From: George Davidovich
Date: Fri, 28 Aug 2009 03:58:48 -0700
To: freebsd-questions@freebsd.org
Subject: Re: SUID permission on Bash script
Message-ID: <20090828105848.GA4410@marvin.optimis.net>

On Fri, Aug 28, 2009 at 10:01:54AM +0100, Jeronimo Calvo wrote:
> 2009/8/28 Giorgos Keramidas
> > On Fri, 28 Aug 2009 09:24:35 +0100, Jeronimo Calvo wrote:
> > >
> > > I'm trying to set up a reaaallly basic script to allow one user to
> > > shutdown my machine without root permissions, setting up SUID as
> > > follows:
> > >
> > > -rwsrwxr-- 1 root wheel 38 Aug 27 23:12 apagar.sh
> > >
> > > $ ./apagar.sh
> > >
> > > Permission denied
> > >
> > > content of script:
> > >
> > > cat apagar.sh
> > >
> > > ]#!/usr/local/bin/bash
> > > shutdown -p now
> > >
> > > As far as I know, using SUID, the script must run with root
> > > permissions... so I shouldn't get "Permission denied", what am I
> > > doing wrong??
> >
> > No it must not. There are security reasons why shell scripts are not
> > setuid-capable. You can find some of them in the archives of the
> > mailing list, going back at least until 1997.
> >
> > The good thing is that you don't need a shell script to do that. You
> > can install `sudo' and give permission to the specific user to run:
> >
> >     sudo shutdown -p now
>
> so SUID can be applied to sh but it doesn't work! There is not any way
> to apply it, apart from installing sudo? The thing is that installing
> sudo and adding that user into sudoers, that user will be capable of
> doing any other SU tasks, apart from shutting down... which I don't
> like :D (I know that SUID could be even worse if they edit the .sh
> file... but let's believe they don't even know that XD)

Please refrain from top-posting. It's both confusing and inconsiderate
for anyone trying to read what you write or otherwise trying to follow a
discussion.

First, as has already been pointed out, your approach is A Really Bad
Idea and will lead nowhere so forget it.

Second, you're misunderstanding sudo. From sudo(8):

  sudo allows a permitted user to execute a command as the superuser or
  another user, as specified in the sudoers file.

Note the "as specified". For example, if the sudoers file contains
nothing but

  john ALL= NOPASSWD: /usr/sbin/shutdown

then John (and only John) can use sudo to execute /usr/sbin/shutdown,
but can't use sudo to execute any other commands.

As an alternative to installing sudo, you can add your user to the
operator group:

  pw groupmod operator -m john

but be sure to understand the ramifications before doing so.

-- 
George
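
An added example, not part of the message above: the sudoers rule from the reply, tightened so that the arguments are fixed as well as the command, shown beside the broad grant the original poster was worried about. The user name and shutdown path are the ones used in the message; the alias name POWEROFF is made up for this example, and the path must match where shutdown actually lives on the system.

```sudoers
# Edit with visudo so a syntax error cannot lock sudo out;
# `visudo -c` re-checks the file, and `sudo -l` run as john
# lists exactly what he is allowed to execute.

# Broad grant (what the poster feared): john may run anything as anyone.
# Shown commented out for contrast only.
# john ALL = (ALL) ALL

# Rule from the message: only shutdown, but with ANY arguments, because
# a sudoers command listed without arguments matches every argument
# list. john could reboot, halt, or schedule a shutdown as well.
# john ALL = NOPASSWD: /usr/sbin/shutdown

# Tightest form: command AND arguments are fixed. When arguments are
# given in sudoers, the arguments typed on the command line must match
# them exactly, so only "sudo /usr/sbin/shutdown -p now" is accepted.
Cmnd_Alias POWEROFF = /usr/sbin/shutdown -p now

# (root) limits the target user to root; NOPASSWD skips the password
# prompt for this one command only.
john ALL = (root) NOPASSWD: POWEROFF
```

Nothing in this file needs a setuid bit on a script: sudo itself is the only setuid program involved, and the policy above is the whole of what john gains.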