Sex, Drugs & Unix



08/21/2006: "Yet another thing about the Maynor/Ellch affair"


David Shaw wrote in to ask a question:

One of the things that has bothered me since I first saw the video, and again when I got a chance to see the high-resolution version you provided: why does Maynor end up in a user directory after the code executes? If he has root access, wouldn't he be presented with the "root" of the system? And when he "cd"s to "Desktop", he isn't using "/Users/dave/Desktop"; he just types "Desktop".

David points out another "flaw" in the Maynor/Ellch magic show.

Yes, unless Maynor and Ellch took special care to set the working directory of the process (which is what the 'chdir()' system call does), they would end up in /, because that is the equivalent of "" (null) to the kernel as far as "what directory is this process in?" is concerned.

Normally the 'login' process does the 'chdir($HOME)' before it execs the user's shell (Maynor's is bash).

They could do this with remote exploit code, of course. (They could even run as a non-zero UID.) However, I don't know of any "remote exploit" code that does this, since it's simple to drop the privs from a root shell, and ... getting root was the point, no?

The point here is, the "remote shell" is (or at least appears to be) running as a user named "david", in David's home directory.
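To see the mechanism behind that observation (a chdir() before the exec is what puts a shell in $HOME; without one the shell simply inherits its parent's directory, and a process started from nowhere inherits /), here is an added C demonstration that is not part of the original post and has nothing to do with Maynor and Ellch's own code. It forks a /bin/sh that reports its working directory, once with no chdir() and once after a chdir(), the way login does; $HOME stands in for the passwd entry login would actually consult.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Spawn /bin/sh running "pwd -P" and return what it reports as its working
 * directory.  With home == NULL the child is started the way a bare payload
 * would start it: fork+exec with no chdir(), so it inherits the parent's cwd.
 * With a non-NULL home the child first does chdir(home), mimicking what
 * login(1) does before exec'ing the user's shell.
 * Returns 0 and fills buf on success, -1 on failure. */
int spawn_shell_cwd(const char *home, char *buf, size_t len) {
    int fd[2];
    if (pipe(fd) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {                         /* child */
        close(fd[0]);
        if (home != NULL && chdir(home) == -1) _exit(127);
        if (dup2(fd[1], STDOUT_FILENO) == -1) _exit(127);
        close(fd[1]);
        execl("/bin/sh", "sh", "-c", "pwd -P", (char *)NULL);
        _exit(127);                         /* only reached if exec fails */
    }
    close(fd[1]);                           /* parent: collect the child's output */
    size_t got = 0;
    ssize_t n;
    while (got < len - 1 && (n = read(fd[0], buf + got, len - 1 - got)) > 0)
        got += (size_t)n;
    close(fd[0]);
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0 || got == 0) return -1;
    buf[got] = '\0';
    if (buf[got - 1] == '\n') buf[got - 1] = '\0';
    return 0;
}

int main(void) {
    char cwd[4096];
    if (chdir("/") == -1) return 1;         /* start where a kernel-spawned process would */
    if (spawn_shell_cwd(NULL, cwd, sizeof cwd) == 0)
        printf("no chdir():         shell is in %s\n", cwd);
    const char *home = getenv("HOME");      /* $HOME stands in for the passwd entry */
    if (home && spawn_shell_cwd(home, cwd, sizeof cwd) == 0)
        printf("chdir($HOME) first: shell is in %s\n", cwd);
    return 0;
}
```

A shell that shows up sitting in a user's Desktop therefore implies something did that chdir() for it, which is the detail David noticed.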