- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- Re: suid script help
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-18-2005 01:37 AM
тАО10-18-2005 01:37 AM
I did a 4755 on the script and it starts with a #!/usr/bin/sh but when I test it under my userid it comes back.
Not Superuser
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-18-2005 01:52 AM
тАО10-18-2005 01:52 AM
Re: suid script help
UNIX because I majored in cryptology...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-18-2005 01:58 AM
тАО10-18-2005 01:58 AM
Re: suid script help
will return
exptm=89 # That is the number of days till expiration.
The script runs fine as root, but when I run it as a user it comes back
Not Superuser on the next line instead of the exptm=89
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-18-2005 02:46 AM
тАО10-18-2005 02:46 AM
Re: suid script help
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-18-2005 02:50 AM
тАО10-18-2005 02:50 AM
Re: suid script help
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-18-2005 04:53 AM
тАО10-18-2005 04:53 AM
SolutionI would use "C" programming with a little help :
#####################################
#include
#include
#define SCRIPT "/usr/local/bin/security/yourscript.sh "
main (argc,argv)
char **argv;
int argc;
{
int i;
char comm[200];
(void)strcat(comm,SCRIPT);
/* printf("commande : %s\n",comm); */
/* printf("nb arg : %d\n",argc); */
for(i=1; i < argc ; i++) {
(void)strcat(comm,argv[i]);
(void)strcat(comm," ");
}
/* printf("commande : %s\n",comm); */
system(comm);
}
######################################
compile this program (as root)
cc pgm.c -o pgm
mv pgm /usr/local/bin/security/.
(adapt for your directory)
The script
with 0700 permission.
the program "pgm" will call the script with relevant parameter.
Please note full path for the script !
the pgm will be owned by root with 4555 permission.
test the script 1st (as root)
Wrapp it
Regards
Jean-Luc
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-19-2005 05:12 AM
тАО10-19-2005 05:12 AM
Re: suid script help
Here is the demonstration(my 0700 script just echos "hi"):
I compiled the program:
# cc pgm.c -o pgm
# su fritzr
$ id
uid=13553(fritzr) gid=778(security)
$ ./rootgift ';id'
hi
uid=13553(fritzr) gid=778(security) euid=0(root)
Substitute "id" with "rm -rf *" and an arbitrary user has just wiped your system.
There are two problems with the program: #1, unchecked buffer, #2 (the easier exploit), unchecked execution of arbitrary user arguments at elevated privilege.
I'd suggest the following instead:
#####################################
main ()
{
setreuid(0,0);
system("/usr/lbin/getprpw -m exptm `id -nu`");
}
######################################
compile this program (as root)
cc daysleft.c -o daysleft
mv daysleft
Then make a script
with 0555 permission that runs pgm and parses the output.
daysleft will be owned by root with 4555 permission.
The reasons this *doesn't* create a security hole:
1) There is no unchecked buffer to overflow, and
2) there is no untrusted input run by a privileged program
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-20-2005 04:29 AM
тАО10-20-2005 04:29 AM
Re: suid script help
PATH=/tmp:$PATH ;
echo ksh > /tmp/id ;
chmod 700 /tmp/id ;
./daysleft
Instant root shell.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-20-2005 04:38 AM
тАО10-20-2005 04:38 AM
Re: suid script help
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО10-20-2005 04:59 AM
тАО10-20-2005 04:59 AM
Re: suid script help
#!/usr/bin/ksh
PATH=/usr/bin:/usr/local/bin
exptime=$(grep u_exp /tcb/files/auth/$(echo $LOGNAME | sed "s/^\(.\).*$/\1/")/$LOGNAME | sed "s/.*u_exp#\([^:]*\).*$/\1/")
chgtime=$(grep u_succhg /tcb/files/auth/$(echo $LOGNAME | sed "s/^\(.\).*$/\1/")/$LOGNAME | sed "s/.*u_succhg#\([^:]*\).*$/\1/")
expires_on=$(gdate -d "January 1, 1970 $chgtime seconds $exptime seconds" +%Y%m%d)
expires_less_seven_days=$(gdate -d "$expires_on 7 days ago" +%Y%m%d)
today=$(gdate +%Y%m%d)
echo Expires $expires_on, less seven days $expires_less_seven_days v $today $((expires_on-$today)) ...
if [ $today -ge $expires_less_seven_days ]
then
echo "Your password is expiring soon!"
exit 1
else
echo "No password change coming this week."
fi
exit 0