# suid bit on executable won't spawn a root shell

## tarnai_t

Hi,

I've been trying to understand the concept of buffer overflows, and I tried to understand how the shellcode is executed. To start simple, I created the following program:

```
// shell.c
#include <stdlib.h>     // exit()
#include <unistd.h>     // execve()

int main(void){
  char *name[2];

  name[0] = "/bin/sh";          // program to run
  name[1] = 0x0;                // argv must be NULL-terminated
  execve(name[0], name, 0x0);   // argv = name, empty environment
  exit(0);                      // only reached if execve() fails
}
```

Now when I compile this code and

```
# chown root:root shell
# chmod 4755 shell
```

I would expect that when I run this as a regular user I get a root shell. What happens is that a shell with my user is spawned. On the other hand, when I compile this code

```
//suidshell.c
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>

int main(void) {
    printf(
        "Real      UID = %d\n"
        "Effective UID = %d\n"
        "Real      GID = %d\n"
        "Effective GID = %d\n",
        getuid (),
        geteuid(),
        getgid (),
        getegid()
    );
    return 0;
}
```

compile it, and set the owner and permissions as in the example above, I get this output:

```
Real      UID = 1001
Effective UID = 0
Real      GID = 100
Effective GID = 100
```

So it looks like there is some mechanism (in the kernel?) which prevents a suid program from executing a root shell. Is there any way to "switch" this off? I've learned, for example, that ASLR can be switched off with

```
# sysctl -w kernel.randomize_va_space=0
```

Thanks for the answers,

and kind regards

----------

## redagadir

The problem you have at the moment isn't related to memory protection.

Could you provide an `ls -l` of the setuid binary?

As for your tests, you may need to disable (if installed) Intel TXT/XD (BIOS level normally), SELinux, AppArmor, PaX-like implementations, grsecurity...

Last edited by redagadir on Wed Dec 21, 2011 9:07 am; edited 1 time in total

----------

## tarnai_t

*redagadir wrote:*

> The problem you have at the moment isn't related to memory protection.
>
> Could you provide an `ls -l` of the setuid binary?
>
> As for your tests, you may need to disable (if installed) Intel TXT/XD (BIOS level normally), SELinux, AppArmor, PaX-like implementations, grsecurity...

 

Hi, and thanks for your answer!

The permissions are set like this:

```
-rwsr-sr-x  1 root   root  8.0K Aug 11 17:08 shell
```

The OS is running in VMware. There is no SELinux installation or anything similar.

Cheers

----------

## mv

I have already had such an experience: just copying the original shell and changing owner/group and SUID doesn't give you a root shell. I suspect that the shell itself does some sanity checks at the beginning to prevent such obvious security mistakes.

Edit: Just tested: it seems bash makes such sanity checks; dash does not.

----------
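The behaviour mv describes is documented for bash: when it starts with an effective uid that differs from the real uid and the `-p` (privileged mode) option is not given, it resets the effective uid to the real uid before doing anything else. That is exactly the state shell.c hands it (real 1001, effective 0), so if `/bin/sh` is bash the root privilege is gone before the prompt appears. The usual fix in a setuid wrapper is to make the real, effective and saved ids all equal to the effective id before the `execve`, so the shell never sees a mismatch; this works for bash and dash alike. The following is an added example, not code from the thread; `bash_would_drop_privs` is a hypothetical helper that models bash's documented rule, and the wrapper uses `setreuid`/`setregid` (POSIX) rather than anything the original posts showed:

```c
// Added example: a setuid wrapper that keeps root even when /bin/sh is bash.
// Run as uid 1001 on a root-owned 4755 binary, the ids go from
// (ruid=1001, euid=0) to (ruid=0, euid=0) before the shell starts.
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical model of bash's documented startup rule: the effective uid
 * is reset to the real uid when the two differ and privileged mode (-p)
 * is off.  Returns 1 if bash would drop the privilege, 0 otherwise. */
int bash_would_drop_privs(uid_t ruid, uid_t euid, int privileged_mode)
{
    return (ruid != euid && !privileged_mode) ? 1 : 0;
}

/* Make real and effective (and, on Linux, saved) ids equal to the current
 * effective ids.  Group first, then user, the conventional order for id
 * changes.  Returns 0 on success, -1 on failure with errno set. */
int equalize_ids(void)
{
    uid_t euid = geteuid();
    gid_t egid = getegid();

    if (setregid(egid, egid) != 0)
        return -1;
    if (setreuid(euid, euid) != 0)
        return -1;
    return 0;
}

/* 1 if real and effective ids match, i.e. what the shell will check. */
int ids_equal(void)
{
    return (getuid() == geteuid() && getgid() == getegid()) ? 1 : 0;
}

int main(void)
{
    printf("before: ruid=%d euid=%d\n", (int)getuid(), (int)geteuid());

    if (equalize_ids() != 0) {
        perror("setreuid/setregid");
        return 1;
    }

    printf("after:  ruid=%d euid=%d\n", (int)getuid(), (int)geteuid());

    /* Same exec as shell.c, but now ruid == euid so bash keeps them. */
    char *argv[] = { "/bin/sh", NULL };
    char *envp[] = { NULL };
    execve(argv[0], argv, envp);

    perror("execve");   /* only reached if the exec fails */
    return 1;
}
```

Build and install it the same way as shell.c (`gcc -o shell shell.c && chown root:root shell && chmod 4755 shell`), then run it as a regular user: the "before" line shows ruid=1001 euid=0 and the "after" line shows 0/0, and `id` inside the spawned shell reports uid 0. Leaving `equalize_ids()` out and instead passing `-p` as the first argument to bash (`argv[] = { "/bin/bash", "-p", NULL }`) also keeps the effective uid, but only for bash; dash does not implement that option, so equalizing the ids is the portable route. Note that `setreuid` to your own uid always succeeds, so the program also runs unprivileged, it just has nothing to raise.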

