Date:      Wed, 23 Jul 2003 14:57:58 -0400
From:      "Gerald S. Stoller" <gs_stoller@hotmail.com>
To:        dnelson@allantgroup.com, ryan@sasknow.com
Cc:        freebsd-questions@freebsd.org
Subject:   Re: set user-id
Message-ID:  <Sea1-F81yeKzGZuNY1S00001c1b@hotmail.com>




>From: Dan Nelson <dnelson@allantgroup.com>
>To: Ryan Thompson <ryan@sasknow.com>
>CC: "Gerald S. Stoller" <gs_stoller@hotmail.com>, vze25pmf@verizon.net,   
>FreeBSD Questions <freebsd-questions@freebsd.org>
>Subject: Re: set user-id
>Date: Tue, 22 Jul 2003 14:37:29 -0500
>
>In the last episode (Jul 22), Ryan Thompson said:
> > If you *really* want to have suid scripts, your binary wrapper idea is
> > quite a common trick. Don't get fancy with it, though. A one-liner to
> > execve(2) should really be all you need. Either that, or re-code the
> > whole thing in C (or some other compiled language). C can introduce
> > insecurities of its own, but at least you'd (arguably) have put them
> > there yourself. :-)
>
>I use sudo for stuff like this.  I add a line like this in sudoers:
>
    I don't understand the next line!
>ALL             ALL = NOPASSWD: /usr/local/bin/thescript
  ???             Setting a variable??     Okay, invoking the script
>
>and put this it the top of thescript:
>
>#! /bin/sh
>if [ $(id -u) -ne 0 ] ; then
>   if [ "$TRYINGSUDO" = "1" ] ; then
>     echo "Cannot get admin privileges!  Exiting"
>     exit 1
>   else
>     export TRYINGSUDO=1
>     exec sudo $0 "$@"
>   fi
>fi
>
>--
>	Dan Nelson
>	dnelson@allantgroup.com

        I tried a suggestion by Ryan (slipping in something from his email)
>>Well, why don't you just chmod 4755 /bin/ksh, then. :-D
with a slight change, I copied  ksh  to  /bin  with the name  kshroot , made
sure that the group on it is the group of  root , and then did
                  chmod 4750  /bin/kshroot
Thus only the users who are 'close to' root (e.g., generally users who have
the root  password so they can become  root  if necessary) can run this shell
whenever they need to act as  root , and can use it in scripts (first line:
#!/bin/kshroot).  Again note that these scripts can only be invoked by users
who are 'close to' root.  For the other users, I'd have to use a sudo.
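
Added example, not part of this thread and not a FreeBSD tool: a POSIX sh audit that finds the setup discussed above on a host, namely setuid or setgid copies of a shell (a kshroot, or a ksh after chmod 4755), setuid files that are executable by everyone, and scripts whose #! line points at a setuid interpreter and therefore run with that interpreter's uid. The interpreter name list and the demo tree it builds under mktemp are constructed for illustration; on a real host you would pass directories such as /bin or /usr/local/bin.

```sh
#!/bin/sh
# Added example (not code from the thread). Audits a directory tree for
# setuid/setgid shell interpreters, over-permissive privileged files, and
# scripts that ride on a setuid interpreter via their #! line.

# Basenames treated as shell interpreters (assumption; extend for your site).
INTERPRETER_NAMES='sh ksh kshroot bash csh tcsh zsh dash'

# is_interpreter NAME -> true when NAME is in INTERPRETER_NAMES
is_interpreter() {
    for n in $INTERPRETER_NAMES; do
        [ "$1" = "$n" ] && return 0
    done
    return 1
}

# has_perm FILE MASK -> true when every bit of octal MASK is set on FILE
# (uses find(1) so it behaves the same with GNU and BSD userland)
has_perm() {
    [ -n "$(find "$1" -perm -"$2" -print 2>/dev/null)" ]
}

# audit_setuid DIR -> prints one "RISK <path>: <reason>" line per finding
audit_setuid() {
    dir=$1
    # 1. privileged interpreters and over-permissive privileged files
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if is_interpreter "${f##*/}"; then
            printf 'RISK %s: setuid/setgid shell interpreter\n' "$f"
        fi
        if has_perm "$f" 4000 && has_perm "$f" 001; then
            printf 'RISK %s: setuid file executable by everyone\n' "$f"
        fi
        if has_perm "$f" 002; then
            printf 'RISK %s: privileged file writable by everyone\n' "$f"
        fi
    done
    # 2. scripts whose #! interpreter is itself setuid: the kernel ignores the
    #    setuid bit on a script, but a setuid interpreter runs the script as
    #    the interpreter's owner, so every such script is a privilege grant.
    find "$dir" -type f -print 2>/dev/null |
    while IFS= read -r f; do
        interp=$(head -n 1 "$f" 2>/dev/null |
                 sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p')
        if [ -n "$interp" ] && [ -f "$interp" ] && has_perm "$interp" 4000; then
            printf 'RISK %s: script is run by setuid interpreter %s\n' "$f" "$interp"
        fi
    done
    return 0
}

# risk_count DIR -> number of RISK lines (0 when the tree is clean)
risk_count() {
    audit_setuid "$1" | grep -c '^RISK ' || true
}

# make_demo_tree -> builds a constructed tree mimicking the thread's setup in a
# temporary directory and prints its path. Nothing here touches /bin.
make_demo_tree() {
    d=$(mktemp -d)
    printf 'fake interpreter\n' > "$d/kshroot"; chmod 4750 "$d/kshroot"  # the kshroot copy
    printf 'fake interpreter\n' > "$d/ksh";     chmod 4755 "$d/ksh"      # the chmod 4755 case
    printf '#!%s\necho hi\n' "$d/kshroot" > "$d/backup.sh"; chmod 750 "$d/backup.sh"
    printf '#!/bin/sh\necho hi\n' > "$d/plain.sh";          chmod 755 "$d/plain.sh"
    printf 'not privileged\n' > "$d/README";                chmod 644 "$d/README"
    echo "$d"
}

# Usage: ./audit.sh --demo, or call audit_setuid /bin /usr/local/bin on a host
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_tree)
    audit_setuid "$demo"
    echo "risk count: $(risk_count "$demo")"
    rm -rf "$demo"
fi
```

On the constructed tree the audit reports four findings: kshroot and ksh as setuid interpreters, ksh additionally as executable by everyone, and backup.sh as a script run by a setuid interpreter; plain.sh is silent because /bin/sh is not setuid. The second pass is the one that matters after a kshroot is installed, since the scripts using it look like ordinary 750 files to a plain setuid search.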



