Post by Eros Albertazz » Wed, 27 Mar 2002 20:56:50

I would like to create a script (or a program, with exec family
function? how?) to allow users to cat a file owned by root
(They are the input of jobs to be run by the OpenPBS batch system, ... and
this system stores them in the root directory, readable by root only)

I am aware that Linux shells drop the setuid to root (and indeed I
obtain, with such a script, a "permission denied")

What can I do?   Any hints or template?
Eros Albertazzi
CNR-IMM, Via P.Gobetti 101, 40129 Bologna, Italy  
Tel: (+39)-051-639 9179
Fax: (+39)-051-639 9216



Post by those who know me have no need of my nam » Thu, 28 Mar 2002 03:45:53

>I would like to create a script (or a program, with exec family
>function? how?) to allow users to cat a file owned by root

this (a set-uid root script) is almost always a mistake, since most
interpreters can be influenced by the environment and that can be used to
cause them to misinterpret the script, often providing local elevation to

>What can I do?   Any hints or template?

sudo can solve the problem, e.g.,

  script (which is not set-uid):

    sudo cat /root/file

  sudoers entry:

    ALL ALL=(root) NOPASSWD: /bin/cat /root/file

bringing you boring signatures for 17 years
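
An added example, not part of either post above: a minimal compiled setuid-root helper for the "program" the question asks about. It reads one hard-coded file and gives up root permanently before writing any output, so no interpreter, argument or environment variable can influence it. The function name `cat_as_invoker` and the install mode (root:root, 4755) are assumptions; `/root/file` is the path used in the sudoers line above.

```c
/* Added example, not from the thread. Assumed install: root:root, mode 4755. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define FIXED_PATH "/root/file"  /* path from the sudoers line in the reply */

/* Open path while still privileged, then drop privileges for good before
 * producing any output. Returns 0 on success, -1 with errno set on failure. */
int cat_as_invoker(const char *path, int out_fd)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    char buf[4096];
    ssize_t n;

    /* O_NOFOLLOW: refuse a symlink as the final path component. */
    int in_fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    int saved = errno;

    /* Group first, then user; with euid 0, setuid() also resets the saved uid. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0) abort();
    /* The drop must be permanent: getting root back has to fail. */
    if (ruid != 0 && (geteuid() == 0 || setuid(0) == 0)) abort();

    if (in_fd < 0) { errno = saved; return -1; }
    while ((n = read(in_fd, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(out_fd, buf + off, (size_t)(n - off));
            if (w < 0) { close(in_fd); return -1; }
            off += w;
        }
    }
    close(in_fd);
    return n < 0 ? -1 : 0;
}

int main(void)
{
    /* No argv, no environment lookups, no exec of a shell or of cat. */
    if (cat_as_invoker(FIXED_PATH, STDOUT_FILENO) != 0) {
        fprintf(stderr, "cannot read %s: %s\n", FIXED_PATH, strerror(errno));
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS;
}
```

Unlike the sudoers entry, this helper leaves no record of who read the file unless logging is added, and the set of permitted users is controlled only by the binary's own file permissions.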


1. Need help with setuid() problems on 386/ix with setuid root program.

I have a program that needs to be able to do the following under ISC 386/ix
(System V R3.2):

        setuid to one of about 3 different accounts ("Account X")
        do some work under that ID.
(*)     setuid back to the ID of the person that originally ran it.
        send some mail to Account X saying what was done.

The program needs to be able to change to one of the 3 or so different
accounts, so it's made setuid root. It doesn't actually want to do its
work under uid root, so it setuid's to whichever account it needs immediately.
[ It can't setuid to ANY account, only to one of the 3 or so ].

The problem is that when the program sends the mail to X, I want it to come
addressed from the person that ran the program, not from X.

According to the manual, you can setuid() to the saved-uid from exec();
but I can't get the setuid back to the person's ID to work. (*)

        Can anyone shed some insight on my problem?

/*  Greyham Stoney:                            Australia: (02) 428 6476  *

 *          "BUT THAT'S JUST A BUTTON ON A STRING, BASICLY!!!"           */
