From: Hinko Kocevar
To: gentoo-user@lists.gentoo.org
Date: Mon, 02 Mar 2009 10:18:06 +0100
Subject: Re: [gentoo-user] Re: SUID
Message-ID: <49ABA44E.9000200@cetrtapot.si>
References: <49AB9907.1040509@cetrtapot.si>

ABCD wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hinko Kocevar wrote:
>> Hi,
>>
>> I'm trying to touch a file in /sbin during boot time and
>> would like to do that with a normal user by running a
>> SUIDed shell script.
>> I have the following script:
>> hinkok@alala /tmp $ cat test.sh
>> #!/bin/sh
>>
>> touch /sbin/foo.bar
>> exit $?
>>
>> hinkok@alala /tmp $ sudo chmod +x test.sh
>> hinkok@alala /tmp $ sudo chown root:root test.sh
>> hinkok@alala /tmp $ sudo chmod +s test.sh
>> hinkok@alala /tmp $ ls -l test.sh
>> -rwsr-sr-x 1 root root 32 Mar 2 09:27 test.sh
>> hinkok@alala /tmp $ sh -x test.sh
>> + touch /sbin/foo.bar
>> touch: cannot touch `/sbin/foo.bar': Permission denied
>>
>> Can somebody help me with that?
>>
>> Thank you!
>>
>> Best regards,
>> Hinko
>
> Linux does not support s[ug]id scripts, however, you can emulate the

Hmm, I was not aware of that...

> effect of it using sudo - in your shell script, do the following:
>
> #!/bin/sh
> [ $(id -u) -ne 0 ] && exec sudo "$0" "$@"
>
> # put the rest of the script here
>
> and add a line to /etc/sudoers that reads:
>
> ALL ALL=NOPASSWD: /path/to/script
>
> This will allow any user (the first "ALL") from any host (the second
> "ALL") to run /path/to/script as root:root without any authentication,
> by simply calling /path/to/script (or just "script", if it happens to be
> in the $PATH).
>
> NB - I haven't actually tried this recently, so I might be wrong on some
> of the specifics, but the general idea should hold.
>
> Also, if you want to restrict *who* can run the script, you can change
> the first "ALL" to something else, see sudoers(5) for details - also you
> can restrict *where* it can be run by changing the second "ALL".
>
> If you want to make the user enter *their own* password, remove the
> "NOPASSWD:". If you want to make the user enter *root's* password, read
> the man page - I don't remember the option, but I know there is one.
>

Thanks for the detailed info!

Best regards,
Hinko

-- 
Hinko Kočevar, OSS developer
ČETRTA POT, d.o.o.
Planina 3, 4000 Kranj, SI EU
tel ++386 (0) 4 280 66 03
e-mail hinko.kocevar@cetrtapot.si
http www.cetrtapot.si