[204] in bugtraq
Re: Setuid programs run from shell scripts?
daemon@ATHENA.MIT.EDU (Julian Assange)
Thu Nov 17 15:15:17 1994
Date: Fri, 18 Nov 1994 03:59:19 +0100
From: Julian Assange <proff@suburbia.apana.org.au>
To: Fred Blonder <fred@nasirc.hq.nasa.gov>
Cc: karl@bagpuss.demon.co.uk, Quentin.Fennessy@sematech.org,
fred@nasirc.hq.nasa.gov, mcn@c3serve.c3.lanl.gov, bugtraq@fc.net
In-Reply-To: <199411171611.LAA04177@nasirc.hq.nasa.gov>
On Thu, 17 Nov 1994, Fred Blonder wrote:
> From: Julian Assange <proff@suburbia.apana.org.au>
>
> .
> .
> .
>
> Of course, to make things really interesting, we could have n files,
> comprised of n-1 setuid/setgid scripts and 1 setuid/setgid binary, with
> each script calling the next as its #! argument and the last calling the
> binary. ;-)
>
> The '#!' exec-hack does not work recursively. I just tried it under SunOs 4.1.3
> It generated no diagnostics and exited with status 0, but it also didn't execute
> the target binary.
>
#include <stdio.h>
main(int c, char **v)
{
char s[255];
FILE *fh;
int n=atoi(v[1]);
while (n--)
{
sprintf(s, "f%d", n);
fh=fopen(s, "w");
fprintf(fh, "#!f%d", n+1);
fchmod(fileno(fh), 0700);
fclose(fh);
}
}
Does under linux (300 deep at least). However, linux doesn't permit suid
scripts in anyvent. Other platforms I have not as yet tested.
Proff
