Bugtraq mailing list archives

Re: 7a69Adv#22 - UNIX unzip keep setuid and setgid files

From: Han Boetes <hanOUTOFOFFICETRAP () mijncomputer nl>
Date: Tue, 1 Mar 2005 05:04:26 +0100

John Simpson wrote:

this only works if the user un-zipping the file is already root.
otherwise it creates an "sh" binary which is setuid to the user
who unzipped the file. this kind of "exploit" is only useful if
you can somehow trick root into unzipping the file- it cannot be
used to gain root on a machine where you don't already have it.


If your homedir is worldreadable, which is pretty common practice
the other user can run the shell and get your useraccount.

although i will agree that having the unzip program warn the
user when creating a setuid or setgid file is a good idea in
general.


Lets take a look at how tar does it: it uses the p flag.

 -p   Preserve user and group ID as well as file mode regardless
      of the current umask(2).  The setuid and setgid bits are
      only preserved if the user is the superuser.  Only meaning-
      ful in conjunction with the -x flag.



# Han

Current thread:

7a69Adv#22 - UNIX unzip keep setuid and setgid files Albert Puigsech Galicia (Feb 28)
- Re: 7a69Adv#22 - UNIX unzip keep setuid and setgid files John Simpson (Feb 28)
  - Re: 7a69Adv#22 - UNIX unzip keep setuid and setgid files Han Boetes (Mar 01)
    - Re: 7a69Adv#22 - UNIX unzip keep setuid and setgid files devnull (Mar 01)
    - Re: 7a69Adv#22 - UNIX unzip keep setuid and setgid files exon (Mar 01)