From owner-freebsd-questions@FreeBSD.ORG Wed Aug 4 21:17:56 2004
Date: Wed, 4 Aug 2004 23:17:53 +0200 (CEST)
From: Wojciech Puchar
To: Bill Moran
Cc: FreeBSD-Questions@freebsd.org, "Paredes Sánchez Martín A."
Subject: Re: The set-user-ID-on-execution
Message-ID: <20040804231659.G59935@chylonia.3miasto.net>
In-Reply-To: <20040804090925.0868e1e3.wmoran@potentialtech.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> >
> > did I miss something?
>
> Yes. Scripts can't utilize setuid/setgid.
>
> You can rewrite the script in perl and use the setuid perl interpreter
> (which is basically a workaround for this) or install sudo and give the
> script the ability to call sudo before executing commands that require
> elevated privileges.

Or even better, write this in C, or at least do a wrapper in C that will make
sure no "tricks" are in environment variables etc. It's quite difficult to
write setuid scripts without security holes.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQFBEVKCVbTJCKecqu0RAguzAJ9M+MoEItfK84EpSFi/v+OBWbnQ9wCfQLe1
J87ReX6DCOhasKkqoyRTVCc=
=Lj+2
-----END PGP SIGNATURE-----
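
One way to write the C wrapper suggested above, as an added example that is not code from the original message: it ignores the caller's environment and arguments and runs the script with a fixed PATH and IFS, passing through only a validated TERM. The script path, the allowlist and the function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical script path (assumption; the message names none). */
#define SCRIPT "/usr/local/libexec/example-task.sh"

/* Values the wrapper sets itself, never inherited from the caller. */
static char *const FIXED[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", "IFS= \t\n", NULL };

/* Accept a caller-supplied TERM only if it is a short, plain name. */
static int safe_term(const char *v)
{
    size_t n = strlen(v);
    return n > 0 && n < 32 && strspn(v,
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.+") == n;
}

/* Build a fresh environment in out[] (cap slots, including the final NULL).
 * Nothing from in[] is copied except one validated TERM entry.
 * Returns the number of entries, or -1 if out[] is too small. */
int build_clean_env(char *const in[], char *out[], size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; FIXED[i]; i++) {
        if (n + 1 >= cap) return -1;
        out[n++] = FIXED[i];
    }
    for (size_t i = 0; in && in[i]; i++) {
        if (strncmp(in[i], "TERM=", 5) == 0 && safe_term(in[i] + 5)) {
            if (n + 1 >= cap) return -1;
            out[n++] = in[i];
            break;                       /* pass at most one TERM */
        }
    }
    out[n] = NULL;
    return (int)n;
}

int main(void)
{
    extern char **environ;
    char *env[8];
    char *const argv[] = { "/bin/sh", SCRIPT, NULL };  /* caller's argv is ignored */

    if (build_clean_env(environ, env, 8) < 0) return 111;
    execve("/bin/sh", argv, env);        /* only returns on failure */
    perror("execve");
    return 111;
}
```

The setuid bit goes on the compiled wrapper, not on the script, and the script itself should not be writable by the users allowed to run the wrapper.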