From owner-freebsd-questions@FreeBSD.ORG Wed Jul 23 12:23:06 2003
Date: Wed, 23 Jul 2003 14:23:05 -0500
From: Dan Nelson
To: "Gerald S. Stoller"
Cc: vze25pmf@verizon.net, ryan@sasknow.com, freebsd-questions@freebsd.org
Subject: Re: set user-id
Message-ID: <20030723192305.GB3178@dan.emsphone.com>
X-OS: FreeBSD 5.1-CURRENT
User-Agent: Mutt/1.5.4i

In the last episode (Jul 23), Gerald S. Stoller said:
> > >From: Dan Nelson
> > >To: Ryan Thompson
> > >CC: "Gerald S. Stoller" , vze25pmf@verizon.net,
> > >FreeBSD Questions
> > >Subject: Re: set user-id
> > >Date: Tue, 22 Jul 2003 14:37:29 -0500
> > >
> > >In the last episode (Jul 22), Ryan Thompson said:
> > >> If you *really* want to have suid scripts, your binary wrapper idea is
> > >> quite a common trick. Don't get fancy with it, though. A one-liner to
> > >> execve(2) should really be all you need. Either that, or re-code the
> > >> whole thing in C (or some other compiled language). C can introduce
> > >> insecurities of its own, but at least you'd (arguably) have put them
> > >> there yourself. :-)
> > >
> > >I use sudo for stuff like this. I add a line like this in sudoers:
>
> I don't understand the next line!
>
> > >ALL ALL = NOPASSWD: /usr/local/bin/thescript
>
> ??? Setting a variable?? Okay, invoking the script

The sudoers file has a really weird syntax, but what that means is that
any user (the first ALL keyword) may run "thescript" as root on any
machine (the second ALL keyword; this allows the same file to be
replicated to multiple machines) without a password prompt (the
NOPASSWD: keyword).

> > >> Well, why don't you just chmod 4755 /bin/ksh, then. :-D
>
> With a slight change, I copied ksh to /bin with the name kshroot, made
> sure that the group on it is the group of root, and then did
> chmod 4750 /bin/kshroot
> Thus only the users who are 'close to' root (e.g., generally users who
> have the root password so they can become root if necessary) can run
> this shell whenever they need to act as root, and can use it in scripts
> (first line: #!/bin/kshroot). Again note that these scripts can only be
> invoked by users who are 'close to' root. For the other users, I'd have
> to use a sudo.

That will work, too.

-- 
	Dan Nelson
	dnelson@allantgroup.com
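Ryan's "binary wrapper" is a setuid program whose only job is to execve(2) the script. What follows is an added example of such a wrapper, not code from any of the thread's participants or from FreeBSD; it assumes the script lives at /usr/local/bin/thescript (the path from Dan's sudoers line) and that a PATH of /sbin:/bin:/usr/sbin:/usr/bin suits the script. It goes a little beyond the one-liner in three ways a reviewer would ask for: the target is hard-coded and checked to be an absolute path, the caller's environment is thrown away, and the real uid is set to the effective uid before the exec.

```c
/*
 * suid_wrapper.c: a setuid wrapper whose whole job is to execve(2) one script.
 * Added example for this page; not code from the thread's participants or
 * from FreeBSD. TARGET is the script path from the sudoers line in the thread;
 * the PATH value handed to the script is an assumption.
 *
 * Install like the kshroot copy in the thread, limited to root's group:
 *   cc -o thescript-wrapper suid_wrapper.c
 *   chown root:wheel thescript-wrapper && chmod 4750 thescript-wrapper
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* The only thing this wrapper will ever exec: hard-coded and absolute. */
#define TARGET "/usr/local/bin/thescript"

/* Environment handed to the script. Nothing from the caller survives, so
 * PATH, IFS, ENV, BASH_ENV and LD_* cannot be used to steer the script. */
static char *const clean_envp[] = {
    "PATH=/sbin:/bin:/usr/sbin:/usr/bin",   /* assumed to suit the script */
    "IFS= \t\n",
    NULL
};

/* Exposed as a function so the environment can be checked from a test. */
char *const *clean_env(void)
{
    return clean_envp;
}

/* A target is acceptable only if it is absolute, has no "." or ".."
 * components and contains no whitespace; that rules out anything resolved
 * relative to the caller's cwd or a path that escapes its directory.
 * Returns 1 if acceptable, 0 otherwise. */
int target_ok(const char *path)
{
    const char *p;

    if (path == NULL || path[0] != '/')
        return 0;
    for (p = path; *p != '\0'; ) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        size_t i;

        if (len == 1 && p[0] == '.')
            return 0;
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        for (i = 0; i < len; i++)
            if (p[i] == ' ' || p[i] == '\t' || p[i] == '\n')
                return 0;
        if (end == NULL)
            break;
        p = end + 1;
    }
    return 1;
}

/* Make the real ids match the effective ids. Shells such as bash drop an
 * effective uid that differs from the real uid unless started with -p, so
 * without this step the script would quietly run as the caller. */
int normalize_ids(void)
{
    if (setgid(getegid()) != 0)
        return -1;
    if (setuid(geteuid()) != 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Only argv[0] reaches the script: caller-supplied arguments are not
     * forwarded, so the caller cannot feed the script unexpected input. */
    char *const script_argv[] = { (char *)TARGET, NULL };

    if (!target_ok(TARGET)) {
        fprintf(stderr, "refusing to exec %s\n", TARGET);
        return 1;
    }
    if (normalize_ids() != 0) {
        perror("setuid");
        return 1;
    }
    execve(TARGET, script_argv, clean_env());
    perror("execve");   /* reached only if execve(2) failed */
    return 1;
}
```

The 4750 mode mirrors Gerald's kshroot copy: only members of root's group can run the wrapper at all, and unlike a setuid shell the wrapper can run exactly one script. Because the environment is rebuilt from scratch, the script must not rely on anything the caller exports; add any further variables it needs to clean_envp rather than passing the caller's through.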
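Dan's reply spells out the fields of the sudoers line: user, host, the NOPASSWD: tag and the command. The following added example, which is neither sudo's own parser nor anything from the thread, parses user specifications of that shape and counts the ones a reviewer of a sudoers file would want to look at twice (NOPASSWD:, a user of ALL, a command of ALL). It handles only this single-command subset of the grammar (no aliases, command lists or continuation lines), and the sample file it walks is constructed for the example.

```c
/*
 * sudoers_audit.c: parse user-specification lines of the shape explained in
 * the thread, "User Host = [(Runas)] [NOPASSWD:] Cmnd", and flag the ones an
 * auditor would look at twice. Added example for this page; it is not sudo's
 * parser nor anything from the thread's participants, and it covers only this
 * single-command subset: no aliases, command lists or continuation lines.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct sudo_rule {
    char user[64];
    char host[64];
    char runas[64];    /* sudo's default target user when no (Runas) is given */
    int  nopasswd;     /* 1 when the NOPASSWD: tag is present */
    char cmnd[256];
};

enum { RISK_NOPASSWD = 1, RISK_ANY_USER = 2, RISK_ANY_CMND = 4 };

/* Copy the next whitespace-delimited token from *s into buf and advance *s
 * past it. Returns the token length (0 at end of input). */
static size_t next_token(const char **s, char *buf, size_t cap)
{
    size_t n = 0;
    while (**s != '\0' && isspace((unsigned char)**s)) (*s)++;
    while (**s != '\0' && !isspace((unsigned char)**s) && n + 1 < cap)
        buf[n++] = *(*s)++;
    buf[n] = '\0';
    return n;
}

/* Parse one line into *r. Returns 1 for a rule in the supported subset and 0
 * for blank lines, comments, Defaults, *_Alias lines and anything else. */
int parse_sudoers_line(const char *line, struct sudo_rule *r)
{
    char first[64], tok[256], extra[8];
    const char *s = line, *eq, *h, *cmnd_start;
    size_t n;

    memset(r, 0, sizeof *r);
    snprintf(r->runas, sizeof r->runas, "root");
    if (!next_token(&s, first, sizeof first) || first[0] == '#') return 0;
    if (strcmp(first, "Defaults") == 0 || strstr(first, "_Alias") != NULL) return 0;

    /* Everything between the user and '=' must be exactly one host token. */
    eq = strchr(line, '=');
    if (eq == NULL || eq < s || (size_t)(eq - s) >= sizeof tok) return 0;
    memcpy(tok, s, (size_t)(eq - s));
    tok[eq - s] = '\0';
    h = tok;
    if (!next_token(&h, r->host, sizeof r->host)) return 0;
    if (next_token(&h, extra, sizeof extra)) return 0;   /* host list: unsupported */
    snprintf(r->user, sizeof r->user, "%s", first);

    /* After '=': optional (Runas), optional tag, then the command. */
    s = eq + 1;
    if (!next_token(&s, tok, sizeof tok)) return 0;
    if (tok[0] == '(') {
        n = strlen(tok);
        if (n < 3 || tok[n - 1] != ')') return 0;
        tok[n - 1] = '\0';
        snprintf(r->runas, sizeof r->runas, "%s", tok + 1);
        if (!next_token(&s, tok, sizeof tok)) return 0;
    }
    cmnd_start = s - strlen(tok);               /* where this token began */
    if (strncmp(tok, "NOPASSWD:", 9) == 0) {    /* "NOPASSWD: cmd" or "NOPASSWD:cmd" */
        r->nopasswd = 1;
        cmnd_start += 9;
    } else if (strncmp(tok, "PASSWD:", 7) == 0) {
        cmnd_start += 7;
    }
    /* The command is the trimmed remainder; it may carry arguments. */
    while (*cmnd_start != '\0' && isspace((unsigned char)*cmnd_start)) cmnd_start++;
    n = strlen(cmnd_start);
    while (n > 0 && isspace((unsigned char)cmnd_start[n - 1])) n--;
    if (n == 0 || n >= sizeof r->cmnd) return 0;
    memcpy(r->cmnd, cmnd_start, n);
    r->cmnd[n] = '\0';
    return 1;
}

/* Bitmask of the properties worth flagging in a review. */
int rule_risk(const struct sudo_rule *r)
{
    int risk = 0;
    if (r->nopasswd) risk |= RISK_NOPASSWD;
    if (strcmp(r->user, "ALL") == 0) risk |= RISK_ANY_USER;
    if (strcmp(r->cmnd, "ALL") == 0) risk |= RISK_ANY_CMND;
    return risk;
}

/* Walk a sudoers text line by line; returns how many rules have non-zero risk. */
int count_risky_rules(const char *text)
{
    int flagged = 0;
    const char *p = text;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        struct sudo_rule r;
        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            if (parse_sudoers_line(line, &r) && rule_risk(&r) != 0) flagged++;
        }
        if (nl == NULL) break;
        p = nl + 1;
    }
    return flagged;
}

/* Constructed sample; the NOPASSWD line is the one from the thread. */
static const char sample_sudoers[] =
    "# constructed sample, not a real sudoers file\n"
    "Defaults env_reset\n"
    "Defaults secure_path=\"/sbin:/bin:/usr/sbin:/usr/bin\"\n"
    "root ALL=(ALL) ALL\n"
    "%wheel ALL=(ALL) ALL\n"
    "ALL ALL = NOPASSWD: /usr/local/bin/thescript\n"
    "operator ALL = /sbin/shutdown -p now\n";
```

Run over the constructed sample, count_risky_rules() reports three rules: the two "(ALL) ALL" entries (any command) and the thread's line, which combines "any user" with NOPASSWD:. The operator line, one fixed command for one named user with a password prompt, is what a narrowly scoped rule looks like. Real sudoers files use aliases and lists extensively, so treat a 0 return from parse_sudoers_line() as "not handled here", not as "harmless".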