From which version does Bash drop privileges?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
5
down vote

favorite
3












I've been trying to do some bufferoverflow attack, and I tought I could use system("/bin/bash") in order to obtain a root shell.



Then I read the documentation for system().



It says :




system() will not, in fact, work properly from programs with set-user-ID or set-group-ID privileges on systems on which /bin/sh is bash version 2, since bash 2 drops privileges on startup.




The system I am attaking has a bash version 4.3, and when I use a system("/bin/bash"), I don't get root privileges (of course the initial program I am attacking starts with root privileges). My question is: will system drop privileges only on bash version 2, or will it drop them for any bash that has a version > 2?



EDIT: /bin/bash just drops privileges, while /bin/dash or /bin/sh don't.



After reading comments from @StéphaneChazelas, EDIT2 :



  • check this link for more explaination and accuracy about bash dropping privileges.


  • -p option can be used to be sure to keep privileges when the bash spawns.






share|improve this question





















  • Your title says /bin/sh, but your code says /bin/bash. Which one is it? Related: stackoverflow.com/questions/13209215/…
    – Kusalananda
    Jun 21 at 9:15










  • Depends on the system as well as Debian for instance used to revert that behaviour with a patch for sh IIRC. Note that you can use bash -p to keep your euid/egid, but that would help if they have been dropped by the shell called by system() itself beforehand.
    – Stéphane Chazelas
    Jun 21 at 9:24










  • @Kusalananda So the system does drop privileges on a /bin/bash right?
    – Nark
    Jun 21 at 9:26










  • (sorry, it should be that would not help in my comment about)
    – Stéphane Chazelas
    Jun 21 at 9:32






  • 1




    Related: bugs.launchpad.net/ubuntu/+source/dash/+bug/1215660
    – Stéphane Chazelas
    Jun 21 at 10:23














up vote
5
down vote

favorite
3












I've been trying to do some bufferoverflow attack, and I tought I could use system("/bin/bash") in order to obtain a root shell.



Then I read the documentation for system().



It says :




system() will not, in fact, work properly from programs with set-user-ID or set-group-ID privileges on systems on which /bin/sh is bash version 2, since bash 2 drops privileges on startup.




The system I am attaking has a bash version 4.3, and when I use a system("/bin/bash"), I don't get root privileges (of course the initial program I am attacking starts with root privileges). My question is: will system drop privileges only on bash version 2, or will it drop them for any bash that has a version > 2?



EDIT: /bin/bash just drops privileges, while /bin/dash or /bin/sh don't.



After reading comments from @StéphaneChazelas, EDIT2 :



  • check this link for more explaination and accuracy about bash dropping privileges.


  • -p option can be used to be sure to keep privileges when the bash spawns.






share|improve this question





















  • Your title says /bin/sh, but your code says /bin/bash. Which one is it? Related: stackoverflow.com/questions/13209215/…
    – Kusalananda
    Jun 21 at 9:15










  • Depends on the system as well as Debian for instance used to revert that behaviour with a patch for sh IIRC. Note that you can use bash -p to keep your euid/egid, but that would help if they have been dropped by the shell called by system() itself beforehand.
    – Stéphane Chazelas
    Jun 21 at 9:24










  • @Kusalananda So the system does drop privileges on a /bin/bash right?
    – Nark
    Jun 21 at 9:26










  • (sorry, it should be that would not help in my comment about)
    – Stéphane Chazelas
    Jun 21 at 9:32






  • 1




    Related: bugs.launchpad.net/ubuntu/+source/dash/+bug/1215660
    – Stéphane Chazelas
    Jun 21 at 10:23












up vote
5
down vote

favorite
3









up vote
5
down vote

favorite
3






3





I've been trying to do some bufferoverflow attack, and I tought I could use system("/bin/bash") in order to obtain a root shell.



Then I read the documentation for system().



It says :




system() will not, in fact, work properly from programs with set-user-ID or set-group-ID privileges on systems on which /bin/sh is bash version 2, since bash 2 drops privileges on startup.




