From owner-freebsd-questions@FreeBSD.ORG Wed May 11 16:48:44 2011
From: Greg Larkin <glarkin@FreeBSD.org>
Organization: The FreeBSD Project
Date: Wed, 11 May 2011 12:48:37 -0400
To: Alejandro Imass
Cc: Jerry McAllister, Chris Telting, freebsd-questions@freebsd.org
Subject: Re: Established method to enable suid scripts?
Message-ID: <4DCABDE5.3090603@FreeBSD.org>
References: <4DC9DE2C.6070605@telting.org> <20110511141420.GD41080@gizmo.acns.msu.edu>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 5/11/11 12:31 PM, Alejandro Imass wrote:
> On Wed, May 11, 2011 at 10:14 AM, Jerry McAllister wrote:
>> On Tue, May 10, 2011 at 05:54:04PM -0700, Chris Telting wrote:
>>
>>> I've googled for over an hour.
>
> As others have said, suiding on scripts is not allowed in modern
> versions of Unix. What I do, for example, is create small C programs,
> suid them and use those special suid execs to do special stuff. For
> example, if I need to erase some files created by the mysql daemon
> process, I will create a C exec called suidrm and have it suid to the
> mysql owner so I can remove the temp files from an Apache CGI, for
> example. Any suid exec should be carefully evaluated and meant for one
> specific thing, and avoid suiding to root if at all possible. If you
> must, you can copy the exec with a different name and suid it for a
> specific purpose with a specific user, preferably not root.
>
> Anyway, with the simple C program wrapper approach I have solved many
> things like what you're trying to do.
>
> Best,
>
> --
> Alejandro Imass

To the OP and others - you'll find tons of hits for "setuid wrapper" in
Google (http://www.google.com/search?q=setuid+wrapper&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a),
but be very careful if you decide to compile one of them for use in your
environment. It might be worth checking out some of the Apache suEXEC
documentation to understand all of the security checks they have
implemented: http://httpd.apache.org/docs/2.2/suexec.html

Hope that helps,
Greg

- -- 
Greg Larkin

http://www.FreeBSD.org/ - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
http://twitter.com/cpucycle/ - Follow you, follow me
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk3KveUACgkQ0sRouByUApBP6wCeOuMVod5erYOtYQqTDVmgcmaP
fdsAoMUMrPkJWvs2ZZEOMMgmVBu2xlcv
=h1f6
-----END PGP SIGNATURE-----
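[Editor's added example, not code from Alejandro, Greg or any setuid wrapper found on the web.] The two pieces of advice in this thread, a single-purpose C wrapper setuid to a non-root account, and the kind of checks suEXEC applies before it acts, fit together in a small program. The "suidrm" below is such a wrapper for the scenario Alejandro describes: it is installed setuid to the service account (the mysql user in his case) and can do exactly one thing, remove a regular file from one fixed scratch directory. The directory path, the allowed caller account ("www") and the file-name rules are assumptions made for the example. It refuses to run if it finds itself setuid root, discards the caller's environment the way suEXEC does, rejects any argument that is not a plain file name, opens the directory without following symlinks, and requires both the directory and the target entry to be owned by the effective uid before unlinking. selftest() exercises the path checks on a scratch directory so the logic can be verified without installing the binary setuid.

```c
/* suidrm: editor's added example of a single-purpose setuid wrapper.
 * Assumptions: installed setuid to the service account (e.g. mysql), may
 * only remove files directly inside ALLOWED_DIR, only callable by the
 * ALLOWED_CALLER real uid.  Build/install (hypothetical):
 *   cc -O2 -Wall -o suidrm suidrm.c
 *   chown mysql:mysql suidrm && chmod 4755 suidrm          */
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define ALLOWED_DIR    "/var/tmp/mysql-scratch"  /* assumption */
#define ALLOWED_CALLER "www"                     /* assumption */
#define MAX_NAME       64

extern char **environ;

/* Accept only a plain file name: 1..MAX_NAME chars from [A-Za-z0-9._-] and
 * no leading '.', which also rejects ".", ".." and dotfiles.  No '/' means
 * the name can never escape the directory.  Returns 1 if acceptable. */
int safe_name(const char *name)
{
    if (name == NULL) return 0;
    size_t n = strlen(name);
    if (n == 0 || n > MAX_NAME || name[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        char c = name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* The real uid is whoever invoked us (the CGI's account); allow one name. */
int caller_allowed(uid_t real_uid, const char *allowed_user)
{
    struct passwd *pw = getpwnam(allowed_user);
    return pw != NULL && pw->pw_uid == real_uid;
}

/* suEXEC-style environment reset: throw away the caller's environment and
 * set only a fixed PATH.  Returns 0 on success. */
int reset_environment(void)
{
    static char *empty[] = { NULL };
    environ = empty;
    return setenv("PATH", "/bin:/usr/bin", 1);
}

/* Remove `name` inside `dir`.  The directory is opened without following
 * symlinks and must be owned by the effective uid and not group/world
 * writable; the entry must be a regular file (not a symlink) owned by the
 * effective uid.  unlinkat() on the directory fd removes only an entry of
 * that directory, so a swap between the stat and the unlink cannot reach
 * outside it.  Returns 0 on success, -1 on any refused check or error. */
int remove_in_dir(const char *dir, const char *name)
{
    if (!safe_name(name)) return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    struct stat st;
    int rc = -1;
    if (fstat(dfd, &st) == 0 && st.st_uid == geteuid() &&
        (st.st_mode & (S_IWGRP | S_IWOTH)) == 0 &&
        fstatat(dfd, name, &st, AT_SYMLINK_NOFOLLOW) == 0 &&
        S_ISREG(st.st_mode) && st.st_uid == geteuid() &&
        unlinkat(dfd, name, 0) == 0)
        rc = 0;
    close(dfd);
    return rc;
}

/* Runs the checks on a scratch directory we own, no setuid needed.
 * Returns 1 when a regular file is removed and a symlink, a missing file
 * and a traversal attempt are all refused. */
int selftest(void)
{
    char dir[] = "/tmp/suidrm-selftest-XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    char path[256];
    snprintf(path, sizeof path, "%s/a.tmp", dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return 0;
    close(fd);
    snprintf(path, sizeof path, "%s/link.tmp", dir);
    int ok = symlink("/etc/passwd", path) == 0 &&
             remove_in_dir(dir, "a.tmp") == 0 &&          /* regular file */
             remove_in_dir(dir, "a.tmp") == -1 &&         /* already gone */
             remove_in_dir(dir, "link.tmp") == -1 &&      /* symlink refused */
             remove_in_dir(dir, "../etc/passwd") == -1;   /* traversal refused */
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fputs("usage: suidrm <name>\n", stderr); return 2; }
    if (geteuid() == 0) { fputs("suidrm: refusing to run as root\n", stderr); return 2; }
    if (!caller_allowed(getuid(), ALLOWED_CALLER)) { fputs("suidrm: caller not permitted\n", stderr); return 2; }
    if (reset_environment() != 0) return 2;
    if (remove_in_dir(ALLOWED_DIR, argv[1]) != 0) { fprintf(stderr, "suidrm: refused: %s\n", argv[1]); return 1; }
    return 0;
}
```

The wrapper deliberately never calls exec(), so there is no interpreter, shell or PATH lookup for the caller to influence; the whole privileged action is the one unlinkat(). If the directory must be writable by more than the service account, the group/world-writable check is the one to relax, and it should be relaxed knowingly rather than removed.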