From: Hinko Kocevar <hinko.kocevar@cetrtapot.si>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: SUID
Date: Mon, 02 Mar 2009 10:18:06 +0100
Message-ID: <49ABA44E.9000200@cetrtapot.si>
In-Reply-To: <gog6l3$mpf$1@ger.gmane.org>
ABCD wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hinko Kocevar wrote:
>> Hi,
>>
>> I'm trying to touch a file in /sbin during boot time
>> and would like to do that with a normal user by running
>> SUIDed shell script.
>> I have following script:
>> hinkok@alala /tmp $ cat test.sh
>> #!/bin/sh
>>
>> touch /sbin/foo.bar
>> exit $?
>>
>> hinkok@alala /tmp $ sudo chmod +x test.sh
>> hinkok@alala /tmp $ sudo chown root:root test.sh
>> hinkok@alala /tmp $ sudo chmod +s test.sh
>> hinkok@alala /tmp $ ls -l test.sh
>> -rwsr-sr-x 1 root root 32 Mar 2 09:27 test.sh
>> hinkok@alala /tmp $ sh -x test.sh
>> + touch /sbin/foo.bar
>> touch: cannot touch `/sbin/foo.bar': Permission denied
>>
>> Can somebody help me with that?
>>
>> Thank you!
>>
>> Best regards,
>> Hinko
>
> Linux does not support s[ug]id scripts, however, you can emulate the
Hmm, I was not aware of that...
> effect of it using sudo - in your shell script, do the following:
>
> #!/bin/sh
> [ $(id -u) -ne 0 ] && exec sudo "$0" "$@"
>
> # put the rest of the script here
>
> and add a line to /etc/sudoers that reads:
>
> ALL ALL=NOPASSWD: /path/to/script
>
> This will allow any user (the first "ALL") from any host (the second
> "ALL") to run /path/to/script as root:root without any authentication,
> by simply calling /path/to/script (or just "script", if it happens to be
> in the $PATH).
>
> NB - I haven't actually tried this recently, so I might be wrong on some
> of the specifics, but the general idea should hold.
>
> Also, if you want to restrict *who* can run the script, you can change
> the first "ALL" to something else, see sudoers(5) for details - also you
> can restrict *where* it can be run by changing the second "ALL".
>
> If you want to make the user enter *their own* password, remove the
> "NOPASSWD:". If you want to make the user enter *root's* password, read
> the man page - I don't remember the option, but I know there is one.
>
Thanks for detailed info!
Best regards,
Hinko
--
Hinko Kočevar, OSS developer
ČETRTA POT, d.o.o.
Planina 3, 4000 Kranj, SI EU
tel ++386 (0) 4 280 66 03
e-mail hinko.kocevar@cetrtapot.si
http www.cetrtapot.si
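The re-exec-through-sudo pattern ABCD describes above, written out as an added example that is not part of the thread. Besides the `id -u` check and `exec sudo`, it adds the checks a practitioner would want before handing a script to a NOPASSWD rule: the script resolves its own absolute path (sudoers matches commands by full path), it refuses to run if it is group- or world-writable (anyone who can edit a delegated script gets root), it calls `sudo -n` so a missing rule fails instead of prompting, and the generated sudoers line is scoped to one user with a trailing `""` so the script can only be run without arguments. The user name `hinkok`, the path `/usr/local/sbin/touch-foo` and the `RUN_PRIVILEGED` guard are assumptions for illustration; `touch /sbin/foo.bar` is the step from the original message.

```shell
#!/bin/sh
# Added example (not from the thread): the "re-exec via sudo" pattern with
# the hardening checks a defender would add before granting a NOPASSWD rule.

# Print an absolute path for FILE so it can be matched exactly in sudoers.
abs_path() {
  p=$1
  case "$p" in ./*) p=${p#./} ;; esac
  case "$p" in
    /*) printf '%s\n' "$p" ;;
    *)  printf '%s/%s\n' "$(pwd -P)" "$p" ;;
  esac
}

# Returns 0 (true) when UID is not root, i.e. the script must re-exec itself.
needs_reexec() {
  [ "$1" -ne 0 ]
}

# Returns 0 (true) when FILE is writable by group or others. A script
# delegated through sudo must never be loosely writable: editing it would
# be equivalent to editing a root shell.
loosely_writable() {
  mode=$(ls -ld "$1" | cut -c1-10)   # e.g. -rwxr-xr-x
  case "$mode" in
    ?????w????|????????w?) return 0 ;;  # group write (col 6) or other write (col 9)
    *) return 1 ;;
  esac
}

# Returns 0 (true) when FILE is owned by root (third column of ls -ld).
owned_by_root() {
  [ "$(ls -ld "$1" | awk '{print $3}')" = root ]
}

# Print a sudoers rule scoped to one USER and one argument-less COMMAND.
# The trailing "" means the command may only be run with no arguments
# (sudoers(5)), so callers cannot smuggle extra arguments through the rule.
sudoers_rule() {
  printf '%s ALL=(root) NOPASSWD: %s ""\n' "$1" "$2"
}

main() {
  me=$(abs_path "$0")
  if needs_reexec "$(id -u)"; then
    if loosely_writable "$me" || ! owned_by_root "$me"; then
      echo "refusing to delegate $me: must be root-owned and not group/world writable" >&2
      exit 1
    fi
    # -n: never prompt; fail immediately when no matching sudoers rule exists.
    # No arguments are forwarded, matching the "" in the generated rule.
    exec sudo -n -- "$me"
  fi
  # Privileged part (the step from the original message).
  touch /sbin/foo.bar
}

# Only take the privileged path when explicitly asked (assumed guard variable),
# so the helper functions can also be sourced and exercised on their own.
if [ "${RUN_PRIVILEGED:-0}" = 1 ]; then
  main "$@"
fi
```

With the script installed root-owned and mode 0755 at `/usr/local/sbin/touch-foo`, `sudoers_rule hinkok /usr/local/sbin/touch-foo` prints the single line to add via `visudo`; run it as `RUN_PRIVILEGED=1 /usr/local/sbin/touch-foo`. Restricting the first field to a user or `%group` instead of `ALL` is the same narrowing ABCD points to in sudoers(5), just applied by default.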
Thread overview:
2009-03-02 8:29 [gentoo-user] SUID Hinko Kocevar
2009-03-02 8:43 ` Tomáš Krasničan
2009-03-02 8:50 ` [gentoo-user] SUID ABCD
2009-03-02 9:18 ` Hinko Kocevar [this message]