bash security subshell privilege-elevation privilege-escalation

Run a subshell as root


Consider you have a Linux/UNIX machine with Bash. You have a file secret.txt that only root can read. You want to use a command that takes a string as an argument, say,

sample-command <string>

Log in as a root user and run the command using the first line of the text file:

root ~ $ sample-command $(sed '1!d' secret.txt)

Can this be done by non-root, sudoer users?

Note. sudo sh -c "<command>" doesn't help since subshells don't carry over the root/sudo privilege. For example,

sarah ~ $ sudo sh -c "echo $(whoami)"

gives you sarah, not root.


Solution

  • Expansions like command substitution will be processed by the shell before executing the actual command line:

    sudo sh -c "echo $(whoami)"
    foouser
    

    Here the shell will first run whoami, as the current user, replace the expansion by its result and then execute

    sudo sh -c "echo foouser"
    

    Expansions don't happen within single quotes:

    sudo sh -c 'echo "$(whoami)"'
    root
    

    In this example $(whoami) won't get processed by the calling shell because it appears within single quotes. $(whoami) will therefore get expanded by the subshell before calling echo.
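
Added example (not part of the original answer): a POSIX sh sketch that makes the expansion point visible with `$$` and applies the single-quote form to the question's `sample-command` case, passing the command and file name as positional parameters rather than splicing them into the command string. `ELEVATE`, `pid_seen_double`, `pid_seen_single` and `run_with_first_line` are names invented for this example.

```shell
#!/bin/sh
# Added example. ELEVATE is an assumption of this sketch: it defaults to sudo,
# and can be set to an empty string to watch the quoting behaviour without root.
: "${ELEVATE=sudo}"

# Double quotes: the CALLING shell expands $$ (and any $(...)) before sudo
# starts, so the inner shell only ever sees the finished text.
pid_seen_double() {
    $ELEVATE sh -c "echo $$"
}

# Single quotes: the text reaches the inner shell untouched and is expanded
# there, i.e. with whatever identity $ELEVATE gave that shell.
pid_seen_single() {
    $ELEVATE sh -c 'echo $$'
}

# run_with_first_line CMD FILE
# Reads line 1 of FILE inside the elevated shell and passes it to CMD as one
# argument. CMD and FILE travel as positional parameters ($1, $2), never as
# part of the command string, so their content is not parsed as shell code.
run_with_first_line() {
    $ELEVATE sh -c '
        line=$(sed "1!d" "$2") || exit 1   # stop if FILE cannot be read
        exec "$1" "$line"                  # quoted: no splitting, no globbing
    ' sh "$1" "$2"
}
```

With the default `ELEVATE=sudo`, `run_with_first_line sample-command secret.txt` performs both the read and the command as root, so sudoers rules that allow `sh` effectively allow any command.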