how to make a shell execute with suid

mikem

1/21/24, 9:04 AM

I'm trying to suid a shell and it's not working. I need help understanding why, and how to fix it...

I'm following these steps (as root)

cp /usr/bin/bash /usr/bin/bash-emergency
chmod 4755 /usr/bin/bash-emergency

bash-emergency is owned by root:root

I would expect that this should execute bash-emergency as root, resulting in a root shell

I know all the reasons not to do this. This is in a lab. su and sudo, for the sake of this test, are not an option. I need a user to be able to get a root shell without having to authenticate or otherwise be challenged after their initial login.

I'm hoping to be able to do this with a simple suid executable rather than changing the non-root user's UID to 0.

What am I doing wrong?

442

0 + 6

shell

bash

ksh

suid

unix-shell

doneal24

1/21/24, 6:57 PM

You are doing nothing wrong other that breaking all security measures on the system and possibly on the network. When you execute your suid binary, what is the output of the `id` command?

djdomi

1/21/24, 8:16 PM

what are you trying to solve? looks for me like a homework

mikem

1/22/24, 5:22 AM

@doneal24 the output is 'uid=1000(ec2-user) gid=1000(ec2-user) euid=0(root) groups=1000(ec2-user),4(adm),10(wheel),190(systemd-journal)' Notice the EUID is 0, but the UID is still my rergular UID. In this condition, some commands run as root (ie. touch x), but programs that actually check for root give the message "You must be root to run this command."

mikem

1/22/24, 5:27 AM

@djdomi Definitely not homework. I am setting up a Unix class environment where the students will have direct access to root -- including the ability to render su and sudo useless. I won't really have a way to get to the console, boot into single-user mode, and fix them. My goal here is, hoping the students haven't also broken ssh, that I can pop in and use an "emergency shell" to fix the damage they did... ie broken pam, broken sudoers, etc. This happened the last time I taught the class... just trying to find a way to fix it if it happens again.

mikem

1/22/24, 5:29 AM

The behavior seems consistent with bash and ksh, so I don't think it's shell-specific.

mikem

1/24/24, 5:21 AM

Just a bump -- anyone have any ideas? Thank you!

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: how to make a shell execute with suid

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.