The system I am attaking has a bash version 4.3, and when I use a system("/bin/bash"), I don't get root privileges (of course the initial program I am attacking starts with root privileges). My question is: will system drop privileges only on bash version 2, or will it drop them for any bash that has a version > 2?



EDIT: /bin/bash just drops privileges, while /bin/dash or /bin/sh don't.



After reading comments from @StéphaneChazelas, EDIT2 :



  • check this link for more explaination and accuracy about bash dropping privileges.


  • -p option can be used to be sure to keep privileges when the bash spawns.






share|improve this question













I've been trying to do some bufferoverflow attack, and I tought I could use system("/bin/bash") in order to obtain a root shell.



Then I read the documentation for system().



It says :




system() will not, in fact, work properly from programs with set-user-ID or set-group-ID privileges on systems on which /bin/sh is bash version 2, since bash 2 drops privileges on startup.




The system I am attaking has a bash version 4.3, and when I use a system("/bin/bash"), I don't get root privileges (of course the initial program I am attacking starts with root privileges). My question is: will system drop privileges only on bash version 2, or will it drop them for any bash that has a version > 2?



EDIT: /bin/bash just drops privileges, while /bin/dash or /bin/sh don't.



After reading comments from @StéphaneChazelas, EDIT2 :



  • check this link for more explaination and accuracy about bash dropping privileges.


  • -p option can be used to be sure to keep privileges when the bash spawns.








share|improve this question












share|improve this question




share|improve this question








edited Jun 22 at 9:31
























asked Jun 21 at 9:03









Nark

335




335











  • Your title says /bin/sh, but your code says /bin/bash. Which one is it? Related: stackoverflow.com/questions/13209215/…
    – Kusalananda
    Jun 21 at 9:15










  • Depends on the system as well as Debian for instance used to revert that behaviour with a patch for sh IIRC. Note that you can use bash -p to keep your euid/egid, but that would help if they have been dropped by the shell called by system() itself beforehand.
    – Stéphane Chazelas
    Jun 21 at 9:24










  • @Kusalananda So the system does drop privileges on a /bin/bash right?
    – Nark
    Jun 21 at 9:26










  • (sorry, it should be that would not help in my comment about)
    – Stéphane Chazelas
    Jun 21 at 9:32






  • 1




    Related: bugs.launchpad.net/ubuntu/+source/dash/+bug/1215660
    – Stéphane Chazelas
    Jun 21 at 10:23
















  • Your title says /bin/sh, but your code says /bin/bash. Which one is it? Related: stackoverflow.com/questions/13209215/…
    – Kusalananda
    Jun 21 at 9:15










  • Depends on the system as well as Debian for instance used to revert that behaviour with a patch for sh IIRC. Note that you can use bash -p to keep your euid/egid, but that would help if they have been dropped by the shell called by system() itself beforehand.
    – Stéphane Chazelas
    Jun 21 at 9:24










  • @Kusalananda So the system does drop privileges on a /bin/bash right?
    – Nark
    Jun 21 at 9:26










  • (sorry, it should be that would not help in my comment about)
    – Stéphane Chazelas
    Jun 21 at 9:32






  • 1




    Related: bugs.launchpad.net/ubuntu/+source/dash/+bug/1215660
    – Stéphane Chazelas
    Jun 21 at 10:23















Your title says /bin/sh, but your code says /bin/bash. Which one is it? Related: stackoverflow.com/questions/13209215/…
– Kusalananda
Jun 21 at 9:15




Your title says /bin/sh, but your code says /bin/bash. Which one is it? Related: stackoverflow.com/questions/13209215/…
– Kusalananda
Jun 21 at 9:15












Depends on the system as well as Debian for instance used to revert that behaviour with a patch for sh IIRC. Note that you can use bash -p to keep your euid/egid, but that would help if they have been dropped by the shell called by system() itself beforehand.
– Stéphane Chazelas
Jun 21 at 9:24




