I have a simple bash script 'bash.sh' that starts another bash instance using pkexec.
#!/bin/bash
bash -c 'pkexec bash'
When executed this shows a prompt for the user to enter their password. The main script 'bash.sh' runs as a normal user, but the bash instance started by it runs as root with elevated privileges.
When I open a terminal window and try to write some command to the standard input of the elevated bash process it throws a permission error (as expected).
echo 'echo hello' > /proc/<child-bash-pid>/fd/0
The problem is that when I write to the parent process ('bash.sh') it gets passed to the child bash process, which then executes the command.
echo 'echo hello' > /proc/<parent-bash.sh-pid>/fd/0
I'm not able to understand how this is possible. Since the parent is running as a normal user, why am I (a normal user) allowed to pass commands to the child process, which is running with higher privileges?
I understand the fact that the standard input of the child process is connected to the standard input of the parent script, but if this is allowed then any ordinary process can execute root commands by writing to the parent process of a rooted bash process.
This does not seem logical. What am I missing?
Note: I verified that the child is executing the command passed to the parent by deleting a file in /usr/share which only root would have permission to do.
sudo touch /usr/share/testfile
echo 'rm -f /usr/share/testfile' > /proc/<parent-bash.sh-pid>/fd/0
The file was deleted successfully.
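The two mechanisms behind the behaviour in the question, stdin inheritance and the /proc permission check, can be observed without any privileged process at all. The script below is an added example, not part of the question, and uses only unprivileged shells: it gives a parent bash a known stdin and shows that a child started with `bash -c` reports the same file for its descriptor 0, then pipes a line into a parent shell and shows that the inner bash is what reads and runs it. The `fd0_target 1` call at the end is there only to show the "Permission denied" that /proc gives a normal user for another uid's process; pid 1 is assumed to be owned by root.

```bash
#!/bin/bash
# Added example (not from the original question). Demonstrates, with
# unprivileged shells only, the two facts the question turns on:
#   1. a child started by a shell inherits the shell's file descriptor 0, so
#      /proc/<parent>/fd/0 and /proc/<child>/fd/0 resolve to the same file;
#   2. whatever is written into that shared stdin is read by whichever
#      process reads from it next, here the inner bash.

# Resolve where fd 0 of a process points. This fails with "Permission denied"
# when the process belongs to another uid (e.g. a root shell): /proc/<pid>/fd is
# guarded by the kernel's ptrace access check on the *process*, not by the mode
# of the file the descriptor refers to. That is the error seen on the child.
fd0_target() {
    readlink "/proc/$1/fd/0"
}

# Give a parent shell a known stdin (the file named in $1) and have both that
# shell and a child 'bash -c' report their own fd 0 target. Prints the target
# and returns 0 when parent and child agree, 1 otherwise.
child_inherits_fd0() {
    local out parent child
    # The script is single-quoted, so each $$ is expanded by the shell that
    # runs it: the outer bash for "parent", the inner bash for "child".
    out=$(bash -c '
        parent=$(readlink "/proc/$$/fd/0")
        child=$(bash -c "readlink /proc/\$\$/fd/0")
        printf "%s %s\n" "$parent" "$child"
    ' < "$1")
    parent=${out% *}
    child=${out#* }
    [ -n "$parent" ] && [ "$parent" = "$child" ] && echo "$parent"
}

# Write a line into the parent shell's stdin (a pipe here). The parent does not
# read it; the inner bash, which inherited the pipe, reads and executes it.
child_runs_piped_input() {
    printf 'echo hello-from-inner-bash\n' | bash -c 'bash'
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    child_inherits_fd0 /dev/null >/dev/null \
        && echo "parent and child fd 0 both resolve to /dev/null"
    child_runs_piped_input
    # For a process owned by another uid the lookup is refused unless we are
    # root; pid 1 is assumed to be a root-owned process here.
    fd0_target 1 2>/dev/null \
        || echo "cannot inspect fd 0 of pid 1 (ptrace access check), as expected for a non-root user"
fi
```

Run it as a normal user: the first two lines of output show that the inner shell shares, and reads from, the descriptor the outer shell was given, while the last line shows that the refusal on the elevated child is a property of reading another uid's /proc entry, not of the terminal or pipe behind descriptor 0.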