From: "Gerald S. Stoller"
To: dnelson@allantgroup.com
Cc: vze25pmf@verizon.net, ryan@sasknow.com, freebsd-questions@freebsd.org
Date: Thu, 11 Sep 2003 03:33:40 -0400
Subject: Re: set user-id

>From: Dan Nelson
>To: "Gerald S. Stoller"
>CC: ryan@sasknow.com, vze25pmf@verizon.net, freebsd-questions@freebsd.org
>Subject: Re: set user-id
>Date: Wed, 23 Jul 2003 14:23:05 -0500
>
(snip)
> > > Well, why don't you just chmod 4755 /bin/ksh, then. :-D
> >
> > with a slight change, I copied ksh to /bin with the name kshroot,
> > made sure that the group on it is the group of root, and then did
> >     chmod 4750 /bin/kshroot
> > Thus only the users who are 'close to' root (e.g., generally users who have the
> > root password so they can become root if necessary) can run this shell
> > whenever they need to act as root, and can use it in scripts (first line:
> > #!/bin/kshroot). Again
> > note that these scripts can only be invoked by users who are 'close to'
> > root. For the other users, I'd have to use a sudo.
>
>That will work, too.
>
>--
> Dan Nelson
> dnelson@allantgroup.com

I suggest that the FreeBSD system have an argument (or option, if arguments are not allowed) on the kernel which will have it (when the setuid/setgid is on a script and the shell/interpreter is hallowed/sanctioned) invoke the interpreter and express the setuid/setgid of the script on it, and then have it interpret the script. If it can’t be done this way, then make the feature a configuration option at the time of building the kernel.

Care must be taken in implementing the setuid feature. As a friend noted:

"Suppose
    current user is U
    /bin/prog is setuid to P
    script is setuid to S and begins #!/bin/prog
then the ksh command
    prog script    runs as P
    prog