Date:      Wed, 11 May 2011 12:31:42 -0400
From:      Alejandro Imass <ait@p2ee.org>
To:        Jerry McAllister <jerrymc@msu.edu>
Cc:        Chris Telting <christopher-ml@telting.org>, freebsd-questions@freebsd.org
Subject:   Re: Established method to enable suid scripts?
Message-ID:  <BANLkTimCQ5TLBH_w48q2zbQaBJj9jog2%2Bg@mail.gmail.com>
In-Reply-To: <20110511141420.GD41080@gizmo.acns.msu.edu>
References:  <4DC9DE2C.6070605@telting.org> <20110511141420.GD41080@gizmo.acns.msu.edu>

On Wed, May 11, 2011 at 10:14 AM, Jerry McAllister <jerrymc@msu.edu> wrote:
> On Tue, May 10, 2011 at 05:54:04PM -0700, Chris Telting wrote:
>
>> I've googled for over an hour.

As others have said, suiding on scripts is not allowed in modern
versions of Unix. What I do, for example, is create small C programs,
suid them, and use those special suid execs to do special stuff. For
example, if I need to erase some files created by the mysql daemon
process, I will create a C exec called suidrm and have it suid to the
mysql owner so I can remove the temp files from an Apache CGI, for
example. Any suid exec should be carefully evaluated and meant for one
specific thing, and avoid suiding to root if at all possible. If you
must, you can copy the exec with a different name and suid it for a
specific purpose with a specific user, preferably not root.

Anyway, with the simple C program wrapper approach I have solved many
things like what you're trying to do.

Best,

--
Alejandro Imass
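
A minimal sketch of the single-purpose wrapper the message describes, as an added example that is not the poster's code: it removes one regular file from a fixed directory and refuses path separators, symlinks and directories. The directory path and the names `name_ok` and `remove_in_dir` are assumptions made for illustration.

```c
/* suidrm.c - added example of a single-purpose setuid helper (not the poster's code). */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumption: hypothetical directory this helper is allowed to clean. */
#define ALLOWED_DIR "/var/tmp/example-app"

/* Accept only a plain file name: no path separators, no leading dot,
 * and a conservative character set. Returns 1 if acceptable, else 0. */
int name_ok(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 255 || name[0] == '.')
        return 0;
    return strspn(name, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                        "0123456789._-") == len;
}

/* Remove one regular file directly inside dir. Returns 0 on success, -1 otherwise. */
int remove_in_dir(const char *dir, const char *name)
{
    struct stat st;
    int rc = -1;
    if (!name_ok(name))
        return -1;
    /* Hold the directory by descriptor so later calls resolve relative to it. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    /* Do not follow symlinks; refuse anything that is not a regular file. */
    if (fstatat(dfd, name, &st, AT_SYMLINK_NOFOLLOW) == 0 && S_ISREG(st.st_mode))
        rc = unlinkat(dfd, name, 0);
    close(dfd);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 2 || remove_in_dir(ALLOWED_DIR, argv[1]) != 0) {
        fprintf(stderr, "usage: suidrm <file-name>\n");
        return 1;
    }
    return 0;
}
```

Because the directory is compiled in and the caller supplies only a validated file name, the binary can do one thing with the owning account's rights, which matches the "one specific thing" advice in the message.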


