chpasswd

Post by khollo » Tue, 24 Aug 2004 18:20:16



Hi all.

I am calling a BASH script from a php program to change a user's
password on a Linux system.

Basically the php program writes the username and password to a file
called /tmp/chpasswd in the format "user:password" and then executes a
BASH script called chpasswd.sh which looks like this:

=====================================================================

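#!/bin/bash

# Refuse any request whose user:password line contains "root"
grep root /tmp/chpasswd

if [ "$?" -eq "0" ]
then
    exit 1
else
    # Otherwise pass the user:password file to chpasswd
    /usr/sbin/chpasswd /tmp/chpasswd
fi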

=====================================================================

It is a simple script and it works if I run it as root from the shell.
Now the problem I have is to get it to work when it is executed from
the php.  
I have set the permissions and ownership like this:

-rwsr-xr-x  1 root www 127 Aug 23 09:11 chpasswd.sh

So if I understand it correctly, the script should run with the UID of
root no matter which user runs it. However, when I try to execute it as
a non-root user, I get this error:

Cannot lock password file: already locked.
chpasswd: line 1: cannot update password entry
chpasswd: errors occured, 1 passwords not updated

And running it from the php just fails.

Any ideas?

Thanks

--
kholloi

 
 
 


Post by Stachu 'Dozzie' K » Tue, 24 Aug 2004 22:14:36


[...]

> It is a simple script and it works if I run it as root from the shell.
> Now the problem I have is to get it to work when it is executed from
> the php.  
> I have set the permissions and ownership like this:

> -rwsr-xr-x  1 root www 127 Aug 23 09:11 chpasswd.sh

> So if I understand it correctly, the script should run with the UID of
> root no matter which user runs it. However, when I try to execute it as
> a non-root user, I get this error:

No, you understand it incorrectly. The SUID bit *never* affects scripts,
only binaries (it's a small simplification, try searching for suid-perl).
It's for security reasons.

Try writing a simple C program doing the same thing or even execing this
script (necessarily with the *full path* to the script!).

--
Stanislaw Klekot
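
The C wrapper suggested in the reply above, written out as an added example that is not part of the original posts. The install path in SCRIPT_PATH and the helper script_is_trusted are assumptions, and the directory holding the script is assumed to be root-owned too.

```c
/* Added example, not from the thread: setuid-root wrapper for chpasswd.sh. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed install path; the thread does not say where chpasswd.sh lives. */
#define SCRIPT_PATH "/usr/local/sbin/chpasswd.sh"

/* Fixed environment for the script; nothing is inherited from the caller. */
static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Return 1 only for a regular file owned by `owner` that neither its
 * group nor other users can write to, so only `owner` can change what
 * the wrapper will run with elevated privileges. */
int script_is_trusted(const struct stat *st, uid_t owner)
{
    if (!S_ISREG(st->st_mode))
        return 0;
    if (st->st_uid != owner)
        return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

int main(void)
{
    /* argv is built here; the caller's arguments are ignored. */
    char *const script_argv[] = { SCRIPT_PATH, NULL };
    struct stat st;

    if (stat(SCRIPT_PATH, &st) != 0 || !script_is_trusted(&st, 0)) {
        fprintf(stderr, "refusing to run %s\n", SCRIPT_PATH);
        return 1;
    }
    /* The setuid bit changes only the effective UID. bash gives that up
     * when it differs from the real UID, so set the real UID as well. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    execve(SCRIPT_PATH, script_argv, clean_env);
    perror("execve");   /* reached only if execve failed */
    return 1;
}
```

The setuid bit goes on the compiled wrapper; chpasswd.sh itself stays root-owned and needs no setuid bit.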

 
 
 


Post by Kevin Rodger » Wed, 25 Aug 2004 02:14:07


> No, you understand it incorrectly. The SUID bit *never* affects scripts,
> only binaries (it's a small simplification, try searching for suid-perl).

That must depend on the OS, as I've used setuid and setgid scripts
successfully (on SunOS/Solaris).  But they were not owned by root.

> It's for security reasons.

I don't think setuid scripts are a security issue in general, just
setuid root scripts.

--
Kevin Rodgers

 
 
 


Post by Stachu 'Dozzie' K » Wed, 25 Aug 2004 21:38:43




> > No, you understand it incorrectly. The SUID bit *never* affects scripts,
> > only binaries (it's a small simplification, try searching for suid-perl).

> That must depend on the OS, as I've used setuid and setgid scripts
> successfully (on SunOS/Solaris).  But they were not owned by root.

Heh, good to know. Thanks.

> > It's for security reasons.

> I don't think setuid scripts are a security issue in general, just
> setuid root scripts.

I agree. All setuid executable files are a potential security risk, even
"stupid" ping.

--
Stanislaw Klekot

 
 
 

1. Any one can compile chpasswd in x86 Solaris?

Did anyone successfully compile chpasswd (software from
http://sic.popnet.pl/~mlody/chpasswd/ to allow users to change their
password via www) on x86 Solaris? I use gcc downloaded from
sunfreeware and tried to use Sun's make and gmake but no luck.

I got the error:
gcc -Wall -O2 -DHAVE_SHADOW -o chpasswd chpasswd.c salt.o pw_encrypt.o
md5_crypt.o des_crypt.o cgilib.o mgets.o libs/pwio.o libs/shadowio.o
libs/commonio.o libs/sgetpwent.o
Undefined                       first referenced
 symbol                             in file
sgetspent                           libs/shadowio.o
ld: fatal: Symbol referencing errors. No output written to chpasswd
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `all'

Any suggestion would be very much appreciated.
