From owner-freebsd-questions@FreeBSD.ORG Wed May 11 09:59:54 2011 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 230EF1065670 for ; Wed, 11 May 2011 09:59:54 +0000 (UTC) (envelope-from j.mckeown@ru.ac.za) Received: from d.mail.ru.ac.za (d.mail.ru.ac.za [IPv6:2001:4200:1010::25:4]) by mx1.freebsd.org (Postfix) with ESMTP id A14138FC0A for ; Wed, 11 May 2011 09:59:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ru.ac.za; s=ru-msa; h=X-Authenticated-User:Message-Id:Content-Type:MIME-Version:Date:Subject:To:From; bh=LDxrfYvAEreiBuyJBsdftUQQnvUIKeaVe8I+ebQUJec=; b=KsWvGrjHcJP6VzWp9+ov+TcXtnpYDuuqaOK5lXAqYg6+YwQdjmKvSyQXRw92hrDvpzIiDj57+0dAxxEs8xq1jvz5PFyeoUENlr2AeW49iPgQP935da7JGp8m4Kh5MsKS; Received: from vorkosigan.ru.ac.za ([2001:4200:1010:1058:219:d1ff:fe9f:a932]:50217) by d.mail.ru.ac.za with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.75 (FreeBSD)) (envelope-from ) id 1QK6Cq-0001PU-Gl for freebsd-questions@freebsd.org; Wed, 11 May 2011 11:59:48 +0200 From: Jonathan McKeown Organization: Rhodes University To: freebsd-questions@freebsd.org Date: Wed, 11 May 2011 11:59:48 +0200 User-Agent: KMail/1.9.10 References: <4DC9DE2C.6070605@telting.org> In-Reply-To: X-Face: $@VrUx^RHy/}yu]jKf/<4T%/d|F+$j-Ol2"2J$q+%OK1]&/G_S9(=?utf-8?q?HkaQ*=60!=3FYOK=3FY!=27M=60C=0A=09aP=5C9nVPF8Q=7DCilHH8l=3B=7E!4?= =?utf-8?q?2HK6=273lg4J=7Daz?=@1Dqqh:J]M^"YPn*2IWrZON$1+G?oX3@ =?utf-8?q?k=230=0A=0954XDRg=3DYn=5FF-etwot4U=24b?=dTS{i X-Virus-Scanned: d.mail.ru.ac.za (2001:4200:1010::25:4) X-Authenticated-User: s0900137 from vorkosigan.ru.ac.za (2001:4200:1010:1058:219:d1ff:fe9f:a932) using auth_plaintext Subject: Re: Established method to enable suid scripts? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 May 2011 09:59:54 -0000 On Wednesday 11 May 2011 04:19:29 Devin Teske wrote: > > The reason that the suid bit doesn't work on scripts (shell, perl, or > otherwise) is because these are essentially text files that are interpreted > by their associated interpreter. It is the interpreter itself that must be > suid. I'm pretty sure that's not the case, although I'm open to correction. The reason the system ignores the suid bit on a script is because of what would happen when it's executed: 1) the script is read from a file called and the system notices that it needs to be interpreted by another program. 2) that program is launched and told to re-open the file named and execute its contents with suid privilege. The problem is a race condition: there's no guarantee that the filename opened by the interpreter in step 2 is the same file the user executed in step 1. There are two common ways round this: ignore the suid bit; or arrange within the OS to pass a handle to the original file rather than a filename so that the script can't be changed out from under the interpreter. Jonathan