Date: Fri, 28 Aug 2009 03:58:48 -0700 From: George Davidovich <freebsd@optimis.net> To: freebsd-questions@freebsd.org Subject: Re: SUID permission on Bash script Message-ID: <20090828105848.GA4410@marvin.optimis.net> In-Reply-To: <beaf3aa50908280201h7538b1e9q9acd58296da107db@mail.gmail.com> References: <beaf3aa50908280124pbd2c760v8d51eb4ae965dedc@mail.gmail.com> <87y6p4pbd0.fsf@kobe.laptop> <beaf3aa50908280200p1f5338eaud3e6fc371689580b@mail.gmail.com> <beaf3aa50908280201h7538b1e9q9acd58296da107db@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Aug 28, 2009 at 10:01:54AM +0100, Jeronimo Calvo wrote: > 2009/8/28 Giorgos Keramidas <keramida@ceid.upatras.gr> > > On Fri, 28 Aug 2009 09:24:35 +0100, Jeronimo Calvo > <jeronimocalvop@googlemail.com> wrote: > > > > > > Im trying to set up a reaaallly basic scrip to allow one user to > > > shutdown my machine without root permisions, seting up SUID as > > > follows: > > > > > > -rwsrwxr-- 1 root wheel 38 Aug 27 23:12 apagar.sh > > > > > > $ ./apagar.sh > > > > > > Permission denied > > > > > > content of script: > > > > > > cat apagar.sh > > > > > > ]#!/usr/local/bin/bash > > > shutdown -p now > > > > > > As far as i know, using SUID, script must runs with root > > > permissions... so i shoudnt get "Permission denied", what im doing > > > wrong?? > > > > No it must not. There are security reasons why shell scripts are not > > setuid-capable. You can find some of them in the archives of the > > mailing list, going back at least until 1997. > > > > The good thing is that you don't need a shell script to do that. You > > can install `sudo' and give permission to the specific user to run: > > > > sudo shutdown -p now > > so SUID can be applied to sh but it doesn't work!, there is not anyway > to apply it? apart from installing sudo?, The thing is that installing > sudo and adding that user into sudoers, that user will be capable to do > any other SU tasks, apart of shutting down... wich i dont like :D (I > know that SUID could be even worst if they edit the .sh file... but lets > believe they dont even know that XD) Please refrain from top-posting. It's both confusing and inconsiderate for anyone trying to read what you write or otherwise trying follow a discussion. First, as has already been pointed out, your approach is A Really Bad Idea and will lead nowhere so forget it. Second, you're misunderstanding sudo. From sudo(8): sudo allows a permitted user to execute a command as the superuser or another user, as specified in the sudoers file. Note the "as specified". For example, if the sudoers file contains nothing but john ALL= NOPASSWD: /usr/sbin/shutdown then John (and only John) can use sudo to execute /usr/sbin/shutdown, but can't use sudo to execute any other commands. As an alternative to installing sudo, you can add your user to the operator group: pw groupmod operator -m john but be sure to understand the ramifications before doing so. -- George
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090828105848.GA4410>