SUID problem
Pavel Kankovsky
peak at argo.troja.mff.cuni.cz
Sun Apr 21 19:00:34 CEST 2002
On Fri, 19 Apr 2002, Richard Willmann wrote:
> #define REAL_PATH "/usr/local/abc/abc.sh"
> main(ac, av)
> char **av;
> {
> execv(REAL_PATH, av);
> }
>
> where the binary has the SUID bit set.
To people who are not inclined to gamble with their health and their life,
I would recommend at least cleaning the environment (if nothing else), i.e.
something like:
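#include <unistd.h>

#define REAL_PATH "/usr/local/abc/abc.sh"	/* same path as in the quoted wrapper */

/* Fixed environment handed to the script; nothing is taken from the caller. */
char *good_envp[] = {
	"PATH=/bin:/usr/bin", "TERM=dumb", NULL
};

int
main(int argc, char **argv)
{
	/* With effective UID 0 this also sets the real and saved UIDs. */
	setuid(geteuid());
	/* execve() takes an explicit environment, unlike execv(). */
	execve(REAL_PATH, argv, good_envp);
	return 1;	/* reached only if execve() failed */
}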
Otherwise (especially once setuid(geteuid()) is added, though that is far
from a necessary condition) there would be roughly two and a half thousand
ways to immediately gain control of the user that abc.sh runs as.
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
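
Added example, not part of the original message and not the poster's code: the same wrapper with the environment built by a function, going one step beyond the post by passing the caller's TERM through only after validating it and falling back to the fixed "TERM=dumb" otherwise. The names build_clean_env and term_ok, the 32-character limit and the allowed character set are assumptions made for illustration; REAL_PATH is the path from the quoted wrapper.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>

#define REAL_PATH "/usr/local/abc/abc.sh"	/* path from the quoted wrapper */
/* Assumed character set for a terminal name (hypothetical policy). */
#define SAFE "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.+"

extern char **environ;

/* Accept a caller entry only if it is "TERM=<1..32 characters from SAFE>". */
static int term_ok(const char *entry)
{
	size_t n;

	if (strncmp(entry, "TERM=", 5) != 0)
		return 0;
	n = strlen(entry + 5);
	return n >= 1 && n <= 32 && strspn(entry + 5, SAFE) == n;
}

/*
 * Build the environment for execve(). PATH is always the fixed value from
 * the post; TERM is the first acceptable caller value, else "TERM=dumb".
 * Every other caller variable is dropped. out must hold three pointers.
 */
void build_clean_env(char *const *envp, const char *out[3])
{
	size_t i;

	out[0] = "PATH=/bin:/usr/bin";
	out[1] = "TERM=dumb";
	out[2] = NULL;
	for (i = 0; envp != NULL && envp[i] != NULL; i++) {
		if (term_ok(envp[i])) {
			out[1] = envp[i];
			break;
		}
	}
}

int main(int argc, char **argv)
{
	const char *env[3];

	(void)argc;
	if (setuid(geteuid()) != 0)	/* do not continue with mixed UIDs */
		return 1;
	build_clean_env(environ, env);
	execve(REAL_PATH, argv, (char *const *)env);
	return 1;	/* reached only if execve() failed */
}
```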