Board index Unix shell

setuid

setuid

Post by Eros Albertazz » Wed, 27 Mar 2002 20:56:50



I would like to create a script (or a program, with exec family
function? how?) to allow users to cat a file owned by root
(They are the input of jobs to be run by the OpenPBS batch system,...and
this system store them in root directory, in read for root only)

I am aware that Linux shells drop the setuid to root ( and indeed I
obtain, with such a script, a "permission denied")

What can I do?   Any hints or template?
Regards.
--
Eros Albertazzi
CNR-IMM, Via P.Gobetti 101, 40129 Bologna, Italy  
Tel: (+39)-051-639 9179
Fax: (+39)-051-639 9216

 
 
 
Top

setuid

Post by those who know me have no need of my nam » Thu, 28 Mar 2002 03:45:53



Quote:>I would like to create a script (or a program, with exec family
>function? how?) to allow users to cat a file owned by root

this (a set-uid root script) is almost always a mistake, since most
interpreters can be influenced by the environment and that can be used to
cause them to misinterpret the script, often providing local elevation to
root.

Quote:>What can I do?   Any hints or template?

sudo can solve the problem, e.g.,

  script (which is not set-uid):

    #!/bin/sh
    sudo cat /root/file

  sudoers entry:

    ALL=(root) NOPASSWD: /bin/cat /root/file

--
bringing you boring signatures for 17 years

 
 
 
Top

1. Need help with setuid() problems on 386/ix with setuid root program.

I have a program that needs to be able to do the following under ISC 386/ix
(System V R3.2):

        setuid to one of about 3 different accounts ("Account X")
        do some work under that ID.
(*)     setuid back to the ID of the person that originally ran it.
        send some mail to Account X saying what was done.

The program needs to be able to change to one of the 3 or so different
accounts, so It's made setuid root. It doesn't actually want to do its
work under uid root, so it setuid's to whichever account it needs immediately.
[ It can't setuid to ANY account, only to one of the 3 or so ].

The problem is that when the program send the mail to X, I want it to come
addressed from the person that ran the program, not from X.

According to the manual, you can setuid() to the saved-uid from exec();
but I can't get the setuid back to the persons ID to work. (*)

        Can anyone shed some insight on my problem?

                                        thanks
                                                Greyham.
--
/*  Greyham Stoney:                            Australia: (02) 428 6476  *

 *          "BUT THAT'S JUST A BUTTON ON A STRING, BASICLY!!!"           */

2. 2.2 release, where is it

3. Making ip-[up.down] script "setuid"

4. Upgrading Kernel, PPP?

5. setuid

6. What makes lack-of-.html-extension work in the URL?

7. Help- PING needed, not setuid root

8. Executable version number.

9. multi-users, dip and setuid security!?!?

10. Setuid on shell scripts and permissions problem

11. Very Simple Setuid Question

12. setuid vs seteuid

13. xlock is setuid root!?


All times are UTC
Board index