From which version does Bash drop privileges?
I've been trying to do a buffer overflow attack, and I thought I could use system("/bin/bash") in order to obtain a root shell.
Then I read the documentation for system().
It says:
system() will not, in fact, work properly from programs with set-user-ID or set-group-ID privileges on systems on which /bin/sh is bash version 2, since bash 2 drops privileges on startup.
The system I am attacking has bash version 4.3, and when I use system("/bin/bash"), I don't get root privileges (of course the initial program I am attacking starts with root privileges). My question is: will system() drop privileges only on bash version 2, or will it drop them for any bash that has a version > 2?
EDIT: /bin/bash just drops privileges, while /bin/dash or /bin/sh don't.
After reading comments from @StéphaneChazelas, EDIT2:
- check this link for more explanation and accuracy about bash dropping privileges.
- the -p option can be used to be sure to keep privileges when bash spawns.
Tags: bash shell system-calls version privileges
Your title says /bin/sh, but your code says /bin/bash. Which one is it? Related: stackoverflow.com/questions/13209215/…
– Kusalananda
Jun 21 at 9:15
Depends on the system as well: Debian for instance used to revert that behaviour with a patch for sh IIRC. Note that you can use bash -p to keep your euid/egid, but that would help if they have been dropped by the shell called by system() itself beforehand.
– Stéphane Chazelas
Jun 21 at 9:24
@Kusalananda So the system does drop privileges on a /bin/bash right?
– Nark
Jun 21 at 9:26
(sorry, it should be "that would not help" in my comment above)
– Stéphane Chazelas
Jun 21 at 9:32
Related: bugs.launchpad.net/ubuntu/+source/dash/+bug/1215660
– Stéphane Chazelas
Jun 21 at 10:23
edited Jun 22 at 9:31
asked Jun 21 at 9:03
Nark
1 Answer
Current version
Recent versions of bash will drop privileges, unless it was started with -p. From the section of bash(1) describing the privileged mode:
If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p option is not supplied, [...] the effective user id is set to the real user id. If the -p option is supplied at startup, the effective user id is not reset. Turning this option off causes the effective user and group ids to be set to the real user and group ids.
Historical versions
You asked "From which version...?". The part of system() that you quote has been unchanged since the earliest revision available in the active git repository (version 1.70). That was checked in in 2004, and the comments indicate it was last modified in 2001.
Bash version 3 was released in 2004. That means that bash 2 would have been the current/latest version at the time. So effectively, it's saying "...bash version 2 or higher/newer", i.e. this has been the case since version 2.
To confirm for yourself, you could try to build some intermediate versions and test them, or consult the bash git repository. The lines responsible are:
    if (running_setuid && privileged_mode == 0)
      disable_priv_mode ();
Those have been there since version 2.0. Looking back to version 1.14.7, bash would only drop privileges when privileged mode was explicitly disabled with +p:
    case 'p':
      if (on_or_off == '+')
        {
          setuid (current_user.uid);
          setgid (current_user.gid);
          current_user.euid = current_user.uid;
          current_user.egid = current_user.gid;
        }
answered Jul 18 at 10:25
JigglyNaga
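To see the behaviour from the answer (and the bash -p point from the comments) on your own box rather than taking the man page's word for it, here is a small added check program. It is not code from the thread or from bash; it assumes /bin/sh and /bin/bash exist at those paths and that the id utility is available. It spawns a child shell the same way system(3) does (shell -c 'command'), once as /bin/sh, once as /bin/bash, and once as bash -p, and reports the real and effective uid each child ends up with. Shells that have no -p option (dash, for instance) fail to start in the third case and are reported as -1/-1.

```c
/* privcheck.c: added example (not from the thread). Spawn a shell the way
 * system(3) does and report the real/effective uid the child is left with. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

struct shell_ids {
    long ruid;   /* real uid reported by the child, -1 on failure */
    long euid;   /* effective uid reported by the child, -1 on failure */
};

/* Run `shell [-p] -c 'id -ru; id -u'` and parse the two numbers it prints.
 * privileged=1 adds bash's -p flag (privileged mode); a shell that does not
 * know -p exits non-zero, and the result is then -1/-1. */
struct shell_ids child_ids(const char *shell, int privileged)
{
    struct shell_ids ids = { -1, -1 };
    int fds[2];
    if (pipe(fds) == -1)
        return ids;

    pid_t pid = fork();
    if (pid == -1) {
        close(fds[0]);
        close(fds[1]);
        return ids;
    }
    if (pid == 0) {
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);   /* child's stdout -> pipe */
        close(fds[1]);
        if (privileged)
            execl(shell, shell, "-p", "-c", "id -ru; id -u", (char *)NULL);
        else
            execl(shell, shell, "-c", "id -ru; id -u", (char *)NULL);
        _exit(127);                    /* exec failed: no such shell */
    }

    close(fds[1]);
    char buf[64] = { 0 };
    size_t len = 0;
    ssize_t n;
    while (len < sizeof buf - 1 &&
           (n = read(fds[0], buf + len, sizeof buf - 1 - len)) > 0)
        len += (size_t)n;
    close(fds[0]);

    int status;
    if (waitpid(pid, &status, 0) == -1 ||
        !WIFEXITED(status) || WEXITSTATUS(status) != 0 || len == 0)
        return ids;

    char *end;
    ids.ruid = strtol(buf, &end, 10);  /* first line: id -ru */
    ids.euid = strtol(end, NULL, 10);  /* second line: id -u */
    return ids;
}

int main(void)
{
    printf("parent:    ruid=%ld euid=%ld\n", (long)getuid(), (long)geteuid());
    static const struct { const char *shell; int priv; } cases[] = {
        { "/bin/sh",   0 },   /* what system("...") actually execs */
        { "/bin/bash", 0 },   /* bash >= 2.0 resets euid to ruid here */
        { "/bin/bash", 1 },   /* -p keeps the effective ids */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct shell_ids ids = child_ids(cases[i].shell, cases[i].priv);
        printf("%s%s: ruid=%ld euid=%ld\n", cases[i].shell,
               cases[i].priv ? " -p" : "", ids.ruid, ids.euid);
    }
    return 0;
}
```

Run as-is it only proves the plumbing works: without a setuid bit every child reports the same ids as the parent. To reproduce the situation in the question, build it (gcc -Wall -o privcheck privcheck.c), make the binary setuid root (chown root privcheck; chmod u+s privcheck) and run it as an unprivileged user: the parent shows euid=0, the plain /bin/bash child shows euid equal to your real uid, and the bash -p child keeps euid=0; what /bin/sh does depends on which shell it is and on the distribution's patches, as the dash bug linked in the comments shows. Delete the setuid binary when you are done. Note also that bash -p can only preserve privileges the process still has when bash starts; if the intermediate /bin/sh -c run by system() has already reset them, -p cannot bring them back, which is the point of the corrected comment above.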