Depends on the system as well as Debian for instance used to revert that behaviour with a patch for sh IIRC. Note that you can use bash -p to keep your euid/egid, but that would help if they have been dropped by the shell called by system() itself beforehand.
– Stéphane Chazelas
Jun 21 at 9:24












@Kusalananda So the system does drop privileges on a /bin/bash right?
– Nark
Jun 21 at 9:26




@Kusalananda So the system does drop privileges on a /bin/bash right?
– Nark
Jun 21 at 9:26












(sorry, it should be that would not help in my comment about)
– Stéphane Chazelas
Jun 21 at 9:32




(sorry, it should be that would not help in my comment about)
– Stéphane Chazelas
Jun 21 at 9:32




1




1




Related: bugs.launchpad.net/ubuntu/+source/dash/+bug/1215660
– Stéphane Chazelas
Jun 21 at 10:23




Related: bugs.launchpad.net/ubuntu/+source/dash/+bug/1215660
– Stéphane Chazelas
Jun 21 at 10:23










1 Answer
1






active

oldest

votes

















up vote
2
down vote













Current version



Recent versions of bash will drop privileges, unless it was started with -p. From the section of bash(1) describing the privileged mode:




If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p option is not supplied, [...] the effective user id is set to the real user id. If the -p option is supplied at startup, the effective user id is not reset. Turning this option off causes the effective user and group ids to be set to the real user and group ids.




Historical versions



You asked "From which version...?". The part of system() that you quote has been unchanged since the earliest revision available in the active git repository (version 1.70). That was checked in in 2004, and the comments indicate it was last modified in 2001.



Bash version 3 was released in 2004. That means that bash 2 would have been the current/latest version at the time. So effectively, it's saying "...bash version 2 or higher/newer", ie. this has been the case since version 2.



To confirm for yourself, you could try to build some intermediate versions and test them, or consult the bash git repository. The lines responsible are:



 if (running_setuid && privileged_mode == 0)
disable_priv_mode ();


Those have been there since version 2.0. Looking back to version 1.14.7, bash would only drop privileges when privileged mode was explicitly disabled with +p:



 case 'p':
if (on_or_off == '+')

setuid (current_user.uid);
setgid (current_user.gid);
current_user.euid = current_user.uid;
current_user.egid = current_user.gid;






share|improve this answer





















    Your Answer







    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );








     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f451048%2ffrom-which-version-does-bash-drop-privileges%23new-answer', 'question_page');

    );

    Post as a guest






























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    2
    down vote













    Current version



    Recent versions of bash will drop privileges, unless it was started with -p. From the section of bash(1) describing the privileged mode:




    If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p option is not supplied, [...] the effective user id is set to the real user id. If the -p option is supplied at startup, the effective user id is not reset. Turning this option off causes the effective user and group ids to be set to the real user and group ids.




    Historical versions



    You asked "From which version...?". The part of system() that you quote has been unchanged since the earliest revision available in the active git repository (version 1.70). That was checked in in 2004, and the comments indicate it was last modified in 2001.



    Bash version 3 was released in 2004. That means that bash 2 would have been the current/latest version at the time. So effectively, it's saying "...bash version 2 or higher/newer", ie. this has been the case since version 2.



    To confirm for yourself, you could try to build some intermediate versions and test them, or consult the bash git repository. The lines responsible are:



     if (running_setuid && privileged_mode == 0)
    disable_priv_mode ();


    Those have been there since version 2.0. Looking back to version 1.14.7, bash would only drop privileges when privileged mode was explicitly disabled with +p:



     case 'p':
    if (on_or_off == '+')

    setuid (current_user.uid);
    setgid (current_user.gid);
    current_user.euid = current_user.uid;
    current_user.egid = current_user.gid;






    share|improve this answer

























      up vote
      2
      down vote













      Current version



      Recent versions of bash will drop privileges, unless it was started with -p. From the section of bash(1) describing the privileged mode:




      If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p option is not supplied, [...] the effective user id is set to the real user id. If the -p option is supplied at startup, the effective user id is not reset. Turning this option off causes the effective user and group ids to be set to the real user and group ids.




