Date: Wed, 23 Jul 2003 14:23:05 -0500
From: Dan Nelson <dnelson@allantgroup.com>
To: "Gerald S. Stoller" <gs_stoller@hotmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: set user-id
Message-ID: <20030723192305.GB3178@dan.emsphone.com>
In-Reply-To: <Sea1-F81yeKzGZuNY1S00001c1b@hotmail.com>
References: <Sea1-F81yeKzGZuNY1S00001c1b@hotmail.com>
In the last episode (Jul 23), Gerald S. Stoller said:
> >From: Dan Nelson <dnelson@allantgroup.com>
> >To: Ryan Thompson <ryan@sasknow.com>
> >CC: "Gerald S. Stoller" <gs_stoller@hotmail.com>, vze25pmf@verizon.net,
> >FreeBSD Questions <freebsd-questions@freebsd.org>
> >Subject: Re: set user-id
> >Date: Tue, 22 Jul 2003 14:37:29 -0500
> >
> >In the last episode (Jul 22), Ryan Thompson said:
> >> If you *really* want to have suid scripts, your binary wrapper idea is
> >> quite a common trick. Don't get fancy with it, though. A one-liner to
> >> execve(2) should really be all you need. Either that, or re-code the
> >> whole thing in C (or some other compiled language). C can introduce
> >> insecurities of its own, but at least you'd (arguably) have put them
> >> there yourself. :-)
> >
> >I use sudo for stuff like this. I add a line like this in sudoers:
> >
> I don't understand the next line!
> >ALL ALL = NOPASSWD: /usr/local/bin/thescript
> ??? Setting a variable?? Okay, invoking the script

The sudoers file has a really weird syntax, but what that means is that
any user (the first ALL keyword) may run "thescript" as root on any
machine (the second ALL keyword; this allows the same file to be
replicated to multiple machines) without a password prompt (the
NOPASSWD: keyword).

> >>Well, why don't you just chmod 4755 /bin/ksh, then. :-D
> With a slight change, I copied ksh to /bin with the name kshroot, made
> sure that the group on it is the group of root, and then did
> chmod 4750 /bin/kshroot
> Thus only the users who are 'close to' root (e.g., generally users who
> have the root password so they can become root if necessary) can run
> this shell whenever they need to act as root, and can use it in scripts
> (first line: #!/bin/kshroot). Again note that these scripts can only be
> invoked by users who are 'close to' root. For the other users, I'd have
> to use a sudo.

That will work, too.

-- 
	Dan Nelson
	dnelson@allantgroup.com
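An added example, not part of the thread: a POSIX sh audit that finds setuid files under a directory and flags the pattern discussed above (a setuid copy of a shell such as /bin/kshroot, or a setuid "#!" script), so an administrator can see where such files exist. The shell-name list and the SHELL/SCRIPT/BINARY tags are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): list setuid files under a directory
# and tag each one as SHELL (basename looks like a shell, e.g. kshroot),
# SCRIPT (file starts with "#!") or BINARY (anything else).
# Only POSIX utilities are used: find(1), dd(1), basename(1), grep(1).

# Prints one line per setuid file: "<TAG> <path>"
audit_setuid() {
    dir=$1
    find "$dir" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        # First two bytes decide whether this is an interpreter script.
        magic=$(dd if="$f" bs=2 count=1 2>/dev/null)
        case $(basename "$f") in
            sh|ksh*|bash|csh|tcsh|zsh|dash) tag=SHELL ;;
            *) if [ "$magic" = "#!" ]; then tag=SCRIPT; else tag=BINARY; fi ;;
        esac
        printf '%s %s\n' "$tag" "$f"
    done
}

# Exit status 0 when at least one setuid shell or setuid script was found.
has_risky_setuid() {
    audit_setuid "$1" | grep -q -E '^(SHELL|SCRIPT) '
}

# Usage: audit_setuid / ; has_risky_setuid / && echo "setuid shell/script present"
```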
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030723192305.GB3178>