of loop. If I press 'CTRL-C' soon after I call 'bash', and after that keep pressing 'CTRL-D', it will keep exiting from sub-shells. It will take some time to exit from a certain number of sub-shells to reach the outermost shell (the shell I started from), and the number of sub-shells being exited from seems to be proportional to the length of the time interval between when I called 'bash' and when I pressed 'CTRL-C'.

Quote:

Originally Posted by pan64 (Post 5436770)
~/ls is a script in your case; there is no way to use the setuid bit on a script. It has no meaning.
You can try strace -f -o /tmp/logfile <your command> to check what's happening (and you will see what was really executed).

I was not trying to run the shell script 'ls' as a setuid program, but rather trying to run some other compiled setuid program which would call 'ls' to invoke a bash under root privilege, but it did not work, nor did it work when I called a bash copy owned by root with its setuid bit on. It would invoke a sub-shell though, and the prompt sign changed from '$' to 'bash-4.3$', but why was it not the pound sign as the prompt?

pan64 10-19-2015 07:22 AM

I think bash simply ignores the setuid flag (refuses to change user id). But I need to check the source code to be sure.
http://unix.stackexchange.com/questi...effect-on-bash
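
The following C program is an added illustration and is not code from this thread or from any of the posters (all helper names in it are invented, and it assumes a Linux/glibc build). It serves two passages: the system("ls") program posted earlier, and the conclusion just reached that bash refuses to keep a setuid privilege. It models the start-up rule bash applies (if the effective uid differs from the real uid and the shell was not started with -p, bash sets its euid back to the real uid, which is why the copy came up as 'bash-4.3$' without root; sh/dash make no such check), flags the PATH condition that system("ls") depends on (relative, empty or home-directory entries), and shows the hardened way for a privileged program to run a helper: drop the elevated uid first, then execve an absolute path with an explicit environment, so neither PATH nor shell start-up files (the source of the ls -> bash -> ls loop discussed above) take part.

```c
/* Added example, not code from the thread. Helper names are invented;
 * assumes Linux/glibc. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Model of bash's start-up policy (shell.c): when euid != uid and the shell
 * was not started with -p (privileged_mode), bash continues as the real
 * uid. sh/dash (is_bash == 0) keep running as the file owner's euid. */
uid_t shell_uid_after_start(uid_t uid, uid_t euid, int privileged_mode, int is_bash)
{
    if (is_bash && !privileged_mode && uid != euid)
        return uid;   /* bash gives the setuid privilege up */
    return euid;      /* sh/dash (or bash -p) stay at the elevated uid */
}

/* system("ls") runs "/bin/sh -c ls", so 'ls' is resolved through the
 * caller's PATH. Return 1 if PATH has an entry the caller can control:
 * empty (meaning the current directory), relative, or under /home or /tmp. */
int path_has_untrusted_entry(const char *path)
{
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || p[0] != '/')
            return 1;
        if ((len >= 6 && strncmp(p, "/home/", 6) == 0) ||
            (len >= 4 && strncmp(p, "/tmp", 4) == 0))
            return 1;
        if (end == NULL)
            return 0;
        p = end + 1;
    }
}

/* What a setuid program should do before running any helper it does not
 * fully control: give the elevated uid up for good. setuid() called with
 * euid 0 sets real, effective and saved uid on Linux. 0 on success. */
int drop_elevated_privileges(void)
{
    uid_t uid = getuid();
    if (setuid(uid) != 0)
        return -1;
    return (geteuid() == uid) ? 0 : -1;
}

/* Hardened replacement for system("ls"): no shell in between, absolute
 * program path, and a minimal explicit environment instead of the inherited
 * one. Returns the child's exit status, or -1 on error. */
int run_ls_hardened(const char *dir)
{
    char *const argv[] = { "ls", (char *)dir, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/ls", argv, envp);
        _exit(127);   /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("setuid-root bash, no -p: continues as uid %u\n",
           (unsigned)shell_uid_after_start(1000, 0, 0, 1));
    printf("setuid-root sh: continues as uid %u\n",
           (unsigned)shell_uid_after_start(1000, 0, 0, 0));
    printf("PATH=/home/glen:/usr/bin has an untrusted entry? %d\n",
           path_has_untrusted_entry("/home/glen:/usr/bin"));
    if (drop_elevated_privileges() != 0)
        return 1;
    return run_ls_hardened("/");
}
```

The thread also found that a setuid tcsh copy does not yield a root prompt, so the is_bash flag really stands for "a shell that drops setuid privileges"; only sh/dash were observed to keep them.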

glenjoker 10-19-2015 07:37 AM

Quote:

Originally Posted by pan64 (Post 5436793)
I think bash simply ignores the setuid flag (refuses to change user id). But I need to check the source code to be sure.
http://unix.stackexchange.com/questi...effect-on-bash

I see. I just experimented with 'tcsh' and it did not work either. It seems that I can only start a shell under root privilege in this manner with 'sh'. Thanks for the clarification. It really helped.

And profuse thanks to everyone who helped me in this thread!

pan64 10-19-2015 07:41 AM

dash works too.
(if you really want to say thanks just click on yes)

glenjoker 10-19-2015 07:47 AM

Quote:

Originally Posted by pan64 (Post 5436802)
dash works too.
(if you really want to say thanks just click on yes)

Yep, dash works too. If you don't mind me asking, what is the yes button for? (I mean except for the obvious reason right beside it, saying that I think this reply helped me)

pan64 10-19-2015 07:54 AM

that is the main purpose, just saying thanks. Actually you can find reputation on the left side which is more or less the number of clicks (thanks) you got. You can check the rules and reputation system of this forum if you need detailed information.
