Date: Mon, 16 Jun 1997 13:22:55 -0400
From: Randall Hopper <rhh@ct.picker.com>
To: Steve Hovey <shovey@buffnet.net>
Cc: questions@freebsd.org
Subject: Re: Set execution UID on script -- A Question
Message-ID: <19970616132255.62171@ct.picker.com>
In-Reply-To: <Pine.BSI.3.95.970611092114.9324C-100000@buffnet11.buffnet.net>; from Steve Hovey on Wed, Jun 11, 1997 at 09:21:25AM -0400
References: <01BC75C2.A3B27CA0.ellis@kcc.com> <Pine.BSI.3.95.970611092114.9324C-100000@buffnet11.buffnet.net>

|Shell scripts can't be suid for security reasons.

Are there any inherent problems with the setuid scheme used on Solaris
boxes (aside from logic problems introduced by the script writer)? If not,
we might consider switching to that method. Seems like part of the
differences involve the passing of the name of the script to the
interpreter via /dev/fd/3 rather than passing a pathname on the
command-line.

To write setuid scripts on Solaris one simply uses:

    "#!/bin/sh -p" or "#!/bin/csh -fb"

at the top of scripts, where:

  SH:
    -p    If the -p flag is present, the shell will not set
          the effective user and group IDs to the real user
          and group IDs.

  CSH:
    -b    Force a break from option processing. Subsequent
          command line arguments are not interpreted as C
          shell options. This allows the passing of options
          to a script without confusion. The shell does not
          run set-user-ID or set-group-ID scripts unless
          this option is present.

    -f    Fast start. Read neither the .cshrc file, nor the
          .login file (if a login shell) upon startup.

Of course, it's up to the script writer to be sensible in writing the
script, as in Perl (e.g. override PATH, etc.). But setuid perl is
supported, so that's not really an issue.

Randall Hopper
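
The message above leaves it to the script writer to "be sensible" (override PATH, etc.) once "#!/bin/sh -p" keeps the effective IDs. A preamble that does this is sketched below as an added example; it is not part of the original message, and SAFE_PATH and the function names are assumptions made for illustration.

```sh
#!/bin/sh -p
# Added example: defensive preamble for a script that keeps elevated IDs.
# SAFE_PATH and all function names are assumptions made for illustration.

SAFE_PATH=/usr/bin:/bin

# Discard inherited settings that change how the shell finds or splits commands.
sanitize_env() {
    PATH=$SAFE_PATH
    export PATH
    # Default field separators: space, tab, newline. The trailing "_" keeps
    # command substitution from stripping the newline and is removed again.
    IFS=$(printf ' \t\n_')
    IFS=${IFS%_}
    # Startup files and search paths that child shells would otherwise honour.
    unset ENV BASH_ENV CDPATH
    # Files created by the script are private to the effective user.
    umask 077
}

# True when effective and real UID differ, i.e. the shell kept the
# elevated effective UID instead of resetting it to the real one.
running_privileged() {
    [ "$(id -u)" != "$(id -u -r)" ]
}

# Accept only plain names: non-empty, no leading "-", no "/" or shell
# metacharacters.
is_safe_arg() {
    case $1 in
        '' | -* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}
```

Call sanitize_env before any external command runs, and pass every caller-supplied argument through is_safe_arg before using it.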
