Date: Sat, 29 Aug 2009 02:11:28 +0200
From: Polytropon
To: Jeronimo Calvo
Cc: freebsd-questions@freebsd.org
Subject: Re: SUID permission on Bash script
Message-Id: <20090829021128.f4966942.freebsd@edvax.de>

On Fri, 28 Aug 2009 09:24:35 +0100, Jeronimo Calvo wrote:
> content of script:
> ]#!/usr/local/bin/bash
  ^
This ] doesn't belong to the script, does it?

Furthermore, why do you employ bash for calling another
program? It's standard to use sh (#!/bin/sh) if you don't
use bash-specific commands and constructs, and I don't see
them here. If you care for portability, such a script is
an absolute no-go.

Furthermore, in order to perform shutdown -p now it's more
convenient to use the sudo command (from ports) and add a
rule (for maximum security) for the specific user who you
want to be able to run this command.

Finally, it's possible to place the user in question into
the group "operator", then he can perform the above command
without needing (1st) sudo and (2nd) bash. Look at the
permissions of the shutdown program:

	-r-sr-x---  1 root  operator  /sbin/shutdown*

Members of "operator" are +x for this binary.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
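
Added example, not part of the original message: an sh function that reads an `ls -l` line such as the /sbin/shutdown listing above and reports whether a user may execute the binary and whether it then runs with the owner's uid. The function name exec_access, the users alice and bob, and their group lists are constructed for illustration; root's bypass of permission checks is not modeled.

```shell
#!/bin/sh
# Added example (not from the original message).
# exec_access "<ls -l line>" <user> "<user's groups>"
# Prints: denied | exec | exec-setuid
exec_access() {
    line=$1; user=$2; user_groups=$3

    # ls -l fields: mode, link count, owner, group, remainder.
    read -r mode links owner group rest <<EOF
$line
EOF
    # Execute slots of the mode string: owner (4), group (7), other (10).
    o=$(printf %s "$mode" | cut -c4)
    g=$(printf %s "$mode" | cut -c7)
    t=$(printf %s "$mode" | cut -c10)

    # Exactly one permission class applies: owner, else group, else other.
    if [ "$user" = "$owner" ]; then
        bit=$o
    else
        case " $user_groups " in
            *" $group "*) bit=$g ;;
            *)            bit=$t ;;
        esac
    fi

    # x = execute; s / t = execute plus setuid/setgid / sticky.
    case $bit in
        x|s|t) ;;
        *) echo denied; return 0 ;;
    esac

    # s or S in the owner slot: the process runs with the owner's uid.
    case $o in
        s|S) echo exec-setuid ;;
        *)   echo exec ;;
    esac
}

# The listing quoted in the message; alice and bob are constructed users.
SHUTDOWN_LS='-r-sr-x--- 1 root operator /sbin/shutdown*'
exec_access "$SHUTDOWN_LS" alice "alice operator"   # in operator
exec_access "$SHUTDOWN_LS" bob   "bob"              # not in operator
```

Because only one permission class is consulted, a user outside "operator" falls through to the empty "other" bits and is denied, which is why group membership alone gates who can run the setuid-root binary.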