Re: [gentoo-user] Re: SUID

[Hinko Kocevar]

ABCD wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Hinko Kocevar wrote:
>> Hi,
>>
>> I'm trying to touch a file in /sbin during boot time
>> and would like to do that with a normal user by running
>> SUIDed shell script.
>> I have following script:
>> hin...@alala /tmp $ cat test.sh 
>> #!/bin/sh
>>
>> touch /sbin/foo.bar
>> exit $?
>>
>> hin...@alala /tmp $ sudo chmod +x test.sh 
>> hin...@alala /tmp $ sudo chown root:root test.sh 
>> hin...@alala /tmp $ sudo chmod +s test.sh 
>> hin...@alala /tmp $ ls -l test.sh 
>> -rwsr-sr-x 1 root root 32 Mar  2 09:27 test.sh
>> hin...@alala /tmp $ sh -x test.sh 
>> + touch /sbin/foo.bar
>> touch: cannot touch `/sbin/foo.bar': Permission denied
>>
>> Can somebody help me with that?
>>
>> Thank you!
>>
>> Best regards,
>> Hinko
> 
> Linux does not support s[ug]id scripts, however, you can emulate the

Hmm, I was not aware of that..

> effect of it using sudo - in your shell script, do the following:
> 
> #!/bin/sh
> [ $(id -u) -ne 0 ] && exec sudo "$0" "$@"
> 
> # put the rest of the script here
> 
> and add a line to /etc/sudoers that reads:
> 
> ALL ALL=NOPASSWD: /path/to/script
> 
> This will allow any user (the first "ALL") from any host (the second
> "ALL") to run /path/to/script as root:root without any authentication,
> by simply calling /path/to/script (or just "script", if it happens to be
> in the $PATH).
> 
> NB - I havn't actually tried this recently, so I might be wrong on some
> of the specifics, but the general idea should hold.
> 
> Also, if you want to restrict *who* can run the script, you can change
> the first "ALL" to something else, see sudoers(5) for details - also you
> can restrict *where* it can be run by changing the second "ALL".
> 
> If you want to make the user enter *their own* password, remove the
> "NOPASSWD:".  If you want to make the user enter *root's* password, read
> the man page - I don't remember the option, but I know there is one.
> 

Thanks for detailed info!

Best regards,
Hinko

-- 
Hinko Kočevar, OSS developer
ČETRTA POT, d.o.o.
Planina 3, 4000 Kranj, SI EU
tel ++386 (0) 4 280 66 03
e-mail  hinko.koce...@cetrtapot.si
httpwww.cetrtapot.si

[gentoo-user] Re: SUID

[ABCD]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hinko Kocevar wrote:
> Hi,
> 
> I'm trying to touch a file in /sbin during boot time
> and would like to do that with a normal user by running
> SUIDed shell script.
> I have following script:
> hin...@alala /tmp $ cat test.sh 
> #!/bin/sh
> 
> touch /sbin/foo.bar
> exit $?
> 
> hin...@alala /tmp $ sudo chmod +x test.sh 
> hin...@alala /tmp $ sudo chown root:root test.sh 
> hin...@alala /tmp $ sudo chmod +s test.sh 
> hin...@alala /tmp $ ls -l test.sh 
> -rwsr-sr-x 1 root root 32 Mar  2 09:27 test.sh
> hin...@alala /tmp $ sh -x test.sh 
> + touch /sbin/foo.bar
> touch: cannot touch `/sbin/foo.bar': Permission denied
> 
> Can somebody help me with that?
> 
> Thank you!
> 
> Best regards,
> Hinko

Linux does not support s[ug]id scripts, however, you can emulate the
effect of it using sudo - in your shell script, do the following:

#!/bin/sh
[ $(id -u) -ne 0 ] && exec sudo "$0" "$@"

# put the rest of the script here

and add a line to /etc/sudoers that reads:

ALL ALL=NOPASSWD: /path/to/script

This will allow any user (the first "ALL") from any host (the second
"ALL") to run /path/to/script as root:root without any authentication,
by simply calling /path/to/script (or just "script", if it happens to be
in the $PATH).

NB - I havn't actually tried this recently, so I might be wrong on some
of the specifics, but the general idea should hold.

Also, if you want to restrict *who* can run the script, you can change
the first "ALL" to something else, see sudoers(5) for details - also you
can restrict *where* it can be run by changing the second "ALL".

If you want to make the user enter *their own* password, remove the
"NOPASSWD:".  If you want to make the user enter *root's* password, read
the man page - I don't remember the option, but I know there is one.

- --
ABCD
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkmrneIACgkQOypDUo0oQOqhCwCgqspw4mIaGhDdkjyFkYbUnmMF
DgAAn0rG+V5ZFmwp8GWPPUc80cyB0EGB
=NE1x
-END PGP SIGNATURE-