public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] SUID
@ 2009-03-02  8:29 Hinko Kocevar
  2009-03-02  8:43 ` Tomáš Krasničan
  2009-03-02  8:50 ` [gentoo-user] SUID ABCD
  0 siblings, 2 replies; 4+ messages in thread
From: Hinko Kocevar @ 2009-03-02  8:29 UTC (permalink / raw
  To: gentoo-user

Hi,

I'm trying to touch a file in /sbin during boot time
and would like to do that with a normal user by running
SUIDed shell script.
I have the following script:
hinkok@alala /tmp $ cat test.sh 
#!/bin/sh

touch /sbin/foo.bar
exit $?

hinkok@alala /tmp $ sudo chmod +x test.sh 
hinkok@alala /tmp $ sudo chown root:root test.sh 
hinkok@alala /tmp $ sudo chmod +s test.sh 
hinkok@alala /tmp $ ls -l test.sh 
-rwsr-sr-x 1 root root 32 Mar  2 09:27 test.sh
hinkok@alala /tmp $ sh -x test.sh 
+ touch /sbin/foo.bar
touch: cannot touch `/sbin/foo.bar': Permission denied

Can somebody help me with that?

Thank you!

Best regards,
Hinko
-- 
Hinko Kočevar, OSS developer
ČETRTA POT, d.o.o.
Planina 3, 4000 Kranj, SI EU
tel     ++386 (0) 4 280 66 03
e-mail  hinko.kocevar@cetrtapot.si
http    www.cetrtapot.si





* Re: [gentoo-user] SUID
  2009-03-02  8:29 [gentoo-user] SUID Hinko Kocevar
@ 2009-03-02  8:43 ` Tomáš Krasničan
  2009-03-02  8:50 ` [gentoo-user] SUID ABCD
  1 sibling, 0 replies; 4+ messages in thread
From: Tomáš Krasničan @ 2009-03-02  8:43 UTC (permalink / raw
  To: gentoo-user


Hi,

#! scripts cannot run as suid.

Regards,
krasko

Hinko Kocevar wrote:
> Hi,
> 
> I'm trying to touch a file in /sbin during boot time
> and would like to do that with a normal user by running
> SUIDed shell script.
> I have the following script:
> hinkok@alala /tmp $ cat test.sh 
> #!/bin/sh
> 
> touch /sbin/foo.bar
> exit $?
> 
> hinkok@alala /tmp $ sudo chmod +x test.sh 
> hinkok@alala /tmp $ sudo chown root:root test.sh 
> hinkok@alala /tmp $ sudo chmod +s test.sh 
> hinkok@alala /tmp $ ls -l test.sh 
> -rwsr-sr-x 1 root root 32 Mar  2 09:27 test.sh
> hinkok@alala /tmp $ sh -x test.sh 
> + touch /sbin/foo.bar
> touch: cannot touch `/sbin/foo.bar': Permission denied
> 
> Can somebody help me with that?
> 
> Thank you!
> 
> Best regards,
> Hinko




* [gentoo-user]  Re: SUID
  2009-03-02  8:29 [gentoo-user] SUID Hinko Kocevar
  2009-03-02  8:43 ` Tomáš Krasničan
@ 2009-03-02  8:50 ` ABCD
  2009-03-02  9:18   ` Hinko Kocevar
  1 sibling, 1 reply; 4+ messages in thread
From: ABCD @ 2009-03-02  8:50 UTC (permalink / raw
  To: gentoo-user


Hinko Kocevar wrote:
> Hi,
> 
> I'm trying to touch a file in /sbin during boot time
> and would like to do that with a normal user by running
> SUIDed shell script.
> I have the following script:
> hinkok@alala /tmp $ cat test.sh 
> #!/bin/sh
> 
> touch /sbin/foo.bar
> exit $?
> 
> hinkok@alala /tmp $ sudo chmod +x test.sh 
> hinkok@alala /tmp $ sudo chown root:root test.sh 
> hinkok@alala /tmp $ sudo chmod +s test.sh 
> hinkok@alala /tmp $ ls -l test.sh 
> -rwsr-sr-x 1 root root 32 Mar  2 09:27 test.sh
> hinkok@alala /tmp $ sh -x test.sh 
> + touch /sbin/foo.bar
> touch: cannot touch `/sbin/foo.bar': Permission denied
> 
> Can somebody help me with that?
> 
> Thank you!
> 
> Best regards,
> Hinko

Linux does not support s[ug]id scripts, however, you can emulate the
effect of it using sudo - in your shell script, do the following:

    #!/bin/sh
    [ $(id -u) -ne 0 ] && exec sudo "$0" "$@"

    # put the rest of the script here

and add a line to /etc/sudoers that reads:

    ALL ALL=NOPASSWD: /path/to/script

This will allow any user (the first "ALL") from any host (the second
"ALL") to run /path/to/script as root:root without any authentication,
by simply calling /path/to/script (or just "script", if it happens to be
in the $PATH).

NB - I haven't actually tried this recently, so I might be wrong on some
of the specifics, but the general idea should hold.

Also, if you want to restrict *who* can run the script, you can change
the first "ALL" to something else, see sudoers(5) for details - also you
can restrict *where* it can be run by changing the second "ALL".

If you want to make the user enter *their own* password, remove the
"NOPASSWD:".  If you want to make the user enter *root's* password, read
the man page - I don't remember the option, but I know there is one.

-- 
ABCD




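The wrapper ABCD sketches, carried through as a complete script. This is an added example, not code from the thread or from Gentoo; the install path /usr/local/sbin/touch-foo.sh and the sudoers file /etc/sudoers.d/touch-foo are assumptions. Two caveats the sketch leaves out: sudo executes whatever the file contains at the moment it runs, so a script that a non-root user can edit becomes root for that user, and "$0" may be a relative path or a stray copy rather than the absolute path the sudoers rule names. The script below therefore refuses to escalate when the file is group- or world-writable, re-execs the absolute installed path with `sudo -n` so a missing rule fails instead of prompting, hard-codes the target instead of accepting one as an argument (any user could otherwise touch any file as root), and takes no arguments so the sudoers entry can end in `""` to forbid them.

```shell
#!/bin/sh
# Added example, not code from the thread: a hardened version of the
# "re-exec through sudo when not root" wrapper described above.
# Assumed install path; it must match the sudoers rule exactly:
#   ALL ALL=NOPASSWD: /usr/local/sbin/touch-foo.sh ""
# (the trailing "" allows the command only when called with no arguments).
# Check the rule before enabling it:  visudo -cf /etc/sudoers.d/touch-foo
SCRIPT_SELF="/usr/local/sbin/touch-foo.sh"
TARGET="/sbin/foo.bar"   # hard-coded on purpose: never take this from the caller

# Return 0 when the effective uid is 0.
is_root() {
    [ "$(id -u)" -eq 0 ]
}

# Return 0 when the file exists and is writable by neither group nor others.
# Parses the ls(1) mode string (e.g. -rwxr-xr-x) so it works on GNU and BSD
# userlands alike: character 6 is the group write bit, character 9 the others'.
not_writable_by_others() {
    mode=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || return 1
    case "$mode" in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# The privileged work itself, isolated so it can be exercised on a scratch
# TARGET without touching /sbin.
privileged_action() {
    touch "$TARGET"
}

main() {
    if ! is_root; then
        # sudo runs whatever the file contains at that moment, so refuse if
        # a non-root user could have edited it.
        if ! not_writable_by_others "$SCRIPT_SELF"; then
            echo "refusing to escalate: $SCRIPT_SELF is group- or world-writable" >&2
            exit 1
        fi
        # -n: never prompt; fail at once if no NOPASSWD rule matches.
        # Pass the absolute installed path, not "$0", which may be relative
        # or point at a different copy of the script.
        exec sudo -n -- "$SCRIPT_SELF"
    fi
    privileged_action
}

# Run main only when executed as the installed script, so the functions can
# also be sourced (for instance by a test) without side effects.
case "$0" in
    */touch-foo.sh|touch-foo.sh) main "$@" ;;
esac
```

Install the file root-owned with mode 0755, add the rule with visudo, and any user (including an unprivileged boot-time service) can then run /usr/local/sbin/touch-foo.sh without a password prompt; with the rule removed, `sudo -n` exits with an error instead of hanging on a prompt.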

* Re: [gentoo-user]  Re: SUID
  2009-03-02  8:50 ` [gentoo-user] SUID ABCD
@ 2009-03-02  9:18   ` Hinko Kocevar
  0 siblings, 0 replies; 4+ messages in thread
From: Hinko Kocevar @ 2009-03-02  9:18 UTC (permalink / raw
  To: gentoo-user

ABCD wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hinko Kocevar wrote:
>> Hi,
>>
>> I'm trying to touch a file in /sbin during boot time
>> and would like to do that with a normal user by running
>> SUIDed shell script.
>> I have the following script:
>> hinkok@alala /tmp $ cat test.sh 
>> #!/bin/sh
>>
>> touch /sbin/foo.bar
>> exit $?
>>
>> hinkok@alala /tmp $ sudo chmod +x test.sh 
>> hinkok@alala /tmp $ sudo chown root:root test.sh 
>> hinkok@alala /tmp $ sudo chmod +s test.sh 
>> hinkok@alala /tmp $ ls -l test.sh 
>> -rwsr-sr-x 1 root root 32 Mar  2 09:27 test.sh
>> hinkok@alala /tmp $ sh -x test.sh 
>> + touch /sbin/foo.bar
>> touch: cannot touch `/sbin/foo.bar': Permission denied
>>
>> Can somebody help me with that?
>>
>> Thank you!
>>
>> Best regards,
>> Hinko
> 
> Linux does not support s[ug]id scripts, however, you can emulate the

Hmm, I was not aware of that..

> effect of it using sudo - in your shell script, do the following:
> 
>     #!/bin/sh
>     [ $(id -u) -ne 0 ] && exec sudo "$0" "$@"
> 
>     # put the rest of the script here
> 
> and add a line to /etc/sudoers that reads:
> 
>     ALL ALL=NOPASSWD: /path/to/script
> 
> This will allow any user (the first "ALL") from any host (the second
> "ALL") to run /path/to/script as root:root without any authentication,
> by simply calling /path/to/script (or just "script", if it happens to be
> in the $PATH).
> 
> NB - I haven't actually tried this recently, so I might be wrong on some
> of the specifics, but the general idea should hold.
> 
> Also, if you want to restrict *who* can run the script, you can change
> the first "ALL" to something else, see sudoers(5) for details - also you
> can restrict *where* it can be run by changing the second "ALL".
> 
> If you want to make the user enter *their own* password, remove the
> "NOPASSWD:".  If you want to make the user enter *root's* password, read
> the man page - I don't remember the option, but I know there is one.
> 

Thanks for detailed info!

Best regards,
Hinko

-- 
Hinko Kočevar, OSS developer
ČETRTA POT, d.o.o.
Planina 3, 4000 Kranj, SI EU
tel     ++386 (0) 4 280 66 03
e-mail  hinko.kocevar@cetrtapot.si
http    www.cetrtapot.si




