On Feb 20, 2005, at 4:08 PM, horst wrote:

I am confused:
1) you talk about processes and setuid (and limitations(?) for scripts)

Yes, while researching the problem (and the solution I was planning on using) I read several sites online that stated that shell scripts that have the setuid bit are often ignored as setuid by Linux. Some Unixes will allow them, but apparently most Linux installs will ignore setuid on a shell script for security purposes. The Red Hat system I am working on this problem on indeed does ignore setuid bits on shell scripts. I believe the security concern comes from the fact that a shell script executes a shell, so if the script is setuid to root, you have a shell running as root during the script's execution. If at any time during the execution the user was able to gain direct access to the shell, they would essentially have root access to the machine.


2) you talk about the filesystem and chown and chmod.
You should be able to chmod using scripts and/or cron jobs if you are the owner of the files or root.
You need to be root for arbitrary chown, but root can do this per script or cron jobs.

Right, but the script won't execute with high enough privileges to function correctly (setuid issue), and I want the script/executable to be triggered by a CVS commit, not a time interval (i.e. not cron).


Most 'nix dialects understand:
 chown -R user:group /path/and/so/on  (i.e. do both in one step)

Yeah, I'll use this.


Q: Does your CVS really require "chmod -R o+w /var/cvs/repository", that is, having files world-writable?

Probably not. When we encounter the problem now, someone has to log into the system and execute a few commands by hand. Often we end up executing blanket statements that might be overkill in an attempt to address the problem thoroughly and quickly. This may not be the best practice for security reasons, but I bet it's very common in a lot of companies.



- Horst

In reply to:

Date: Fri, 18 Feb 2005 14:24:39 -0800
From: Jim Beard <[EMAIL PROTECTED]>
Reply-To: Eugene Unix and Gnu/Linux User Group <[email protected]>
To: Eugene Unix and Gnu/Linux User Group <[email protected]>
Subject: [Eug-lug] setuid programs
Howdy Folks,

So we have been having some funky permission problems involving commits and lock files with our CVS installation. To solve these issues I was planning on executing a script from CVSROOT/loginfo to clean up the repository permissions. Originally I wrote a shell script to do this, then made it setuid. However, I now realize that Linux generally ignores setuid on shell scripts for security reasons. Sooo... I wrote a simple C executable using execl and execlp, however neither of them seems to work.

The C code looks like this:

#include <unistd.h>
#include <sys/wait.h>
/* Corrected: the original passed several arguments as one string, omitted argv[0]
   and the trailing NULL, and since execl() replaces the caller only the first call ran. */
static void run(const char *p, const char *a, const char *b, const char *c) {
    pid_t pid = fork();
    if (pid == 0) { execl(p, p, a, b, c, (char *)NULL); _exit(127); }
    if (pid > 0) waitpid(pid, NULL, 0);
}
int main(void) {
    run("/bin/chown", "-R", "server", "/var/cvs/repository");
    run("/bin/chgrp", "-R", "server", "/var/cvs/repository");
    run("/bin/chmod", "-R", "o+w", "/var/cvs/repository");
}

Anyone know why this isn't working? Anyone have a better solution to my problem?


Jim Beard
counterclaim.com, Inc
http://www.counterclaim.com
http://openefm.sourceforge.net
(800) 264-8145

_______________________________________________
EUGLUG mailing list
[email protected]
http://www.euglug.org/mailman/listinfo/euglug



Jim Beard
counterclaim.com, Inc
http://www.counterclaim.com
http://openefm.sourceforge.net
(800) 264-8145
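As an added example (not code from the thread or from Jim), here is a hardened version of the kind of setuid-root helper the thread describes for running from CVSROOT/loginfo: it hard-codes the commands, refuses to run unless it really is root, execs each binary by absolute path from a forked child with a cleaned environment, and checks each exit status instead of ignoring it. The owner "server:server" and the "g+w" mode are assumptions, following horst's one-step chown suggestion and the point that world-writable files are probably not required.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>

/* Minimal environment handed to every child: nothing inherited from the
   committer's shell (PATH, IFS, LD_PRELOAD, ...) reaches a root process. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", (char *)NULL };

/* Fork, exec one binary by absolute path with the clean environment, wait,
   and return the child's exit status (127 if exec fails, -1 on fork/wait error). */
int run_clean(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, clean_env);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Repository path from the thread; owner and mode below are assumptions. */
#define REPO "/var/cvs/repository"

int main(void)
{
    /* A setuid-root helper takes no input from its caller and bails out
       unless it really is root (e.g. the setuid bit did not survive a copy). */
    if (geteuid() != 0) {
        fprintf(stderr, "not running as root; check the setuid bit on the binary\n");
        return 1;
    }
    char *const chown_argv[] = { "chown", "-R", "server:server", REPO, (char *)NULL };
    char *const chmod_argv[] = { "chmod", "-R", "g+w", REPO, (char *)NULL }; /* group write, not o+w */
    const char *paths[] = { "/bin/chown", "/bin/chmod" };
    char *const *argvs[] = { chown_argv, chmod_argv };
    for (int i = 0; i < 2; i++) {
        int rc = run_clean(paths[i], argvs[i]);
        if (rc != 0) {
            fprintf(stderr, "%s exited with status %d\n", paths[i], rc);
            return 1;
        }
    }
    return 0;
}
```

Because the helper ends up owned by root with the setuid bit, it should itself be root-owned and not writable by the committing users, or the cleanup it performs can be replaced.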

