Well, well, wasn't that discussion on setuid root interesting! For you, the reader, who's thinking like a hacker (good for you!), why not do this to gain the ultimate prize, a root shell!
- Write a C program to spawn a shell (the system(3) library API makes this trivial); we call the code rootsh_hack1.c. We want a root shell as the outcome!
- Compile it to get a.out. If we run a.out now, no big deal; we'll get a shell with the same privileges that we already have. So instead try this:
- Change permissions with chmod(1) to set the setuid bit.
- Change ownership with chown(1) of a.out to root.
- Run it: we should now get a root shell.
Wow! Let's try this out!
The code is simple (we don't show the header inclusion here):
$ cat rootsh_hack1.c ...