Date: Tue, 22 Jul 2003 14:37:29 -0500
From: Dan Nelson <dnelson@allantgroup.com>
To: Ryan Thompson <ryan@sasknow.com>
Cc: vze25pmf@verizon.net
Subject: Re: set user-id
Message-ID: <20030722193729.GH94261@dan.emsphone.com>
In-Reply-To: <20030722123627.A21583-100000@ren.sasknow.com>
References: <Sea1-F1124yp8ARf3sl0001b188@hotmail.com> <20030722123627.A21583-100000@ren.sasknow.com>
In the last episode (Jul 22), Ryan Thompson said:
> If you *really* want to have suid scripts, your binary wrapper idea is
> quite a common trick. Don't get fancy with it, though. A one-liner to
> execve(2) should really be all you need. Either that, or re-code the
> whole thing in C (or some other compiled language). C can introduce
> insecurities of its own, but at least you'd (arguably) have put them
> there yourself. :-)

I use sudo for stuff like this. I add a line like this in sudoers:

    ALL ALL = NOPASSWD: /usr/local/bin/thescript

and put this at the top of thescript:

    #! /bin/sh
    # Re-run this script through sudo unless we are already root.
    if [ "$(id -u)" -ne 0 ] ; then
      # TRYINGSUDO marks a second pass, so a failed escalation cannot loop.
      if [ "$TRYINGSUDO" = "1" ] ; then
        echo "Cannot get admin privileges! Exiting"
        exit 1
      else
        export TRYINGSUDO=1
        # Quote $0 so a path containing spaces is passed as one word.
        exec sudo "$0" "$@"
      fi
    fi

-- 
	Dan Nelson
	dnelson@allantgroup.com
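An added check, not part of the message above: the sudoers line lets every user run /usr/local/bin/thescript as root without a password, so the script and each directory above it must be owned by root and not writable by group or other. The function names and the owner-uid and stop-directory parameters are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the target of a NOPASSWD sudoers rule.
# Anyone able to modify the script, or rename a directory above it,
# controls what runs as root.

# check_entry PATH UID: fail if PATH is missing, not owned by UID,
# a symlink, or writable by group or other (mode string from `ls -ldn`).
check_entry() {
    ce_info=$(ls -ldn "$1" 2>/dev/null) || { echo "missing: $1"; return 1; }
    ce_mode=${ce_info%% *}
    ce_uid=$(printf '%s\n' "$ce_info" | awk '{print $3}')
    if [ "$ce_uid" != "$2" ]; then
        echo "owner uid $ce_uid, expected $2: $1"; return 1
    fi
    case $ce_mode in
        l*)          echo "symlink, check its target instead: $1"; return 1 ;;
        ?????w*)     echo "group-writable: $1"; return 1 ;;
        ????????w*)  echo "world-writable: $1"; return 1 ;;
    esac
    return 0
}

# audit_sudo_target PATH [UID] [STOP_DIR]
# Checks PATH and every parent directory up to STOP_DIR (default /).
# UID defaults to 0 (root). STOP_DIR exists so the walk can be tested
# in a scratch directory; leave it at / for a real audit.
audit_sudo_target() {
    ast_path=$1; ast_uid=${2:-0}; ast_stop=${3:-/}
    case $ast_path in
        /*) ;;
        *) echo "need an absolute path: $ast_path"; return 2 ;;
    esac
    while :; do
        check_entry "$ast_path" "$ast_uid" || return 1
        if [ "$ast_path" = "$ast_stop" ] || [ "$ast_path" = "/" ]; then
            break
        fi
        ast_path=$(dirname "$ast_path")
    done
    echo "ok: $1"
}

# Usage on the path from the sudoers line above:
#   audit_sudo_target /usr/local/bin/thescript
```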