From: "Carlos A. M. dos Santos"
To: Anthony Pankov
Cc: freebsd-hackers@freebsd.org
Date: Fri, 24 Jul 2009 22:47:43 -0300
Subject: Re: SGID/SUID on scripts
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers@freebsd.org)
In-Reply-To: <19939654343.20090722214221@mail.ru>

On Wed, Jul 22, 2009 at 2:42 PM, Anthony Pankov wrote:
>
> SGID/SUID bits don't work with shell scripts, do they?

No. A possible workaround is to have a SUID/SGID version of your interpreter and use it. Something like

    # pw groupadd -n sush -g 401
    # cp /bin/sh /bin/sush
    # chown root:sush /bin/sush
    # chmod 4750 /bin/sush
    # pw usermod johndoe -G sush

Then start your script with "#!/bin/sush" and user johndoe, as well as any member of the "sush" group, will be able to run it as root. I think I don't need to warn you that they will be able to run *any* command as root, in fact.

For a better approach, consider using sudo instead (/usr/ports/security/sudo).

-- 
My preferred quotation of Robert Louis Stevenson is "You cannot make an omelette without breaking eggs". Not because I like the omelettes, but because I like the sound of eggs being broken.
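As an added example that is not part of the thread or of Carlos's message: a POSIX sh audit function that walks a directory tree and reports the two misconfigurations the reply touches on, a script that carries a setuid/setgid bit the kernel will ignore, and a private copy of a known interpreter (the /bin/sush pattern) with the bit set, which hands unrestricted root to everyone in its group. The function name audit_suid, the output tags and the interpreter list passed as arguments are my assumptions; it relies only on find(1), dd(1) and cmp(1).

```shell
#!/bin/sh
# audit_suid DIR INTERP...
# Prints one line per finding:
#   SCRIPT_WITH_SUID <path>   - interpreted script with setuid/setgid set
#                               (ignored by the kernel; stale or misleading)
#   INTERPRETER_COPY <path>   - setuid/setgid file byte-identical to one of
#                               the interpreters given as INTERP arguments
# Prints nothing when the tree is clean.
audit_suid() {
    dir=$1
    shift
    # -perm -4000 / -2000: files with the setuid / setgid bit set
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # First two bytes "#!" mark an interpreted script
        if [ "$(dd if="$f" bs=2 count=1 2>/dev/null)" = "#!" ]; then
            printf 'SCRIPT_WITH_SUID %s\n' "$f"
            continue
        fi
        # Otherwise compare against each known interpreter binary
        for interp in "$@"; do
            if [ -f "$interp" ] && cmp -s "$f" "$interp"; then
                printf 'INTERPRETER_COPY %s (identical to %s)\n' "$f" "$interp"
                break
            fi
        done
    done
}
```

On a real host the interpreter list would be the system's own shells and language runtimes, for example `audit_suid / /bin/sh /bin/csh /usr/local/bin/perl`.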