Privileged mode in bash

From the bash info page:

`-p'

      Turn on privileged mode.  In this mode, the `$BASH_ENV' and
      `$ENV' files are not processed, shell functions are not
      inherited from the environment, and the `SHELLOPTS',
      `BASHOPTS', `CDPATH' and `GLOBIGNORE' variables, if they
      appear in the environment, are ignored.  If the shell is
      started with the effective user (group) id not equal to the
      real user (group) id, and the `-p' option is not supplied,
      these actions are taken and the effective user id is set to
      the real user id.  If the `-p' option is supplied at startup,
      the effective user id is not reset.  Turning this option off
      causes the effective user and group ids to be set to the real
      user and group ids.

This says that the -p option lets bash keep the effective userid it is launched with, whereas without it, it will set the effective uid to the actual uid (your user). This will allow the setuid bit to be effective in allowing bash to retain the user it is setuid to. You will note that with the -p option, a host of files and variables are ignored and not inherited from the parent shell.
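
The audit sketch below is an added example, not part of the original answer. It sorts files by the two facts this thread turns on: whether the set-uid bit is actually honoured (Linux ignores it on `#!` scripts) and whether the interpreter line asks bash for `-p`. The helper names `classify` and `audit_dir` and the verdict labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page. classify and audit_dir are
# hypothetical helper names; the verdict words are made up for this sketch.

# classify SUID FIRST_LINE
#   SUID        1 if the file has the set-uid bit, else 0
#   FIRST_LINE  first line of the file ("#!..." for a script)
classify() {
    case $2 in
        '#!'*bash*' -p'*) kind=bash_p ;;   # heuristic match on the #! line
        '#!'*)            kind=script ;;
        *)                kind=binary ;;
    esac
    case $1:$kind in
        # Linux ignores set-uid on "#!" scripts: bash starts with
        # euid == ruid, so -p has no elevated id to keep.
        1:bash_p) echo suid-ignored-p-moot ;;
        1:script) echo suid-ignored ;;
        # Honoured by the kernel. A bash started beneath it has
        # euid != ruid: plain bash resets euid, bash -p keeps it.
        1:binary) echo suid-binary-review ;;
        # No set-uid: -p only skips $BASH_ENV/$ENV, imported functions,
        # SHELLOPTS, BASHOPTS, CDPATH and GLOBIGNORE.
        0:bash_p) echo p-env-only ;;
        *)        echo ok ;;
    esac
}

# audit_dir DIR: print "verdict<TAB>path" for every file that is not "ok".
audit_dir() {
    find "$1" -type f | while IFS= read -r f; do
        if [ -u "$f" ]; then suid=1; else suid=0; fi
        # Read at most 128 bytes and drop NULs so binaries are safe to test.
        first=$(dd if="$f" bs=128 count=1 2>/dev/null | tr -d '\000' | head -n 1)
        verdict=$(classify "$suid" "$first")
        [ "$verdict" = ok ] || printf '%s\t%s\n' "$verdict" "$f"
    done
}

# Constructed sample: the question's script, without the set-uid bit.
demo=$(mktemp -d)
printf '#! /bin/bash -p\nping 192.168.1.1\n' > "$demo/privileged.sh"
audit_dir "$demo"
rm -rf "$demo"
```

Files reported as `suid-binary-review` are the ones where `-p` matters: check that they call helpers by absolute path with a fixed `PATH`, since any bash started beneath them with `-p` keeps the elevated effective uid.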

Author by

sebelk

Updated on September 18, 2022

Comments

  • sebelk
    sebelk almost 2 years

    I've used bash for years but I've got stuck on the "privileged mode" that can be configured with the set command.

    For example:

    set -p
    

    I've read the bash man page but it's somewhat obscure.

    For example, let's consider the following script:

    #! /bin/bash -p
    ping 192.168.1.1
    

    the permission of this file is as follows:

    -rwxr-xr-x. 1 root operador 80 mar 2 23:20 /scripts/privileged.sh

    And then as a non-root user I run /scripts/privileged.sh

    So I run:

     ps -Cping -ocomm,egroup,euser,ruser,ruser,rgroup
    COMMAND         EGROUP   EUSER    RUSER    RUSER    RGROUP
    ping            operador operador operador operador operador
    

    OK, you can change the mode, but anyway Linux drops privileges:

    [root@server ~]#  chmod 4755 /scripts/privileged.sh 
    [root@server ~]# ls -l /scripts/privileged.sh
    -rwsr-xr-x. 1 root operador 79 mar  2 23:33 /scripts/privileged.sh
    

    So I run the script as non-root user, and then I get:

    [root@server ~]# ps -Cping -ocomm,egroup,euser,ruser,ruser,rgroup
    COMMAND         EGROUP   EUSER    RUSER    RUSER    RGROUP
    ping            operador operador operador operador operador
    

    So I've found this option useless, please could you correct me, if I misunderstood anything?

  • sebelk
    sebelk over 10 years
    But I've made some tests and I didn't see any difference running ps -o comm,euid,ruid -a. I don't understand if that applies to suid shell scripts, and where that option should be used to test it: by the user that runs the shell script? In the shell script header (#!/bin/bash -p)? On the bash binary with suid (which should be a disaster)? Please could you enlighten me? Thanks!
  • vonbrand
    vonbrand over 10 years
    It is way too easy to break into a shell script, so I'd nuke this option for security reasons. Maybe it is (halfways) disabled for OP...
  • sebelk
    sebelk over 10 years
    Sorry, thanks for your efforts to explain. I've read the manpages; as I said, I've made tests and I don't see any difference at all. I will edit my question...
  • sebelk
    sebelk over 10 years
    Anyway, in Linux I haven't noticed any difference, even committing the madness of chmoding /bin/bash.
  • rubo77
    rubo77 over 4 years
    So how do you turn it on and how do you turn it off? If you provide #!/bin/bash -p at the start, is it then on or off?
  • Rodrigo Murillo
    Rodrigo Murillo over 2 years
    I used this switch in a pentest exploit, where I used path insertion to run a local script I named 'tar', superseding the system 'tar'. The 'tar' command was invoked by an executable file with the suid bit set to allow a non-privileged user to run the process as root. My crafted 'tar' script only had one line: '/bin/bash -p'. After executing it as a non-privileged user, my shell gained root privilege. The -p allowed the process to retain the root UID after the process exited. I think this is what Hauke is referring to below.