Re: suid scripts
Setuid and setgid don't do anything for scripts, since the script isn't
actually the thing that is being executed. What is being executed is the
shell that then reads the script file, so if you wanted to do that you'd
have to make the shell a setuid shell and place the path to it as the first
line of the script as #!/path/to/shell. Note that while you could do that,
it'd be completely insecure... then anyone could run that same shell with
any script they want to and all their scripts could be suid... which
basically gives everyone root access... which I guess is not good.

So in short, to do suid stuff you need to write an actual compiled program,
such as in C or C++, or you have to use a wrapper written in C or C++ that runs
setuid to root and then checks some parameters to change the id to what you
want before invoking a shell to execute a script with its id (which is what
Apache does to run user scripts, if you have it configured that way). Hope
that helps,
Thanks,
Thomas.
At 03:41 PM 11/4/00, Francis A. Holop wrote:
>hello list,
>
>i am quite nervous posting after all this "joe blow" incident...
>on the other hand, i don't think that that volunteer firefighter
>would travel 20h just to smack my head.
>my really strange question:
>
>kripel> cat suid
>id
>kripel> sudo chmod +s ./suid
>kripel> ls -la ./suid
>-rwsr-sr-x 1 root wheel 21 Nov 4 23:17 ./suid
>kripel> ./suid
>uid=1001(fred) gid=10(users) groups=10(users), 0(wheel)
>
>or for the more "joe blow" types, the suid bit doesn't seem
>to be working for me. the "/" is _not_ mounted as "nosuid".
>as you can see i am a "wheel" member.
>obviously i am missing something stupid. make me blush please...
>
>-f
>
>ps. joe blow, please don't get angry, you are the sacrifice on the
> altar of learning for the generations next to come. forever amen.
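
A sketch of the kind of C wrapper the reply describes, as an added example that is not part of the original thread and is not Apache's implementation. The opt-in policy (honor `chmod u+s` on the script, refuse root-owned and group- or world-writable files), the fixed `PATH`, and the names `script_allowed` and `drop_privs` are assumptions.

```c
/* Added example: setuid-root wrapper sketch; the policy is an assumption. */
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed policy: the owner opted in with chmod u+s, the file is a regular
 * file only its owner can write, and it never runs as root. */
int script_allowed(const struct stat *st)
{
    if (!S_ISREG(st->st_mode) || !(st->st_mode & S_ISUID)) return 0;
    if (st->st_uid == 0) return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Drop root for good: groups, then gid, then uid, then verify. */
int drop_privs(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;   /* regaining root must fail */
}

int main(int argc, char **argv)
{
    char *sh_argv[] = { "sh", "-s", NULL };
    char *sh_envp[] = { "PATH=/usr/bin:/bin", NULL };  /* fixed environment */
    struct stat st;
    struct passwd *pw;
    int fd;

    if (argc != 2) { fprintf(stderr, "usage: %s script\n", argv[0]); return 2; }
    fd = open(argv[1], O_RDONLY | O_NOFOLLOW);
    /* fstat() the descriptor, so the file checked is the file executed */
    if (fd < 0 || fstat(fd, &st) != 0) { perror(argv[1]); return 1; }
    if (!script_allowed(&st) || !(pw = getpwuid(st.st_uid))) {
        fprintf(stderr, "%s: refused\n", argv[1]);
        return 1;
    }
    if (drop_privs(pw) != 0) { perror("drop_privs"); return 1; }
    if (dup2(fd, STDIN_FILENO) < 0) { perror("dup2"); return 1; }
    execve("/bin/sh", sh_argv, sh_envp);  /* sh reads the checked file on stdin */
    perror("execve");
    return 1;
}
```

Because the shell reads the checked descriptor on standard input, the script cannot be swapped between the check and the exec, and it also cannot read input from the caller.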
- References:
- suid scripts
- From: "Francis A. Holop" <fred@kripel.unitra.sk>