* [gentoo-user] SUID
From: Hinko Kocevar @ 2009-03-02 8:29 UTC
To: gentoo-user

Hi,

I'm trying to touch a file in /sbin during boot time
and would like to do that with a normal user by running
a SUIDed shell script.
I have the following script:
hinkok@alala /tmp $ cat test.sh
#!/bin/sh

touch /sbin/foo.bar
exit $?

hinkok@alala /tmp $ sudo chmod +x test.sh
hinkok@alala /tmp $ sudo chown root:root test.sh
hinkok@alala /tmp $ sudo chmod +s test.sh
hinkok@alala /tmp $ ls -l test.sh
-rwsr-sr-x 1 root root 32 Mar 2 09:27 test.sh
hinkok@alala /tmp $ sh -x test.sh
+ touch /sbin/foo.bar
touch: cannot touch `/sbin/foo.bar': Permission denied

Can somebody help me with that?

Thank you!

Best regards,
Hinko

--
Hinko Kočevar, OSS developer
ČETRTA POT, d.o.o.
Planina 3, 4000 Kranj, SI EU
tel ++386 (0) 4 280 66 03
e-mail hinko.kocevar@cetrtapot.si
http www.cetrtapot.si

* Re: [gentoo-user] SUID
From: Tomáš Krasničan @ 2009-03-02 8:43 UTC
To: gentoo-user

Hi,

#! scripts cannot run as suid.

Regards,
krasko

Hinko Kocevar wrote:
> Hi,
>
> I'm trying to touch a file in /sbin during boot time
> and would like to do that with a normal user by running
> a SUIDed shell script.
> I have the following script:
> hinkok@alala /tmp $ cat test.sh
> #!/bin/sh
>
> touch /sbin/foo.bar
> exit $?
>
> hinkok@alala /tmp $ sudo chmod +x test.sh
> hinkok@alala /tmp $ sudo chown root:root test.sh
> hinkok@alala /tmp $ sudo chmod +s test.sh
> hinkok@alala /tmp $ ls -l test.sh
> -rwsr-sr-x 1 root root 32 Mar 2 09:27 test.sh
> hinkok@alala /tmp $ sh -x test.sh
> + touch /sbin/foo.bar
> touch: cannot touch `/sbin/foo.bar': Permission denied
>
> Can somebody help me with that?
>
> Thank you!
>
> Best regards,
> Hinko

* [gentoo-user] Re: SUID
From: ABCD @ 2009-03-02 8:50 UTC
To: gentoo-user

Hinko Kocevar wrote:
> Hi,
>
> I'm trying to touch a file in /sbin during boot time
> and would like to do that with a normal user by running
> a SUIDed shell script.
> I have the following script:
> hinkok@alala /tmp $ cat test.sh
> #!/bin/sh
>
> touch /sbin/foo.bar
> exit $?
>
> hinkok@alala /tmp $ sudo chmod +x test.sh
> hinkok@alala /tmp $ sudo chown root:root test.sh
> hinkok@alala /tmp $ sudo chmod +s test.sh
> hinkok@alala /tmp $ ls -l test.sh
> -rwsr-sr-x 1 root root 32 Mar 2 09:27 test.sh
> hinkok@alala /tmp $ sh -x test.sh
> + touch /sbin/foo.bar
> touch: cannot touch `/sbin/foo.bar': Permission denied
>
> Can somebody help me with that?
>
> Thank you!
>
> Best regards,
> Hinko

Linux does not support s[ug]id scripts, however, you can emulate the
effect of it using sudo - in your shell script, do the following:

#!/bin/sh
[ "$(id -u)" -ne 0 ] && exec sudo "$0" "$@"

# put the rest of the script here

and add a line to /etc/sudoers that reads:

ALL ALL=NOPASSWD: /path/to/script

This will allow any user (the first "ALL") from any host (the second
"ALL") to run /path/to/script as root:root without any authentication,
by simply calling /path/to/script (or just "script", if it happens to be
in the $PATH).

NB - I haven't actually tried this recently, so I might be wrong on some
of the specifics, but the general idea should hold.

Also, if you want to restrict *who* can run the script, you can change
the first "ALL" to something else, see sudoers(5) for details - also you
can restrict *where* it can be run by changing the second "ALL".

If you want to make the user enter *their own* password, remove the
"NOPASSWD:". If you want to make the user enter *root's* password, read
the man page - I don't remember the option, but I know there is one.

--
ABCD

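
Added example, not part of ABCD's message or of any project's code: a check to run before naming a script in a NOPASSWD sudoers rule such as the one above. It rejects the script if the file or any parent directory is not owned by the expected uid or is writable by group or others; the function names and the OWNER_UID parameter are assumptions, and it relies on GNU stat and readlink -f.

```shell
#!/bin/sh
# Added example: vet a script before listing it in a NOPASSWD sudoers rule.
# Requires GNU stat and readlink -f. Function names are hypothetical.

# component_ok PATH [OWNER_UID]
# Succeeds only if PATH is owned by OWNER_UID (default 0, root) and is not
# writable by group or others.
component_ok() {
    c_meta=$(stat -c '%u %A' -- "$1" 2>/dev/null) || return 2
    c_uid=${c_meta%% *}
    c_perm=${c_meta#* }
    [ "$c_uid" -eq "${2:-0}" ] || return 1
    case $c_perm in
        ?????w*|????????w*) return 1 ;;   # group-write or other-write bit set
    esac
    return 0
}

# sudo_target_safe SCRIPT [OWNER_UID]
# Resolves symlinks, then checks the script and every parent directory up to
# "/". Whoever can write the file or rename any directory above it can replace
# what sudo runs as root, so one bad component fails the whole path.
sudo_target_safe() {
    t_path=$(readlink -f -- "$1") || return 2
    [ -f "$t_path" ] || { echo "not a regular file: $1" >&2; return 2; }
    while :; do
        if ! component_ok "$t_path" "${2:-0}"; then
            echo "unsafe component: $t_path"
            return 1
        fi
        [ "$t_path" = / ] && return 0
        t_path=$(dirname -- "$t_path")
    done
}

# Usage: sudo_target_safe /path/to/script && echo "ok to reference in sudoers"
```

A script left in /tmp, as in the original post, fails this check because /tmp is world-writable.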
* Re: [gentoo-user] Re: SUID
From: Hinko Kocevar @ 2009-03-02 9:18 UTC
To: gentoo-user

ABCD wrote:
> Hinko Kocevar wrote:
>> Hi,
>>
>> I'm trying to touch a file in /sbin during boot time
>> and would like to do that with a normal user by running
>> a SUIDed shell script.
>> I have the following script:
>> hinkok@alala /tmp $ cat test.sh
>> #!/bin/sh
>>
>> touch /sbin/foo.bar
>> exit $?
>>
>> hinkok@alala /tmp $ sudo chmod +x test.sh
>> hinkok@alala /tmp $ sudo chown root:root test.sh
>> hinkok@alala /tmp $ sudo chmod +s test.sh
>> hinkok@alala /tmp $ ls -l test.sh
>> -rwsr-sr-x 1 root root 32 Mar 2 09:27 test.sh
>> hinkok@alala /tmp $ sh -x test.sh
>> + touch /sbin/foo.bar
>> touch: cannot touch `/sbin/foo.bar': Permission denied
>>
>> Can somebody help me with that?
>>
>> Thank you!
>>
>> Best regards,
>> Hinko
>
> Linux does not support s[ug]id scripts, however, you can emulate the

Hmm, I was not aware of that..

> effect of it using sudo - in your shell script, do the following:
>
> #!/bin/sh
> [ "$(id -u)" -ne 0 ] && exec sudo "$0" "$@"
>
> # put the rest of the script here
>
> and add a line to /etc/sudoers that reads:
>
> ALL ALL=NOPASSWD: /path/to/script
>
> This will allow any user (the first "ALL") from any host (the second
> "ALL") to run /path/to/script as root:root without any authentication,
> by simply calling /path/to/script (or just "script", if it happens to be
> in the $PATH).
>
> NB - I haven't actually tried this recently, so I might be wrong on some
> of the specifics, but the general idea should hold.
>
> Also, if you want to restrict *who* can run the script, you can change
> the first "ALL" to something else, see sudoers(5) for details - also you
> can restrict *where* it can be run by changing the second "ALL".
>
> If you want to make the user enter *their own* password, remove the
> "NOPASSWD:". If you want to make the user enter *root's* password, read
> the man page - I don't remember the option, but I know there is one.
>

Thanks for the detailed info!

Best regards,
Hinko

--
Hinko Kočevar, OSS developer
ČETRTA POT, d.o.o.
Planina 3, 4000 Kranj, SI EU
tel ++386 (0) 4 280 66 03
e-mail hinko.kocevar@cetrtapot.si
http www.cetrtapot.si