0

I'm trying to suid a shell and it's not working. I need help understanding why, and how to fix it...

I'm following these steps (as root)

cp /usr/bin/bash /usr/bin/bash-emergency
chmod 4755 /usr/bin/bash-emergency

bash-emergency is owned by root:root

I would expect that this should execute bash-emergency as root, resulting in a root shell

I know all the reasons not to do this. This is in a lab. su and sudo, for the sake of this test, are not an option. I need a user to be able to get a root shell without having to authenticate or otherwise be challenged after their initial login.

I'm hoping to be able to do this with a simple suid executable rather than changing the non-root user's UID to 0.

What am I doing wrong?

mikem
  • 418
  • 2
  • 7
  • You are doing nothing wrong other that breaking all security measures on the system and possibly on the network. When you execute your suid binary, what is the output of the `id` command? – doneal24 Jan 21 '23 at 18:57
  • what are you trying to solve? looks for me like a homework – djdomi Jan 21 '23 at 20:16
  • @doneal24 the output is 'uid=1000(ec2-user) gid=1000(ec2-user) euid=0(root) groups=1000(ec2-user),4(adm),10(wheel),190(systemd-journal)' Notice the EUID is 0, but the UID is still my rergular UID. In this condition, some commands run as root (ie. touch x), but programs that actually check for root give the message "You must be root to run this command." – mikem Jan 22 '23 at 05:22
  • @djdomi Definitely not homework. I am setting up a Unix class environment where the students will have direct access to root -- including the ability to render su and sudo useless. I won't really have a way to get to the console, boot into single-user mode, and fix them. My goal here is, hoping the students haven't also broken ssh, that I can pop in and use an "emergency shell" to fix the damage they did... ie broken pam, broken sudoers, etc. This happened the last time I taught the class... just trying to find a way to fix it if it happens again. – mikem Jan 22 '23 at 05:27
  • The behavior seems consistent with bash and ksh, so I don't think it's shell-specific. – mikem Jan 22 '23 at 05:29
  • Just a bump -- anyone have any ideas? Thank you! – mikem Jan 24 '23 at 05:21

0 Answers0