From which version does Bash drop privileges?

I've been trying to do some buffer overflow attack, and I thought I could use system("/bin/bash") in order to obtain a root shell.

Then I read the documentation for system().

It says:

system() will not, in fact, work properly from programs with set-user-ID or set-group-ID privileges on systems on which /bin/sh is bash version 2, since bash 2 drops privileges on startup.

The system I am attacking has a bash version 4.3, and when I use a system("/bin/bash"), I don't get root privileges (of course the initial program I am attacking starts with root privileges). My question is: will system drop privileges only on bash version 2, or will it drop them for any bash that has a version > 2?

EDIT: /bin/bash just drops privileges, while /bin/dash or /bin/sh don't.

After reading comments from @StéphaneChazelas, EDIT2:

  • check this link for more explanation and accuracy about bash dropping privileges.
  • -p option can be used to be sure to keep privileges when the bash spawns.

  • Your title says /bin/sh, but your code says /bin/bash. Which one is it? Related: stackoverflow.com/questions/13209215/…
    – Kusalananda
    Jun 21 at 9:15

  • Depends on the system as well as Debian for instance used to revert that behaviour with a patch for sh IIRC. Note that you can use bash -p to keep your euid/egid, but that would help if they have been dropped by the shell called by system() itself beforehand.
    – Stéphane Chazelas
    Jun 21 at 9:24

  • @Kusalananda So the system does drop privileges on a /bin/bash right?
    – Nark
    Jun 21 at 9:26

  • (sorry, it should be that would not help in my comment above)
    – Stéphane Chazelas
    Jun 21 at 9:32

  • Related: bugs.launchpad.net/ubuntu/+source/dash/+bug/1215660
    – Stéphane Chazelas
    Jun 21 at 10:23

asked Jun 21 at 9:03 by Nark, edited Jun 22 at 9:31

1 Answer
Current version



Recent versions of bash will drop privileges, unless it was started with -p. From the section of bash(1) describing the privileged mode:




If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p option is not supplied, [...] the effective user id is set to the real user id. If the -p option is supplied at startup, the effective user id is not reset. Turning this option off causes the effective user and group ids to be set to the real user and group ids.




Historical versions



You asked "From which version...?". The part of system() that you quote has been unchanged since the earliest revision available in the active git repository (version 1.70). That was checked in in 2004, and the comments indicate it was last modified in 2001.



Bash version 3 was released in 2004. That means that bash 2 would have been the current/latest version at the time. So effectively, it's saying "...bash version 2 or higher/newer", i.e. this has been the case since version 2.



To confirm for yourself, you could try to build some intermediate versions and test them, or consult the bash git repository. The lines responsible are:



  if (running_setuid && privileged_mode == 0)
    disable_priv_mode ();


Those have been there since version 2.0. Looking back to version 1.14.7, bash would only drop privileges when privileged mode was explicitly disabled with +p:



  case 'p':
    if (on_or_off == '+')
      {
        setuid (current_user.uid);
        setgid (current_user.gid);
        current_user.euid = current_user.uid;
        current_user.egid = current_user.gid;
      }

answered Jul 18 at 10:25 by JigglyNaga
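Added example, written for this page and not taken from the question, the answer or the bash sources: the defensive counterpart to what the answer describes. The privilege drop is a bash feature (disabled by -p) that /bin/dash and other /bin/sh implementations do not share, so a set-user-ID program must never rely on the shell it spawns to give privileges up. It should drop them itself, permanently, and verify the drop before any system() or exec call. The function names drop_privileges_permanently and privileges_dropped are this example's own choices; it uses only POSIX calls (setuid, setgid, seteuid, setegid, setgroups) plus Linux's rule that setuid() run by root resets the real, effective and saved IDs together.

```c
/*
 * Added example, not from the question or answer above and not from bash.
 * Drop privileges to the real user and group IDs, permanently, and verify
 * the drop by checking that the old effective IDs cannot be regained.
 * Function names are this example's own.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

/* 1 if the effective IDs already equal the real IDs, 0 otherwise. */
int privileges_dropped(void)
{
    return getuid() == geteuid() && getgid() == getegid();
}

/*
 * Set the effective (and, when running as root, the saved) user and group
 * IDs to the real IDs. Group IDs go first: once root is given up the
 * process can no longer change its groups. Returns 0 on a verified drop
 * (including the case where there was nothing to drop) and -1 on failure;
 * the caller must treat -1 as fatal and not go on to call system().
 */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Supplementary groups can only be cleared while still root; a
     * set-user-ID-root program must do this before giving root up. */
    if (!privileges_dropped() && old_euid == 0 && setgroups(1, &rgid) != 0)
        return -1;
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;

    /* Verify rather than trust: if the old effective ID can be restored,
     * the saved ID was not cleared (POSIX setuid() from a non-root
     * effective ID changes only the effective ID) and the drop is not
     * permanent. Succeeding here is itself the failure. */
    if (old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    if (old_euid != ruid && seteuid(old_euid) == 0)
        return -1;

    return privileges_dropped() ? 0 : -1;
}

int main(void)
{
    printf("before: uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    if (drop_privileges_permanently() != 0) {
        perror("drop_privileges_permanently");
        return 1;           /* never continue in an unverified privilege state */
    }
    printf("after:  uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    /* Whatever /bin/sh resolves to (bash, dash, or bash -p), the shell
     * system() starts now inherits unprivileged IDs. */
    return system("id") == 0 ? 0 : 1;
}
```

Run as an ordinary user the program reports the same uid and euid before and after and the drop is a no-op; installed set-user-ID root it reports euid=0 before and the real uid after, and the id the shell prints matches. The regain check is what distinguishes this from a bare setuid(getuid()): on a set-user-ID program owned by a non-root user, POSIX setuid() leaves the saved ID in place, the seteuid() back to the old ID succeeds, and the function correctly refuses to report success.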