LinuxQuestions.org
Old 10-19-2015, 02:08 AM   #1
glenjoker
LQ Newbie
 
Registered: Sep 2015
Distribution: Ubuntu 14.04
Posts: 24

Rep: Reputation: Disabled
Questions regarding invoking bash


Hi guys, I have a few questions regarding invoking bash. Hope that you can help me out.

1. I logged in as root, copied /bin/bash to the home directory of one of my normal users, say 'glen', and changed the permission of this bash copy to '4755'. (I know this is not wise, and I was doing this just for testing purposes.) Then, I switched to my 'glen' account, and ran this bash copy in my home directory, so I thought that I would invoke a bash under root privilege with a pound sign as prompt; however, the new prompt I got was 'bash-4.3$' and no root privilege at all (I tested it by accessing some restricted files). In contrast, if I copied '/bin/sh' instead of '/bin/bash', and repeated what I did, then I would indeed run the sh shell under root privilege with the prompt appearing as '#'. WHY?

2. I created a shell script named 'ls', edited its content as follows:
Code:
/bin/bash
, and changed the permission of this file from '664' (default value) to '775'. After that, I added my working directory at the beginning of $PATH and exported $PATH. What happened next was that from that point on, whenever I called '/bin/bash' or 'ls' (which is equivalent to calling '/bin/bash'), the terminal would get stuck, as in it would output a blank line and nothing else, returning no prompt whatsoever. However, if I had named the shell script otherwise, such as 'testing' or 'pwd', this problem would not occur. WHY?
 
Old 10-19-2015, 02:30 AM   #2
ondoho
Senior Member
 
Registered: Dec 2013
Posts: 4,176

Rep: Reputation: 822
^ it probably gets stuck in a loop or something.

the real question here is:

why on earth would you want to do something like that?

it's like deliberately scratching my hard disk, then starting forum threads inquiring why my hard disk isn't working anymore (exact sector numbers please).
 
Old 10-19-2015, 03:05 AM   #3
glenjoker
LQ Newbie
 
Registered: Sep 2015
Distribution: Ubuntu 14.04
Posts: 24

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by ondoho View Post
^ it probably gets stuck in a loop or something.

the real question here is:

why on earth would you want to do something like that?

it's like deliberately scratching my hard disk, then starting forum threads inquiring why my hard disk isn't working anymore (exact sector numbers please).
Thanks for replying. To answer your question, I am doing this because I am learning some basics about security, and am instructed to exploit the security flaw in this program:
Code:
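#include <stdlib.h>   /* declares system() */

int main()
{
    /* "ls" has no path, so the shell started by system() resolves it via $PATH */
    system("ls");
    return 0;
}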
If it was, as you said, stuck in an infinite loop, what loop would that be?
 
Old 10-19-2015, 03:05 AM   #4
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,240

Rep: Reputation: 2324
1. Please add the distro (& version) you are using to your profile, as this can help us to help you.

2. I can reproduce the first thing : chmod 4755 (local version of) bash. The reason you don't get a root prompt is because you did that as glen, not as root.
Contrary to urban legend, the suid bit makes a program run as the file 'owner', not root, unless root owns it already.

3. the 'sh' one is odd. On my Centos 6.7 sh is just a symlink to bash anyway, but even for the real sh (posix shell), you shouldn't get a root prompt unless the ownership was root; please do an 'ls -l' and check that.

3. I don't get any probs with the 'ls' script; it just creates another shell level.
Try checking
Code:
echo $SHLVL
during these experiments.

Also, make sure you clean up between each experiment, or it will become impossible to debug

HTH
 
1 members found this post helpful.
Old 10-19-2015, 03:07 AM   #5
berndbausch
Senior Member
 
Registered: Nov 2013
Location: Tokyo
Distribution: Redhat/Centos, Ubuntu, Raspbian, Fedora
Posts: 1,687

Rep: Reputation: 353
Quote:
Originally Posted by glenjoker View Post

2. I created a shell script named 'ls', edited its content as follows:
Code:
/bin/bash
, and changed the permission of this file from '664' (default value) to '775'. After that, I added my working directory at the beginning of $PATH and exported $PATH. What happened next was that from that point on, whenever I called '/bin/bash' or 'ls' (which is equivalent to calling '/bin/bash'), the terminal would get stuck, as in it would output a blank line and nothing else, returning no prompt whatsoever. However, if I had named the shell script otherwise, such as 'testing' or 'pwd', this problem would not occur. WHY?
I'd say something in one of the many profiles and bashrc files that are executed when a shell starts up calls ls, which runs the shell, which calls ls, which runs the shell etc. Just guessing though.
 
1 members found this post helpful.
Old 10-19-2015, 03:29 AM   #6
glenjoker
LQ Newbie
 
Registered: Sep 2015
Distribution: Ubuntu 14.04
Posts: 24

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by chrism01 View Post
1. Please add the distro (& version) you are using to your profile, as this can help us to help you.

2. I can reproduce the first thing : chmod 4755 (local version of) bash. The reason you don't get a root prompt is because you did that as glen, not as root.
Contrary to urban legend, the suid bit makes a program run as the file 'owner', not root, unless root owns it already.

3. the 'sh' one is odd. On my Centos 6.7 sh is just a symlink to bash anyway, but even for the real sh (posix shell), you shouldn't get a root prompt unless the ownership was root; please do an 'ls -l' and check that.

3. I don't get any probs with the 'ls' script; it just creates another shell level.
Try checking
Code:
echo $SHLVL
during these experiments.

Also, make sure you clean up between each experiment, or it will become impossible to debug

HTH
Thanks for replying.

1. Sure, added, and thanks for the heads-up, I didn't realize. The distribution I am using is Ubuntu 14.04.

2. I copied '/bin/bash' to glen's home directory when I logged in as root, so the bash copy was indeed owned by root (I double-checked using 'ls -l'), and its setuid bit was turned on. Given the points above, if it behaved normally, I should get the root prompt, but somehow I did not.

3. '/bin/sh' was copied using root account as well, so it shouldn't be a surprise to have the root prompt here?

4. Did you change the $PATH variable after creating the 'ls' shell script as I did?
Code:
export PATH=~:$PATH
Or this is something particular to my distribution?
 
Old 10-19-2015, 03:58 AM   #7
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,240

Rep: Reputation: 2324
Actually, I tried both 'current dir ie '.'
Code:
$ PATH=.:$PATH
$ ls
$ ./ls
$ /bin/bash
$ exit
and '~:$PATH' . Both had the same effect.

It may be something to do with the $PROMPT_COMMAND not being exported in your env, as it is exported in mine.

Also, Ubuntu uses dash as the target of the 'sh' link .
 
Old 10-19-2015, 06:18 AM   #8
glenjoker
LQ Newbie
 
Registered: Sep 2015
Distribution: Ubuntu 14.04
Posts: 24

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by chrism01 View Post
Actually, I tried both 'current dir ie '.'
Code:
$ PATH=.:$PATH
$ ls
$ ./ls
$ /bin/bash
$ exit
and '~:$PATH' . Both had the same effect.

It may be something to do with the $PROMPT_COMMAND not being exported in your env, as it is exported in mine.

Also, Ubuntu uses dash as the target of the 'sh' link .
And why was I not able to get the pound sign when I ran the '/bin/bash' copy which was created by root with its setuid bit turned on?
 
Old 10-19-2015, 07:29 AM   #9
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 8,104

Rep: Reputation: 2267
~/ls is a script in your case, there is no way to use setuid bit on a script. It has no meaning.
you can try strace -f -o /tmp/logfile <your command> to check what's happening (and you will see what was really executed)
 
Old 10-19-2015, 08:00 AM   #10
glenjoker
LQ Newbie
 
Registered: Sep 2015
Distribution: Ubuntu 14.04
Posts: 24

Original Poster
Rep: Reputation: Disabled
$berndbausch: I think you are right. It indeed appears that doing so would get my shell stuck in some sort of loop. If I press 'CTRL-C' soon after I call 'bash', and after that keep pressing 'CTRL-D', it will keep exiting from sub-shells. It will take some time to exit from a certain number of sub-shells to reach the outermost shell (the shell I started from), and the number of sub-shells being exited from seems to be proportional to the length of the time interval between when I called 'bash' and when I pressed 'CTRL-C'.

Quote:
Originally Posted by pan64 View Post
~/ls is a script in your case, there is no way to use setuid bit on a script. It has no meaning.
you can try strace -f -o /tmp/logfile <your command> to check what's happening (and you will see what was really executed)
I was not trying to run the shell script 'ls' as a setuid program, but rather trying to run some other compiled setuid program which would call 'ls' to invoke a bash under root privilege, but it did not work, nor did it work when I call a bash copy owned by root with its setuid bit on. It would invoke a sub-shell though, and the prompt sign changed from '$' to 'bash-4.3$', but why was it not the pound sign as the prompt?

Last edited by glenjoker; 10-19-2015 at 08:02 AM.
 
Old 10-19-2015, 08:22 AM   #11
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 8,104

Rep: Reputation: 2267
I think bash simply ignores setuid flag (refuses to change user id). But need to check source code to be sure
http://unix.stackexchange.com/questi...effect-on-bash

Last edited by pan64; 10-19-2015 at 08:24 AM.
 
1 members found this post helpful.
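Added example, not part of any post in this thread: a hardened form of the `system("ls")` program from post #3, combined with the privilege drop discussed in post #11 (the bash manual documents that, when started with an effective user ID different from the real one and without `-p`, bash sets the effective ID to the real ID). The `/bin/ls` location, the fixed `PATH` value and the function names `drop_privileges` and `run_ls` are assumptions made for this sketch.

```c
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Give up set-uid/set-gid privileges for good. Returns 0 on success. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Group first: once the uid is dropped we may no longer be allowed to. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* The drop must be irreversible: regaining the old IDs has to fail. */
    if (old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    if (old_euid != ruid && seteuid(old_euid) == 0)
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Replacement for system("ls"): no shell, no $PATH lookup, fixed environment.
 * Returns the exit status of ls, or -1 if it could not be run. */
int run_ls(void)
{
    char *const argv[] = { "ls", NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL }; /* assumed safe default */
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(126);
        execve("/bin/ls", argv, envp); /* absolute path: $PATH is never consulted */
        _exit(127);                    /* reached only if execve failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    return run_ls() == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Because the child never goes through a shell and passes its own environment to `execve`, a caller's `export PATH=~:$PATH` has no influence on which `ls` runs, and the binary it starts no longer holds the file owner's privileges.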
Old 10-19-2015, 08:37 AM   #12
glenjoker
LQ Newbie
 
Registered: Sep 2015
Distribution: Ubuntu 14.04
Posts: 24

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by pan64 View Post
I think bash simply ignores setuid flag (refuses to change user id). But need to check source code to be sure
http://unix.stackexchange.com/questi...effect-on-bash
I see. I just experimented with 'tcsh' and it did not work either. It seems that I can only start a shell under root privilege in this manner with 'sh'. Thanks for the clarification. It really helped.

And profuse thanks to everyone who helped me in this thread!
 
Old 10-19-2015, 08:41 AM   #13
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 8,104

Rep: Reputation: 2267
dash works too.
(if you really want to say thanks just click on yes)
 
1 members found this post helpful.
Old 10-19-2015, 08:47 AM   #14
glenjoker
LQ Newbie
 
Registered: Sep 2015
Distribution: Ubuntu 14.04
Posts: 24

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by pan64 View Post
dash works too.
(if you really want to say thanks just click on yes)
Yeap, dash works too. If you don't mind me asking, what is the yes button for? (I mean except for the obvious reason right besides it saying that I think this reply helped me)
 
Old 10-19-2015, 08:54 AM   #15
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 8,104

Rep: Reputation: 2267
that is the main purpose, just saying thanks. Actually you can find reputation on the left side which is more or less the number of clicks (thanks) you got. You can check the rules and reputation system of this forum if you need detailed information.
 
  