      Historical versions



      You asked "From which version...?". The part of system() that you quote has been unchanged since the earliest revision available in the active git repository (version 1.70). That was checked in in 2004, and the comments indicate it was last modified in 2001.



      Bash version 3 was released in 2004. That means that bash 2 would have been the current/latest version at the time. So effectively, it's saying "...bash version 2 or higher/newer", ie. this has been the case since version 2.



      To confirm for yourself, you could try to build some intermediate versions and test them, or consult the bash git repository. The lines responsible are:



       if (running_setuid && privileged_mode == 0)
      disable_priv_mode ();


      Those have been there since version 2.0. Looking back to version 1.14.7, bash would only drop privileges when privileged mode was explicitly disabled with +p:



       case 'p':
      if (on_or_off == '+')

      setuid (current_user.uid);
      setgid (current_user.gid);
      current_user.euid = current_user.uid;
      current_user.egid = current_user.gid;






      share|improve this answer























        up vote
        2
        down vote










        up vote
        2
        down vote









        Current version



        Recent versions of bash will drop privileges, unless it was started with -p. From the section of bash(1) describing the privileged mode:




        If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p option is not supplied, [...] the effective user id is set to the real user id. If the -p option is supplied at startup, the effective user id is not reset. Turning this option off causes the effective user and group ids to be set to the real user and group ids.




        Historical versions



        You asked "From which version...?". The part of system() that you quote has been unchanged since the earliest revision available in the active git repository (version 1.70). That was checked in in 2004, and the comments indicate it was last modified in 2001.



        Bash version 3 was released in 2004. That means that bash 2 would have been the current/latest version at the time. So effectively, it's saying "...bash version 2 or higher/newer", ie. this has been the case since version 2.



        To confirm for yourself, you could try to build some intermediate versions and test them, or consult the bash git repository. The lines responsible are:



         if (running_setuid && privileged_mode == 0)
        disable_priv_mode ();


        Those have been there since version 2.0. Looking back to version 1.14.7, bash would only drop privileges when privileged mode was explicitly disabled with +p:



         case 'p':
        if (on_or_off == '+')

        setuid (current_user.uid);
        setgid (current_user.gid);
        current_user.euid = current_user.uid;
        current_user.egid = current_user.gid;






        share|improve this answer













        Current version



        Recent versions of bash will drop privileges, unless it was started with -p. From the section of bash(1) describing the privileged mode:




        If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p option is not supplied, [...] the effective user id is set to the real user id. If the -p option is supplied at startup, the effective user id is not reset. Turning this option off causes the effective user and group ids to be set to the real user and group ids.




        Historical versions



        You asked "From which version...?". The part of system() that you quote has been unchanged since the earliest revision available in the active git repository (version 1.70). That was checked in in 2004, and the comments indicate it was last modified in 2001.



        Bash version 3 was released in 2004. That means that bash 2 would have been the current/latest version at the time. So effectively, it's saying "...bash version 2 or higher/newer", ie. this has been the case since version 2.



        To confirm for yourself, you could try to build some intermediate versions and test them, or consult the bash git repository. The lines responsible are:



         if (running_setuid && privileged_mode == 0)
        disable_priv_mode ();


        Those have been there since version 2.0. Looking back to version 1.14.7, bash would only drop privileges when privileged mode was explicitly disabled with +p:



         case 'p':
        if (on_or_off == '+')

        setuid (current_user.uid);
        setgid (current_user.gid);
        current_user.euid = current_user.uid;
        current_user.egid = current_user.gid;







        share|improve this answer













        share|improve this answer



        share|improve this answer











        answered Jul 18 at 10:25









        JigglyNaga

        2,556623




        2,556623






















             

            draft saved


            draft discarded


























             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f451048%2ffrom-which-version-does-bash-drop-privileges%23new-answer', 'question_page');

            );

            Post as a guest













































































            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?