Date: Fri, 17 Sep 2004 16:53:31 -0400
From: mailing lists at MacTutor <lists@mactutor.biz>
To: Richard Bradley <rtb27@cam.ac.uk>
Cc: freebsd-questions@freebsd.org
Subject: Re: how to make an executable run as another user
Message-ID: <A21CB3BE-08EB-11D9-8547-000A95775140@mactutor.biz>
In-Reply-To: <200409171950.19717.rtb27@cam.ac.uk>
References: <200409171950.19717.rtb27@cam.ac.uk>
Rich,

Someone else had responded to your post explaining that setuid does not work with shell scripts. Nor does it work with any interpreted input. The following article might help explain this (and others):

http://www.evolt.org/article/UNIX_File_Permissions_and_Setuid_Part_2/18/263/

QUOTE:

"In most UNIX kernels there exists what is called a 'race condition' when executing scripts. Scripts are pieces of code which are interpreted by, strangely enough, interpreters. Common examples of interpreters are perl, sed, and awk. So when you have in your perl code

#!/usr/local/bin/perl

it tells the operating system to start executing the perl interpreter with the current script as input. Between the time that the perl interpreter starts executing and the time that it reads in your script the 'race condition' exists. At this time, a mischievous person could 'win the race' and be able to replace your script with another. And if your script is running as setuid, that person's script would run as your user! So their script could do anything that you could do from the command line. As a result, most UNIX kernels will disable users from running scripts as setuid.

The most common way around this is to create a wrapper program around your script. A wrapper, in this context, is a small program, possibly written in C, that when executed will simply run your script. The 'race condition' does not exist for real executables and so you won't be thwarted by the kernel itself."

I'm not exceptionally well versed in this stuff. But I think this is what you're after.

Alex

On Sep 17, 2004, at 3:50 PM, Richard Bradley wrote:

> Um. I feel silly asking this. But I can't work it out.
>
> I want a shell script to run as another user. I always thought this was easy
> to do with the setuid bit, but never tried it before. I read "man chmod" and
> found this:
>
> .....
> 4000 (the setuid bit). Executable files with this bit set will
> run with effective uid set to the uid of the file owner.
> .....
> s The set-user-ID-on-execution and set-group-ID-on-execution bits.
> ....
>
> And off I went. I wrote a shell script to output the current uid. I chown'ed
> it to another user. I "chmod +s"ed it. I ran it.
>
> It didn't work.
>
> -----
>
> rtb27# cat test
> #! /bin/sh
> whoami
> rtb27# ll test
> -rwsr-sr-x 1 rich wheel 20 Sep 17 19:34 test
> rtb27# ./test
> root
>
> --------
>
> Um. Help?
>
> Rich
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Alexander Sendzimir (owner)
802 863 5502
MacTutor: Apple Mac OS X Consulting
info@mactutor.biz