: I have a shell script with SET-UID on (belonging to root), permissions appear as
: -rwsr-sr-x 1 root root <usual stuff>
: The script is a copy straight from my Sun system, the chmod was done as per the
: Sun as well.
Sun OS really allows this? Ha ha! All their files are mine!
: When executed, it has the Effective UID of the caller, not of root.
: Is there a security mechanism at work or have I missed something? Is there such
: a difference between bash and sh?
There is a rather important security mechanism at work here.
: The script is to allow a 'naive' user to clean the logs - without giving them
: the root password. Any advice (either a fix or an alternate method of doing it)
: would be greatly appreciated.
As of Unix Version 7 (and I've never played with an earlier version) the
suid bit is only effective for programs, not for scripts.
However, (I seem to recall being told not to begin paragraphs with however,
nevertheless...) all is not lost. What you need is a program, suid root,
that runs your shell script, which is owned by root, and not writeable by
anyone else.
I offer an example of such a program here:
/************************************************************************/
/* so_sue_me.c a wholly owned property of me, mpn, unless you can find the
   book I cribbed it from! */
#include <stdlib.h>      /* for system() */
int main(void)
{
    /* your script name between the quotation marks; give the full path */
    system("/etc/testscript");
    return(0);
}
/************************************************************************/
cc this; chown root and chmod 4755 the result. A script run by such a
program will think it is being run by root.
N.B. The script must have as its first line an instruction to tell the
operating system what to use to interpret it, like this:
#!/bin/sh
There is a more sophisticated way of doing this, with logging and sending
mail to root, and issuing dire warnings, while requiring the user's own
password, for which you can find code (that needs a small amount of
translation from BSD) in Nemeth, Snyder, & Seebass's "Unix System
Administration Handbook."
--
While I'll admit that anyone can make a mistake once,
to go on making the same lethal errors century after
century seems to me nothing short of deliberate.--V.
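The wrapper idea above, as an added example rather than the poster's code: the same setuid program, but it stats the script and refuses anything that is not root-owned and write-protected, and it execs /bin/sh on the script with a fixed environment instead of handing the caller's environment to system(). The path /etc/testscript is the post's own placeholder; the build and chown/chmod steps are as described above.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#define SCRIPT "/etc/testscript"   /* placeholder: the root-owned script */

/* Pure policy check, kept apart from stat() so it can be tested without root:
 * owned by uid 0, a regular file, and not writable by group or others
 * (anyone who can edit the script would otherwise run commands as root). */
int script_ok(uid_t owner, mode_t mode)
{
    if (owner != 0 || !S_ISREG(mode))
        return 0;
    if (mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Look the script up on disk and apply the policy above. */
int script_on_disk_ok(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    return script_ok(st.st_uid, st.st_mode);
}

int main(void)
{
    /* Fixed environment: nothing inherited from the caller. */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };

    if (!script_on_disk_ok(SCRIPT)) {
        fprintf(stderr, "%s: refusing to run (not root-owned, regular, "
                        "and write-protected)\n", SCRIPT);
        return 1;
    }
    /* Some shells drop the effective uid when it differs from the real uid,
     * so make them equal before the exec. */
    if (setuid(geteuid()) != 0) {
        perror("setuid");
        return 1;
    }
    /* Run the interpreter on the script directly: no shell -c parsing. */
    execle("/bin/sh", "sh", SCRIPT, (char *)NULL, envp);
    perror("execle");
    return 1;
}
```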