Date: Tue, 11 Dec 2001 10:31:03 +0000
From: Rasputin
To: Sheldon Hearn
Cc: security@freebsd.org
Subject: Re: Accessing as root

* Sheldon Hearn [011210 16:05]:
>
>
> On Mon, 10 Dec 2001 18:01:20 +0200, Sheldon Hearn wrote:
>
> > > I need to make some scripts to change the password and other
> > > things like that need root permissions, but:
> > >
> > > How can I do it without opening a security hole in the server?
> > > What is the best way to do it?
> >
> > 1) Limit exposure to just those commands that need privilege, by passing
> >    your command as arguments to the su(1) command.
>
> This is stupid advice, sorry.
>
> You need to make your script setuid root (see chmod(1)).

Can you do that on FreeBSD?
Most modern UNIXes don't allow suid scripts.

--
Rasputin :: Jack of All Trades - Master of Nuns ::
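
The reply questions whether setuid scripts are honoured at all. Where the kernel ignores the bit on `#!` files, a script marked setuid is a sign that someone expected privilege it never had, so it is worth auditing for. The shell check below is an added example, not part of the original thread; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Audit for setuid interpreter scripts: files that have the setuid bit set
# and begin with the "#!" magic. Function names are hypothetical.

# find_setuid_scripts DIR -> prints "path<TAB>interpreter line" per hit.
# Assumes file names contain no newlines.
find_setuid_scripts() {
    # -type f: regular files only; -perm -4000: setuid bit is set
    find "$1" -type f -perm -4000 2>/dev/null | sort | while IFS= read -r f; do
        # The first two bytes decide whether the file is an interpreter script
        magic=$(dd if="$f" bs=2 count=1 2>/dev/null)
        if [ "$magic" = '#!' ]; then
            printf '%s\t%s\n' "$f" "$(head -n 1 "$f")"
        fi
    done
}

# make_sample_tree -> creates constructed sample files, prints the directory.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\npasswd "$1"\n' > "$d/chpass.sh"   # setuid script: the case to flag
    printf '#!/bin/sh\necho hello\n'  > "$d/plain.sh"    # script without the setuid bit
    printf '\177ELF-not-a-real-binary' > "$d/helper"     # setuid, but not a script
    chmod 4755 "$d/chpass.sh" "$d/helper"
    chmod 0755 "$d/plain.sh"
    printf '%s\n' "$d"
}

# Stand-alone run: audit the directory given as $1, else the constructed sample.
if [ -n "${1:-}" ]; then
    find_setuid_scripts "$1"
else
    sample=$(make_sample_tree) || exit 1
    find_setuid_scripts "$sample"
    rm -rf "$sample"
fi
```

Each hit shows the interpreter line, so the reviewer can see what the script would have run under had the bit been honoured.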