Overview
If a script runs as root and imports a Python module, you can hijack that import by placing a malicious module earlier in the search path.Python Module Search Order
Find Target Scripts
Scripts Running as Root
Check Imports
Same Directory Hijack
If root script at/opt/script.py imports utils:
/opt/ is writable:
/tmp/rootbash -p.
Writable Library Path
Check if any directory in Python path is writable:PYTHONPATH Injection
If sudo preserves PYTHONPATH:Writable .py File (Direct Edit)
If the imported module itself is writable:.pth File Injection
.pth files in site-packages directories add paths to sys.path. Lines starting with import are executed.
Check if writable:
pip Install Hijack
If user can runpip install as root or root runs pip automatically:
Malicious setup.py
Quick Reference
| Scenario | Technique |
|---|---|
| Script directory writable | Drop module in same dir |
| Python lib path writable | Drop module in lib path |
| PYTHONPATH preserved in sudo | Set PYTHONPATH to hijack dir |
| .pth file writable | Inject import os; os.system(...) |
| pip as root | Malicious setup.py |