public inbox for gentoo-user@lists.gentoo.org
From: ABCD <en.ABCD@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user]  Re: SUID
Date: Mon, 02 Mar 2009 03:50:42 -0500
Message-ID: <gog6l3$mpf$1@ger.gmane.org>
In-Reply-To: <49AB9907.1040509@cetrtapot.si>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hinko Kocevar wrote:
> Hi,
> 
> I'm trying to touch a file in /sbin during boot time
> and would like to do that with a normal user by running
> SUIDed shell script.
> I have following script:
> hinkok@alala /tmp $ cat test.sh 
> #!/bin/sh
> 
> touch /sbin/foo.bar
> exit $?
> 
> hinkok@alala /tmp $ sudo chmod +x test.sh 
> hinkok@alala /tmp $ sudo chown root:root test.sh 
> hinkok@alala /tmp $ sudo chmod +s test.sh 
> hinkok@alala /tmp $ ls -l test.sh 
> -rwsr-sr-x 1 root root 32 Mar  2 09:27 test.sh
> hinkok@alala /tmp $ sh -x test.sh 
> + touch /sbin/foo.bar
> touch: cannot touch `/sbin/foo.bar': Permission denied
> 
> Can somebody help me with that?
> 
> Thank you!
> 
> Best regards,
> Hinko

Linux does not support s[ug]id scripts, however, you can emulate the
effect of it using sudo - in your shell script, do the following:

    #!/bin/sh
    # If we are not already root, re-run this same script through sudo,
    # passing the original arguments along; exec replaces the unprivileged
    # process so nothing below runs without root.
    [ "$(id -u)" -ne 0 ] && exec sudo "$0" "$@"

    # put the rest of the script here

and add a line to /etc/sudoers that reads:

    ALL ALL=NOPASSWD: /path/to/script

This will allow any user (the first "ALL") from any host (the second
"ALL") to run /path/to/script as root:root without any authentication,
by simply calling /path/to/script (or just "script", if it happens to be
in the $PATH).

NB - I haven't actually tried this recently, so I might be wrong on some
of the specifics, but the general idea should hold.

Also, if you want to restrict *who* can run the script, you can change
the first "ALL" to something else, see sudoers(5) for details - also you
can restrict *where* it can be run by changing the second "ALL".

If you want to make the user enter *their own* password, remove the
"NOPASSWD:".  If you want to make the user enter *root's* password, read
the man page - I don't remember the option, but I know there is one.

- --
ABCD
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkmrneIACgkQOypDUo0oQOqhCwCgqspw4mIaGhDdkjyFkYbUnmMF
DgAAn0rG+V5ZFmwp8GWPPUc80cyB0EGB
=NE1x
-----END PGP SIGNATURE-----
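An added worked example of the sudo-based approach above; this is not ABCD's code and not anything from the Gentoo tree. It fixes two things a practitioner would want before adding such a sudoers rule: the re-exec uses the script's absolute path (sudoers rules match absolute paths, so "$0" as given by "sh test.sh" would not match), and a helper checks that the script to be granted is root-owned and not group/other-writable, since a NOPASSWD rule on a file other users can edit hands them root. The user name hinkok is taken from the thread; the path /usr/local/sbin/test.sh and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread. Helpers for a script that
# re-executes itself under sudo, plus checks to run before granting it in
# /etc/sudoers. Requires GNU stat (Linux) for sudo_target_ok.

# Print an absolute path for the script as it was invoked (possibly
# relative, e.g. "test.sh" or "./test.sh"), so it matches the sudoers rule.
script_abspath() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "$(cd "$(dirname "$1")" && pwd -P)" "$(basename "$1")" ;;
    esac
}

# Re-exec through sudo unless already root. Call as: require_root "$@"
# at the top of the real script; everything after it then runs as root.
require_root() {
    if [ "$(id -u)" -ne 0 ]; then
        exec sudo "$(script_abspath "$0")" "$@"
    fi
}

# Pure check: $1 is the numeric owner uid, $2 the octal mode string as
# printed by `stat -c %a` (e.g. 755 or 4755). Returns 0 only if the file is
# root-owned and has no group or other write bit, i.e. a non-root user
# cannot edit what root will execute via sudo.
perms_ok() {
    uid=$1; mode=$2
    [ "$uid" -eq 0 ] || return 1
    other=${mode#"${mode%?}"}          # last octal digit (other)
    rest=${mode%?}
    group=${rest#"${rest%?}"}          # second-to-last octal digit (group)
    [ $(( group & 2 )) -eq 0 ] && [ $(( other & 2 )) -eq 0 ]
}

# Wrapper that reads owner and mode from disk and applies perms_ok.
sudo_target_ok() {
    f=$1
    [ -f "$f" ] || return 1
    perms_ok "$(stat -c '%u' "$f")" "$(stat -c '%a' "$f")"
}

# Build a sudoers line restricted to one user rather than "ALL ALL".
# $1: user, $2: absolute script path. Drop "NOPASSWD: " to require the
# user's own password.
sudoers_line() {
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# Example of putting it together (constructed values; run as root to
# actually install the rule):
#   target=/usr/local/sbin/test.sh
#   sudo_target_ok "$target" || { echo "refusing: $target is editable by non-root"; exit 1; }
#   sudoers_line hinkok "$target" > /etc/sudoers.d/test-sh
#   visudo -c -f /etc/sudoers.d/test-sh   # syntax-check before it takes effect
```

The perms_ok check is the part that matters for the original question: the script there lives in /tmp and is written by an ordinary user, so granting it via sudoers as-is would let that user run arbitrary commands as root by editing the file. Writing the rule to a file under /etc/sudoers.d and checking it with visudo -c -f avoids locking yourself out with a syntax error in /etc/sudoers itself.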