Hello,
I'm following some old exercises on site http://www.doc.ic.ac.uk/~wjk/UnixIntro/Exercise3.html
One of the exercises tells me to:
Team up with a partner. Copy /bin/sh to your home directory. Type "chmod +s sh". Check the permissions on sh in the directory listing. Now ask your partner to change into your home directory and run the program ./sh. Ask them to run the id command. What's happened? Your partner can type exit to return to their shell.
So here's sh copied to /tmp/cwiczenia:
[mk@linux cwiczenia]$ chmod +x+s sh
[mk@linux cwiczenia]$ ls -l
razem 772
-r--r--r-- 1 mk users 0 11-26 15:34 plik
-rwsr-sr-x 1 mk users 787312 11-26 15:43 sh
And now I log in as other user:
[mk@linux ~]$ su kinia -
[kinia@linux mk]$ /tmp/cwiczenia/sh
sh-4.3$ whoami
kinia
What am I doing wrong? Does Archlinux have some other security policy which prevents me from doing the trick? I expect that sh will show that whoami is mk (my user name).
Wikipedia says:
setuid and setgid (short for "set user ID upon execution" and "set group ID upon execution", respectively)[1] are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group respectively and to change behaviour in directories.
But also I don't have privileges of user mk while being logged in into that /tmp/sh:
sh-4.3$ ls -l
total 772
-r--r--r-- 1 mk users 0 Nov 26 15:34 plik
-rwsr-sr-x 1 mk users 787312 Nov 26 15:43 sh
sh-4.3$ chmod 644 plik
chmod: changing permissions of 'plik': Operation not permitted
What am I doing wrong?
Last edited by mkkot (2016-11-27 11:24:08)
Unless you changed it from the default, on Arch Linux /bin/sh is actually a symbolic link to /bin/bash. When you copied it to /tmp/cwiczenia, you actually copied /bin/bash (you may notice the version string in the prompt matching the version of bash).
And it turns out that bash seems to drop all UIDs/GIDs other than the real ones, and your experiment fails.
If you had done the whole thing with a POSIX-compatible shell (e.g. dash), you would see something like this:
$ id
uid=1001(kinia) gid=1001(kinia) euid=1000(mk) egid=1000(mk) groups=1000(mk),...
$ whoami
mk
Last edited by ayekat (2016-11-26 15:57:46)
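The startup behaviour described in the reply above, as an added example that is not part of the original posts and not bash's source: a program compares its real and effective IDs and, when they differ, permanently falls back to the real ones before doing anything else. The function names are hypothetical, and the saved-ID behaviour of setreuid()/setregid() noted in the comments is as documented for Linux.

```c
/* Added example; function names are hypothetical, not taken from bash. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if real and effective IDs differ, i.e. the binary ran set-uid/set-gid. */
int started_setid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Permanently fall back to the real IDs; 0 on success, -1 on failure. */
int drop_to_real_ids(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Group first: after the UID change we may lack permission to do it. */
    if (setregid(rgid, rgid) != 0)
        return -1;
    /* Setting the real UID also resets the saved set-user-ID on Linux. */
    if (setreuid(ruid, ruid) != 0)
        return -1;

    /* Verify the drop stuck: an unprivileged process must not be able
     * to switch back to the old effective IDs. */
    if (ruid != 0) {
        if (old_euid != ruid && seteuid(old_euid) == 0)
            return -1;
        if (old_egid != rgid && setegid(old_egid) == 0)
            return -1;
    }
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

int main(void)
{
    printf("before: uid=%d euid=%d gid=%d egid=%d\n",
           (int)getuid(), (int)geteuid(), (int)getgid(), (int)getegid());
    if (started_setid() && drop_to_real_ids() != 0) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return 1;
    }
    printf("after:  uid=%d euid=%d gid=%d egid=%d\n",
           (int)getuid(), (int)geteuid(), (int)getgid(), (int)getegid());
    return 0;
}
```

Run normally, both lines print the same IDs; run from a set-uid copy, the "after" line shows the effective IDs back at the caller's real ones, which matches the whoami result in the first post.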
Ok, that explains a lot! Thank you. I thought that there must be some non-standard security enhancement which doesn't allow me to do what I want and I was right about it.