From: Bill Moran <wmoran@potentialtech.com>
To: Paredes Sánchez Martín A.
cc: FreeBSD-Questions@FreeBSD.org
Date: Wed, 4 Aug 2004 09:09:25 -0400
Subject: Re: The set-user-ID-on-execution
Message-Id: <20040804090925.0868e1e3.wmoran@potentialtech.com>

Paredes Sánchez Martín A. wrote:

> Hi:
>
> I made a script (for the tcsh shell) which adds a printer to the system
> (makes directories and files, sets security and does some validations),
> but it needs root access to accomplish this task.
>
> My solution was to setuid the scripts as root:
>
> # chown root:admin-hmo *.tcsh
> # chmod u=swrx,g=rx,o= *.tcsh
> # ls -l
> total 4
> -rwsr-x---  1 root  admin-hmo  2024 Aug  3 04:07 impresora.tcsh
> -rwsr-x---  1 root  admin-hmo   275 Jul 30 02:26 seguridad.tcsh
>
> The first line of the script is #!/bin/tcsh -fb
>
> But when I run the script as another user I have problems with
> the permissions:
>
> > impresora.tcsh oc81p8707 p1ct203 psct203 raw
> mkdir: /var/spool/lpd/oc81p8707: Permission denied
> touch: /var/spool/lpd/oc81p8707/filter-errors: No such file or directory
> touch: /var/spool/lpd/oc81p8707/accounting-file: No such file or directory
> /var/spool/lpd/oc81p8707/minfree: No such file or directory.
>
> Did I miss something?

Yes. Scripts can't utilize setuid/setgid. You can rewrite the script in
Perl and use the setuid Perl interpreter (which is basically a workaround
for this), or install sudo and give the script the ability to call sudo
before executing commands that require elevated privileges.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
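The sudo route Bill suggests, as an added example that is not code from the thread: a hypothetical rewrite of impresora.tcsh as a /bin/sh script (impresora.sh) that stays unprivileged itself and sends only the individual spool commands through sudo. The sudoers alias name LPD_SETUP, the command list, the daemon owner and the 770 mode are assumptions; the group admin-hmo is the one from the post. Two points the original failure output makes worth handling: a shell redirection such as `echo 2000 > .../minfree` is performed by the caller's shell, not by sudo, so the value is written through `tee`; and because a `*` in a sudoers command argument also matches `/` and `..`, the printer name must be validated before it is spliced into a path, or a group member could run `chown daemon /etc` through the rule.

```shell
#!/bin/sh
# Added example, not code from the original thread. Hypothetical rewrite of
# impresora.tcsh as impresora.sh: the script itself runs unprivileged and
# only the individual spool commands go through sudo.
#
# Assumed sudoers entries (install with visudo; the alias name, command
# list, daemon owner and mode are assumptions, group admin-hmo is from the post):
#
#   Cmnd_Alias LPD_SETUP = /bin/mkdir /var/spool/lpd/*, \
#       /usr/bin/touch /var/spool/lpd/*, /usr/bin/tee /var/spool/lpd/*, \
#       /usr/sbin/chown daemon /var/spool/lpd/*, /bin/chmod 770 /var/spool/lpd/*
#   %admin-hmo ALL = (root) NOPASSWD: LPD_SETUP

SPOOL_ROOT=/var/spool/lpd

# In sudoers a "*" inside a command argument also matches "/" and "..", so
# with the entries above a name like "../../etc" would let a group member
# run "chown daemon /etc". Accept only a conservative character set.
# Returns 0 for a safe name, 1 otherwise.
valid_printer_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Spool directory for an already validated printer name.
spool_dir() {
    printf '%s/%s\n' "$SPOOL_ROOT" "$1"
}

# Run one command as root: directly when already root, otherwise via sudo.
# "-n" makes sudo fail instead of prompting when sudoers does not cover the
# command, which is the failure mode you want inside a script.
as_root() {
    if [ "$(id -u)" -eq 0 ]; then
        "$@"
    else
        sudo -n "$@"
    fi
}

# Create the spool directory and the files lpd expects for one printer.
# minfree is written through tee because a redirection like
# "echo 2000 > $dir/minfree" is done by the unprivileged caller's shell,
# which is exactly the "No such file or directory" error in the post.
add_printer() {
    name=$1
    minfree=${2:-2000}
    if ! valid_printer_name "$name"; then
        echo "impresora.sh: invalid printer name: '$name'" >&2
        return 2
    fi
    dir=$(spool_dir "$name")
    as_root /bin/mkdir "$dir" || return 1
    for f in filter-errors accounting-file; do
        as_root /usr/bin/touch "$dir/$f" || return 1
    done
    printf '%s\n' "$minfree" | as_root /usr/bin/tee "$dir/minfree" >/dev/null || return 1
    as_root /usr/sbin/chown daemon "$dir" || return 1
    as_root /bin/chmod 770 "$dir" || return 1
}

# Usage: impresora.sh add <printer> [minfree-in-kB]
case "${1-}" in
    add) shift; add_printer "$@" ;;
esac
```

Each command in the alias is listed with its full path and a fixed argument prefix, so the rule grants the group exactly those five operations under /var/spool/lpd and nothing else; a generic `sudo sh -c` or `sudo ALL` entry would hand the group a root shell instead.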