@MKo-xx
Created March 31, 2011 15:42
$ echo -e "#"\!"/bin/dash\nwhoami" | sudo tee a.sh # create a script
#!/bin/dash
whoami
$ sudo chmod +x a.sh # add executable flag
$ ll # see root is the owner
...
-rwxr-xr-x 1 root root 19 2011-03-31 20:32 a.sh*
$
$ ./a.sh # it will print my username
<my user name>
$ sudo chmod +s a.sh # set the setuid bit on the script
$ ./a.sh # surprisingly it prints my username again.
<my user name>
$ # The cause of the above behavior is that
$ # a.sh is not actually executed itself:
$ # /bin/dash is called with a.sh as its argument,
$ # so we need to add +s to /bin/dash
$ sudo chmod +s /bin/dash # set the setuid bit on dash
$ ./a.sh # now it gives root
root
$
$ sudo rm -rf * # remove all
$ echo -e "#"\!"/bin/dash\nwhoami" > a.sh # create a script
$ chmod +x ./a.sh # add executable flag
$ ll # now I am the owner
-rwxr-xr-x 1 <user name> <group name> 19 2011-03-31 20:30 a.sh
$
$ ./a.sh # it gives root again, because /bin/dash is setuid
root
$
$ # Finally, don't forget to restore the original permissions of dash
$ sudo chmod -s /bin/dash
$
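
An added audit example (not part of the original gist) for spotting the two states the session above creates: a setuid bit left on a `#!` script, and a setuid bit on the interpreter itself. The names `audit_setuid`, `is_listed_shell` and `SHELLS_FILE` are this example's own; it assumes `find`, `head -c` and `readlink -f` are available.

```sh
# Added example, not from the gist. audit_setuid, is_listed_shell and
# SHELLS_FILE are names made up for this example.

# True if $1 resolves to the same file as an entry in the shells list.
is_listed_shell() {
    local target list line
    list=${SHELLS_FILE:-/etc/shells}
    [ -r "$list" ] || return 1
    target=$(readlink -f -- "$1") || return 1
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$(readlink -f -- "$line" 2>/dev/null)" = "$target" ] && return 0
    done < "$list"
    return 1
}

# audit_setuid DIR...: print one line per setuid/setgid regular file.
#   SCRIPT path - file starts with "#!"; Linux ignores the bit (the second
#                 ./a.sh run in the gist), but it points to a misconfiguration
#   SHELL path  - a setuid/setgid interpreter from the shells list, the state
#                 the gist creates with "chmod +s /bin/dash"
#   OTHER path  - any other setuid/setgid file, to compare with a baseline
audit_setuid() {
    local f magic
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # First two bytes; NULs are dropped so the shell can hold the value.
        magic=$(head -c 2 -- "$f" 2>/dev/null | tr -d '\0')
        if [ "$magic" = '#!' ]; then
            echo "SCRIPT $f"
        elif is_listed_shell "$f"; then
            echo "SHELL $f"
        else
            echo "OTHER $f"
        fi
    done
}

# Usage: audit_setuid /bin /usr/bin /usr/local/bin
```

Any `SHELL` line deserves immediate attention: as the session shows, once the interpreter is setuid, a script owned by an unprivileged user also ran as root.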