From: Dan Nelson <[EMAIL PROTECTED]> To: "Gerald S. Stoller" <[EMAIL PROTECTED]> CC: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Re: set user-id Date: Wed, 23 Jul 2003 14:23:05 -0500
In the last episode (Jul 23), Gerald S. Stoller said:
> >From: Dan Nelson <[EMAIL PROTECTED]>
> >To: Ryan Thompson <[EMAIL PROTECTED]>
> >CC: "Gerald S. Stoller" <[EMAIL PROTECTED]>, [EMAIL PROTECTED],
> >FreeBSD Questions <[EMAIL PROTECTED]>
> >Subject: Re: set user-id
> >Date: Tue, 22 Jul 2003 14:37:29 -0500
> >In the last episode (Jul 22), Ryan Thompson said:
> >> If you *really* want to have suid scripts, your binary wrapper idea is
> >> quite a common trick. Don't get fancy with it, though. A one-liner to
> >> execve(2) should really be all you need. Either that, or re-code the
> >> whole thing in C (or some other compiled language). C can introduce
> >> insecurities of its own, but at least you'd (arguably) have put them
> >> there yourself. :-)
> >I use sudo for stuff like this. I add a line like this in sudoers:
> I don't understand the next line!
> >ALL ALL = NOPASSWD: /usr/local/bin/thescript
> ??? Setting a variable?? Okay, invoking the script
The sudoers file has a really weird syntax, but what that means is that any user (the first ALL keyword) may run "thescript" as root on any machine (the second ALL keyword; this allows the same file to be replicated to multiple machines) without a password prompt (the NOPASSWD: keyword).
> >>Well, why don't you just chmod 4755 /bin/ksh, then. :-D
> with a slight change, I copied ksh to /bin with the name kshroot ,
> made sure
> that the group on it is the group of root , and then did
> chmod 4750 /bin/kshroot
> Thus only the users who are 'close to' root (e.g., generally users who have
> root password so they can become root if necessary) can run this shell
> they need to act as root , and can use it in scripts (first line:
> #!/bin/kshroot). Again
> note that these scripts can only be invoked by users who are 'close to'
> root. For the
> other users, I'd have to use a sudo.
That will work, too.
-- Dan Nelson [EMAIL PROTECTED]
Thinking about this a little more, let's think of these scripts as being text that is to be interpreted and specifies its interpretor somehow (say as the scripts do, on the first line with '#!' and then a path to the interpretor). When such a file has set user-id on, the user-id of the file is put on its interpretor (similar action for the group-id) and then the interpretor is run. This is probably just a small change in the kernel and should make things run smoothly. [What module of the kernel takes care of:
1) determining if a file (about to be invoked) has set user-id on,
2) making the user-id of the file the effecive user-id of the process,
3) accepting from a shell an instruction as to which shell to use to interpret a script file]
I may try ro do this on my own if these three questions are answered (and maybe some others, I notice that the source code is sparse on comments and directions as to what purpose structures are used, so I may not get enough info to do this just from these questions).
MSN 8 with e-mail virus protection service: 2 months FREE* http://join.msn.com/?page=features/virus
_______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"