Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 11 Sep 2003 03:33:40 -0400
From:      "Gerald S. Stoller" <gs_stoller@hotmail.com>
To:        dnelson@allantgroup.com
Cc:        freebsd-questions@freebsd.org
Subject:   Re: set user-id
Message-ID:  <Sea1-F1627ImxUkMxLf00004ef3@hotmail.com>
next in thread | raw e-mail | index | archive | help 



>From: Dan Nelson <dnelson@allantgroup.com>
>To: "Gerald S. Stoller" <gs_stoller@hotmail.com>
>CC: ryan@sasknow.com, vze25pmf@verizon.net, freebsd-questions@freebsd.org
>Subject: Re: set user-id
>Date: Wed, 23 Jul 2003 14:23:05 -0500
>
(snip)
> > > Well, why don't you just chmod 4755 /bin/ksh, then. :-D
> > with a slight change, I copied  ksh  to  /bin  with the name  kshroot ,
> > made sure
> > that the group on it is the group of  root , and then did
> >                  chmod 4750  /bin/kshroot
> > Thus only the users who are 'close to' root (e.g., generally users who 
>have the
> > root  password so they can become  root  if necessary) can run this 
>shell
> > whenever they need to act as  root , and can use it in scripts (first 
>line:
> > #!/bin/kshroot).  Again
> > note that these scripts can only be invoked by users who are 'close to'
> > root.  For the other users, I'd have to use a sudo.
>
>That will work, too.
>
>--
>	Dan Nelson
>	dnelson@allantgroup.com

        I suggest that the  FreeBSD  system have an argument (or option,
if arguments are not allowed) on the kernel which will have it (when the
setuid/setgid  is on a script and the shell/interpreter is 
hallowed/sanctioned)
invoke the interpreter and express the  setuid/setgid  of the script on it,
and then have it interpret the script.  If it can’t be done this way, then 
make
the feature a configuration option at the time of building the kernel.
      Care must be taken in implementing the  setuid  feature.  As a friend 
noted:
"Suppose
	current use		is U
	/bin/prog		is setuid to P
	script		is setuid to S and begins #!/bin/prog
then the ksh command
	prog script	 	runs as P
	prog <script	runs as P
	script		runs as S
	. script		runs as U
That's the way it is on Unix systems that I use,
and the freeBSD man page seems to agree."

_________________________________________________________________
Compare Cable, DSL or Satellite plans: As low as $29.95.  
https://broadband.msn.com

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Sea1-F1627ImxUkMxLf00004ef3>