From owner-freebsd-questions Wed Jun 11 09:28:25 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id JAA02931 for questions-outgoing; Wed, 11 Jun 1997 09:28:25 -0700 (PDT) Received: from buffnet4.buffnet.net (buffnet4.buffnet.net [205.246.19.13]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA02926 for ; Wed, 11 Jun 1997 09:28:20 -0700 (PDT) Received: from buffnet9.buffnet.net (buffnet9.buffnet.net [205.246.19.19]) by buffnet4.buffnet.net (8.7.5/8.7.3) with SMTP id MAA07965; Wed, 11 Jun 1997 12:28:01 -0400 (EDT) Received: from buffnet11.buffnet.net(205.246.19.55) by buffnet9.buffnet.net via smap (V2.0) id xma013591; Wed, 11 Jun 97 12:26:24 -0400 Date: Wed, 11 Jun 1997 12:27:43 -0400 (EDT) From: Steve Hovey To: "Paul T. Root" cc: ellis@kcc.com, freebsd-questions@FreeBSD.ORG Subject: Re: Set execution UID on script In-Reply-To: <199706111447.JAA25743@horton.iaces.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-questions@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Im pretty sure - if you want a script to run suid, you need to wrap a program around it that runs suid and then calls it - I think thats why majordomo has a program called 'wrapper' On Wed, 11 Jun 1997, Paul T. Root wrote: > In a previous message, Steve Hovey said: > > > > Shell scripts cant be suid for security reasons. > > They certainly aren't a good idea, but are they disabled? > > Here's a Setuid perl script that does the trick. You will > need to build perl5.004 (as prior versions have a security > hole discovered a couple of weeks ago). Enable setuid emulation. > > > Note, I do a little redundant checking of the pid (both the > file and ps) to give a better feeling that someone didn't > write a fake named that execs a (root) shell on a HUP. > > #!/usr/local/bin/suidperl > > require "tainted.pl"; > > $ENV{'PATH'} = '/usr/bin'; > $PIDFILE = "/var/run/named.pid"; > > open (PID, "<$PIDFILE") || die "Couldn't open $PIDFILE"; > $pid = ; > chop ($pid); > close (PID); > > # > # Get the process id of in.named. > # > open (PS, "/bin/ps -ax |" ) || die "Couldn't exec ps"; > > while () { > last if ( grep ( /named/, $_ )); > } > > # Untaint the pid. > $_ =~ /\s*(\d+)\s.*/; > $upid = $1; > > # Just to be sure > die "$pid != $upid" if ($pid != $upid); > die "$upid is tainted" if (&tainted ($upid)); > > # > # send the HUP signal to in.named > # > kill("HUP",$upid); > > > > > > On Tue, 10 Jun 1997, Joshua J. Ellis wrote: > > > > > > > > I'm missing something on a script I'm attempting to setup for an > > > administration group. The script is this: > > > > > > #!/bin/sh > > > kill -hup `cat /var/run/named.hup` > > > > > > I then do a "chown root:staff rs-named" followed by a "chmod 6750 rs-named". > 4750 would be sufficient, you don't need to setgid. > > > > > That gives me an set of permissions like this: > > > > > > -rwsr-s--- 1 root staff 46 Jun 10 16:56 rs-named > > > > > > Shouldn't this allow users of the 'staff' group to successfully execute this > > > command? When I try to execute it as anyone but root, I get the following > > > error: > > > > > > kill: 230: Operation not permitted > > > > > > 230 is the PID of named. If it is executing as root, why is kill refusing to > > > send a message to the process? > > > > > > -joshua > > > -- > > > ****[ S-D-G ]***************************************[-0.8090169943749]*** > > > Joshua Ellis, IS Consultant - Omni Resources, Green Bay, WI (800)236-2332 > > > ellis@kcc.com http://www.kimberly-clark.com > > > joshe@elltech.com http://www.joshua.elltech.com > > > > poet-apostate-philosopher-musician-pinhead-hwarang-webmaestro-japh < > > > ************************************************************************* > > > > > > > > > > > > > > > > > > -- > It is possible to fly without motors, but not without knowledge and skill. > -- Wilbur Wright >