- file permissions
- Posted by faeychild on December 20th, 2003
I have been reading Linuxmagazine on line
and stumbled across a bash script operation
that leaves me sorely puzzled.
My tests so far have been to create a test script file
called fileperm.
---------
[nykysle@unimatrix nykysle]$ cat fileperm
#!/bin/bash
echo 'file works'
-------------
which is owned by root and has NO execute permissions
---------------
[nykysle@unimatrix nykysle]$ ls -l fileperm
-rw-r--r-- 1 root root 30 Dec 20 12:34 fileperm
--------------
If I attempt to execute the file.
------------
[nykysle@unimatrix nykysle]$ ./fileperm
bash: ./fileperm: Permission denied
-------------
I get bounced, no surprises here.
But if I start another shell, it executes!
--------------
[nykysle@unimatrix nykysle]$ bash fileperm
file works
[nykysle@unimatrix nykysle]$
------------
Does this mean I can bypass permissions, and
execute any file, by starting another shell?
How secure is this?
--
faeychild.
- Posted by Chris F.A. Johnson on December 20th, 2003
On Sat, 20 Dec 2003 at 02:48 GMT, faeychild wrote:
Or:
bash < fileperm
Or:
cp fileperm tony
chmod +x tony
./tony
If you can read the file, you can cause it to be interpreted by
bash in many ways. If you don't want non-root user to read it (and
thus be able to execute the contents), remove the read permissions:
chmod go-r fileperm
--
Chris F.A. Johnson http://cfaj.freeshell.org
===================================================================
My code (if any) in this post is copyright 2003, Chris F.A. Johnson
and may be copied under the terms of the GNU General Public License
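An audit built on the point made in the reply above, added here as an example and not part of the original thread: it lists scripts under a directory that have no execute bit but are still readable by group or other, so those users can run them with `bash FILE`. The function name and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Function name and usage are hypothetical.
#
# A missing execute bit only stops "./file". Anyone who can read a script
# can still feed it to an interpreter ("bash file", "bash < file").
# This lists the files where that gap exists for users other than the owner.

# Print regular files under DIR that
#   - have no execute bit for anyone,
#   - are readable by group or other,
#   - start with "#!" (i.e. are meant to be run by an interpreter).
list_readable_nonexec_scripts() {
    find "$1" -type f ! -perm -100 ! -perm -010 ! -perm -001 \
        \( -perm -040 -o -perm -004 \) -print |
    while IFS= read -r f; do
        first=
        # Read only the first line; ignore files we cannot open.
        IFS= read -r first 2>/dev/null < "$f" || :
        case $first in
            '#!'*) printf '%s\n' "$f" ;;
        esac
    done
}

# Stand-alone use: sh audit.sh /some/dir
# For each path reported, "chmod go-r PATH" (the fix given above) closes the gap.
if [ "$#" -gt 0 ]; then
    list_readable_nonexec_scripts "$1"
fi
```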
- Posted by Dave Brown on December 21st, 2003
In article <3fe3b877@news.comindico.com.au>, faeychild wrote:
To answer your first question, you have to figure out what it is you're
executing. In step 1, you're executing 'fileperm'; in step 2, you're
executing 'bash'. The rules are very specific.
Now if "any file" is a binary executable, as opposed to a shell script,
you might check out:
$ bash any_file
and see if you've discovered an insecurity. 
--
Dave Brown Austin, TX
- Posted by Ed Murphy on December 21st, 2003
On Sun, 21 Dec 2003 05:43:54 +0000, Hactar wrote:
Whoa! Exactly how powerful *is* this? (It does seem to have
limitations; '/lib/ld-linux.so.2 echo foo' fails, for instance.)
- Posted by Chris F.A. Johnson on December 21st, 2003
On Sun, 21 Dec 2003 at 06:12 GMT, Ed Murphy wrote:
It doesn't search the PATH:
/lib/ld-linux.so.2 /bin/echo foo
If the file is a readable and valid binary, it will execute it.
--
Chris F.A. Johnson http://cfaj.freeshell.org
- Posted by Ed Murphy on December 21st, 2003
On Sun, 21 Dec 2003 06:54:40 +0000, Hactar wrote:
Sounds like you can use this to get around a partition being mounted
no-execute. (Although the difference between that, and simply copying
the binary to /tmp and running it from there, is probably rather subtle.)
- Posted by Dave Brown on December 21st, 2003
In article <bs3bv4$uuj$1@pc.tampabay.rr.com>, Hactar wrote:
How can a "shared object" be executable? I thought there had to be some
kind of runtime linking. Is the shell doing something here that I don't
know about? (As you might detect, I'm not in my realm of knowledge.)
--
Dave Brown Austin, TX