0

Hello stackoverflow guys,

I have written a C program that simply invokes a bash shell using `system("/bin/bash")`.

If I enable the setuid permission bit and execute the program, the invoked shell does not have euid set to 0. This is OK, because we know that the bash shell drops privileges.

BUT if I change /bin/sh to point to /bin/bash using `sudo ln -s /bin/bash /bin/sh`

and then execute system with /bin/sh as an argument, then the newly invoked shell has euid=0.

I am working on Ubuntu 10.04.

Why does this happen?

user1506450
  • Are you sure `/bin/sh` was not already pointing to something else before you hit `ln -s /bin/bash /bin/sh`? Maybe you need to force symlink creation (no need to specify the path if the command and the link are in the same directory): `ln -sf bash /bin/sh` – F. Hauri - Give Up GitHub Nov 03 '12 at 13:54
  • Yes, I am sure; actually I did a `sudo rm /bin/sh` – user1506450 Nov 03 '12 at 14:01

1 Answer

4

It's a "weird" feature of a Debian patch: bash_4.2-5.diff. Bash invoked as /bin/sh works as in POSIX mode, and a POSIX shell (like dash) does not drop privileges (neither does bash with -p, or bash symlinked as /bin/sh in Debian/Ubuntu).

drizzt
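Since whether the shell behind /bin/sh drops privileges depends on how it is invoked, a setuid program that must run a shell command can give up its privilege itself before calling `system()`. The following is an added example, not code from the question or the answer; `drop_privileges` and `run_as_invoker` are hypothetical names, and the `id` command in `main` is a constructed sample.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Permanently give up setuid/setgid privilege: real, effective and saved
 * ids all become the invoking user's. Returns 0 on success, -1 on failure.
 * Supplementary groups are left alone: the setuid bit never changed them.
 */
int drop_privileges(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Group first: once the uid is dropped we may lack permission to. */
    if (setregid(rgid, rgid) != 0)
        return -1;
    /* Setting the real id also resets the saved id to the new euid. */
    if (setreuid(ruid, ruid) != 0)
        return -1;

    /* Verify that every id now matches the invoking user. */
    if (getuid() != ruid || geteuid() != ruid ||
        getgid() != rgid || getegid() != rgid)
        return -1;
    /* A non-root invoker must not be able to take the old ids back. */
    if (ruid != 0 &&
        ((old_euid != ruid && seteuid(old_euid) == 0) ||
         (old_egid != rgid && setegid(old_egid) == 0)))
        return -1;
    return 0;
}

/* Run cmd through /bin/sh only after privilege is gone, so the outcome no
 * longer depends on which shell /bin/sh points to. Returns system()'s
 * status, or -1 if the drop failed (the command is then never run). */
int run_as_invoker(const char *cmd)
{
    if (drop_privileges() != 0)
        return -1;
    return system(cmd);
}

int main(void)
{
    int status = run_as_invoker("id"); /* constructed sample command */
    return status == -1 ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

The system(3) manual page also advises against calling `system()` from a set-user-ID program at all, because the shell inherits the caller's environment variables.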