From: ABCD
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: SUID
Date: Mon, 02 Mar 2009 03:50:42 -0500
In-Reply-To: <49AB9907.1040509@cetrtapot.si>

Hinko Kocevar wrote:
> Hi,
>
> I'm trying to touch a file in /sbin during boot time
> and would like to do that with a normal user by running
> a SUIDed shell script.
> I have the following script:
> hinkok@alala /tmp $ cat test.sh
> #!/bin/sh
>
> touch /sbin/foo.bar
> exit $?
>
> hinkok@alala /tmp $ sudo chmod +x test.sh
> hinkok@alala /tmp $ sudo chown root:root test.sh
> hinkok@alala /tmp $ sudo chmod +s test.sh
> hinkok@alala /tmp $ ls -l test.sh
> -rwsr-sr-x 1 root root 32 Mar  2 09:27 test.sh
> hinkok@alala /tmp $ sh -x test.sh
> + touch /sbin/foo.bar
> touch: cannot touch `/sbin/foo.bar': Permission denied
>
> Can somebody help me with that?
>
> Thank you!
>
> Best regards,
> Hinko

Linux does not support s[ug]id scripts, however, you can emulate the effect of it using sudo - in your shell script, do the following:

#!/bin/sh
[ $(id -u) -ne 0 ] && exec sudo "$0" "$@"
# put the rest of the script here

and add a line to /etc/sudoers that reads:

ALL ALL=NOPASSWD: /path/to/script

This will allow any user (the first "ALL") from any host (the second "ALL") to run /path/to/script as root:root without any authentication, by simply calling /path/to/script (or just "script", if it happens to be in the $PATH).
NB - I haven't actually tried this recently, so I might be wrong on some of the specifics, but the general idea should hold.

Also, if you want to restrict *who* can run the script, you can change the first "ALL" to something else, see sudoers(5) for details - also you can restrict *where* it can be run by changing the second "ALL". If you want to make the user enter *their own* password, remove the "NOPASSWD:". If you want to make the user enter *root's* password, read the man page - I don't remember the option, but I know there is one.

-- 
ABCD
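The re-exec guard and the NOPASSWD rule from the reply above, worked through as an added example (this is not code from ABCD's reply, from Hinko, or from Gentoo; the function names are hypothetical, and it assumes GNU coreutils for `stat -c` and `readlink -f`). It makes two points the reply leaves implicit: the guard should hand sudo an absolute path, because sudoers matches commands by full path and sudo looks a bare `test.sh` up on PATH rather than in the current directory; and once `ALL ALL=NOPASSWD: /path/to/script` exists, the script file itself is a root boundary, so it goes a step beyond the thread by auditing the target (ownership, write bits, its parent directory) and by flagging the setuid bit on scripts that the kernel ignores anyway.

```shell
#!/bin/sh
# Added example, not code from ABCD's reply or from Gentoo. Function names
# are hypothetical. Assumes GNU coreutils (stat -c, readlink -f) and sudo.

# The re-exec guard from the reply, with one change: resolve the script's
# absolute path first. sudoers rules name commands by full path, and sudo
# looks a bare "test.sh" up on PATH, not in the current directory, so
# "sh test.sh" would otherwise re-exec into "sudo: test.sh: command not
# found" instead of matching "ALL ALL=NOPASSWD: /path/to/script".
reexec_via_sudo_if_needed() {
    [ "$(id -u)" -eq 0 ] && return 0
    script=$(readlink -f -- "$0") || return 1
    exec sudo -- "$script" "$@"
}

# True if the file starts with "#!" and carries a setuid or setgid bit.
# The Linux kernel ignores those bits on interpreted scripts (why the
# "chmod +s test.sh" in the thread changed nothing), so such a file is a
# stale or mistaken configuration worth reporting in a filesystem audit.
is_setuid_script() {
    f=$1
    [ -f "$f" ] || return 1
    first=""
    IFS= read -r first < "$f" 2>/dev/null || :
    case $first in '#!'*) ;; *) return 1 ;; esac
    [ -u "$f" ] || [ -g "$f" ]
}

# True if the group or "other" write bit is set: take the last two octal
# digits of the mode and test each against the write bit (2).
is_group_or_other_writable() {
    mode=$(stat -c %a -- "$1") || return 1
    [ "${#mode}" -ge 2 ] || return 1
    go=${mode#"${mode%??}"}      # last two digits: group, other
    g=${go%?}
    o=${go#?}
    [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]
}

# A NOPASSWD rule makes the named script a root boundary: whoever can edit
# the file (or swap it in its directory) runs code as root. Print the
# problems found for one target, space-separated, and return 0 only when
# there are none.
audit_sudo_target() {
    f=$1
    findings=""
    [ -f "$f" ] || { echo "not-a-regular-file"; return 1; }
    [ "$(stat -c %u -- "$f")" -eq 0 ] || findings="$findings not-owned-by-root"
    is_group_or_other_writable "$f" && findings="$findings group-or-other-writable"
    is_group_or_other_writable "$(dirname -- "$f")" && findings="$findings parent-dir-writable"
    is_setuid_script "$f" && findings="$findings setuid-bit-on-script"
    echo "${findings# }"
    [ -z "$findings" ]
}

# Stand-alone use: "sh this.sh --audit /path/to/script ..." prints the
# findings for each target named in a sudoers rule.
if [ "$#" -gt 0 ] && [ "$1" = "--audit" ]; then
    shift
    for target in "$@"; do
        printf '%s: ' "$target"
        audit_sudo_target "$target" || :
    done
fi
```

In a real script the first line of the body would be `reexec_via_sudo_if_needed "$@"`; here it is left as a function so the file can be sourced and its checks run without touching sudo. The audit reports findings rather than fixing them, since the right fix (chown to root, strip the write bits, move the script out of a shared directory) is a decision for whoever owns the sudoers rule.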