Date: Wed, 11 May 2011 11:59:48 +0200
From: Jonathan McKeown <j.mckeown@ru.ac.za>
To: freebsd-questions@freebsd.org
Subject: Re: Established method to enable suid scripts?
Message-ID: <201105111159.48185.j.mckeown@ru.ac.za>
In-Reply-To: <D66F1159-6815-4AD7-9687-FCF8969A4E66@vicor.com>
References: <4DC9DE2C.6070605@telting.org> <D66F1159-6815-4AD7-9687-FCF8969A4E66@vicor.com>

On Wednesday 11 May 2011 04:19:29 Devin Teske wrote:
>
> The reason that the suid bit doesn't work on scripts (shell, perl, or
> otherwise) is because these are essentially text files that are interpreted
> by their associated interpreter. It is the interpreter itself that must be
> suid.

I'm pretty sure that's not the case, although I'm open to correction.

The reason the system ignores the suid bit on a script is because of what
would happen when it's executed:

1) the script is read from a file called <filename> and the system notices
   that it needs to be interpreted by another program.

2) that program is launched and told to re-open the file named <filename>
   and execute its contents with suid privilege.

The problem is a race condition: there's no guarantee that the filename
opened by the interpreter in step 2 is the same file the user executed in
step 1.

There are two common ways round this: ignore the suid bit; or arrange within
the OS to pass a handle to the original file rather than a filename so that
the script can't be changed out from under the interpreter.

Jonathan
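
The two steps described in the message above, as an added example that is not part of the original e-mail: it opens a file, lets the name be pointed at a different file, and then compares what a re-open by name returns with what the handle from step 1 still returns. No setuid bit is involved; the temporary paths, file contents and function names are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create path containing text; returns 0 on success. */
static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Read the start of an open file into buf as a C string; 0 on success. */
static int read_fd(int fd, char *buf, size_t cap) {
    ssize_t n = pread(fd, buf, cap - 1, 0);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* by_name:   what an interpreter sees when it re-opens the filename (step 2).
 * by_handle: what it sees through the handle obtained in step 1. */
int race_demo(char *by_name, char *by_handle, size_t cap) {
    char dir[] = "/tmp/suidrace.XXXXXX";   /* constructed scratch directory */
    char path[64], other[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/script", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    if (write_file(path, "original\n") || write_file(other, "replaced\n")) return -1;
    int fd = open(path, O_RDONLY);         /* step 1: the file the user executed */
    if (fd < 0) return -1;
    if (rename(other, path)) return -1;    /* the name now refers to another file */
    int fd2 = open(path, O_RDONLY);        /* step 2: re-open by filename */
    int rc = (fd2 < 0 || read_fd(fd2, by_name, cap) || read_fd(fd, by_handle, cap)) ? -1 : 0;
    if (fd2 >= 0) close(fd2);
    close(fd);
    unlink(path); rmdir(dir);              /* remove the scratch files */
    return rc;
}

int main(void) {
    char a[32], b[32];
    if (race_demo(a, b, sizeof a)) return 1;
    return printf("by name:   %sby handle: %s", a, b) < 0;
}
```

The handle keeps referring to the file that was originally opened, which is why passing it to the interpreter instead of the filename closes the window between step 1 and step 2.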