Permissions Problem


Post by Michael D. Kirkpatric » Wed, 18 Oct 2000 04:00:00



I wrote a script that needs to be run by a non-root user.  The script
calls a simple root command:

SCRIPT:

#!/bin/sh
ipchains -L

I gave it the permission of 5555.
When it is run by my non-root account, I get this message:
ipchains: Permission denied (you must be root)

Is there a way to get my script to take on the role of root to execute
this simple command?

I can do it with perl, but I don't want to use perl.

As for security, the system that I am using, I am the only person with
permission to even access it.

Thanks in advance

 
 
 


Post by Tim Hayne » Wed, 18 Oct 2000 04:00:00



> #!/bin/sh
[snip]
> I gave it the permission of 5555.
> When it is run by my non-root account, I get this message:
> ipchains: Permission denied (you must be root)

You can't do that. You don't really want to do that, setuid on scripts
would be Bad, therefore we don't do it. You should investigate `sudo' or
`super' or something similar instead.

~Tim
--

(seen mid-windows 98 installation)              | http://piglet.is.dreaming.org

 
 
 


Post by Michael D. Kirkpatric » Wed, 18 Oct 2000 04:00:00


This is being run on a secure server.  So security of the script is not important.
No one other than me has access to the machine locally or remotely.  I have apache
installed and I don't feel like recompiling it to access the scripts as root.root.
No one else even has access to the apache side of the server either.  To be honest,
this is my firewall and I am trying to make a web interface to look at certain
stats and make minor modifications (i.e.: start/stop services, etc...).  So security
is not an issue here.  I have been beating myself up over trying to get this damn
script to work for the last 5 days now.  If you can give me some insight on how to
get it to work, it would be greatly appreciated.

If I have to, I will recompile apache to use root.root as its user.  I would
prefer not doing that since I may run a simple web site from it some time in the
future.

Thanks in advance.



> > #!/bin/sh
> [snip]
> > I gave it the permission of 5555.
> > When it is run by my non-root account, I get this message:
> > ipchains: Permission denied (you must be root)

> You can't do that. You don't really want to do that, setuid on scripts
> would be Bad, therefore we don't do it. You should investigate `sudo' or
> `super' or something similar instead.

> ~Tim
> --

> (seen mid-windows 98 installation)              | http://piglet.is.dreaming.org

 
 
 


Post by Tim Hayne » Wed, 18 Oct 2000 04:00:00



with line-wrapping problems:

> This is being run on a secure server. So security of the script is not
> important. No one other than me has access to the machine locally or
> remotely. I have apache installed and I don't feel like recompiling it to
> access the scripts as root.root. No one else even has access to the
> apache side of the server either. To be honest, this is my firewall

I thought you said something about it being a `secure server'??

> and I am trying to make a web interface to look at certain stats and make
> minor modifications (i.e.: start/stop services, etc...). So security is not
> an issue here. I have been beating myself up over trying to get this damn
> script to work for the last 5 days now. If you can give me some insight
> on how to get it to work, it would be greatly appreciated.

Well, if you want to patch the kernel to make it run scripts setuid, feel
free. Just don't submit it to the kernel mailing list.

> If I have to, I will recompile apache to use root.root as its user. I
> would prefer not doing that since I may run a simple web site from it
> some time in the future.

Why recompile anything? I've already said, USE SUDO. USE SUPER. Go figure.

~Tim
--

The apple must fall to the ground               | http://piglet.is.dreaming.org

 
 
 


Post by Michael D. Kirkpatric » Wed, 18 Oct 2000 04:00:00


> Why recompile anything? I've already said, USE SUDO. USE SUPER. Go figure.

> ~Tim
> --

> The apple must fall to the ground               | http://piglet.is.dreaming.org

I just looked for USE SUDO and USE SUPER.  I cannot find any entries on how to do
that.  Can you please give me some insight on how to accomplish this, it would be
greatly appreciated.

Thanks.

 
 
 


Post by Dim » Wed, 18 Oct 2000 04:00:00



>> Why recompile anything? I've already said, USE SUDO. USE SUPER. Go figure.

>> ~Tim
>> --

>> The apple must fall to the ground               | http://piglet.is.dreaming.org

>I just looked for USE SUDO and USE SUPER.  I cannot find any entries on how to do
>that.  Can you please give me some insight on how to accomplish this, it would be
>greatly appreciated.

"Use" is what you're supposed to do, "sudo" and/or "super" are
what you're supposed to use. HTH.

Dima (oh, try 'man su' for starters)
--
dmaziuk at crosswinds dot net
-----------------------------
I'm not crazy. I've just been in a very bad mood for 30 years.

 
 
 


Post by Michael Erskin » Wed, 18 Oct 2000 04:00:00


> You can't do that. You don't really want to do that, setuid on scripts
> would be Bad, therefore we don't do it. You should investigate `sudo' or
> `super' or something similar instead.

Tim;
Hey! Talk with me about why SUID scripts are bad.  I use them from time
to time and if I am making a mistake, I need to know.
-m-

--
      Nothing astonishes men so much as common sense and plain dealing.

 
 
 


Post by Tim Hayne » Thu, 19 Oct 2000 04:00:00



> > You can't do that. You don't really want to do that, setuid on scripts
> > would be Bad, therefore we don't do it. You should investigate `sudo'
> > or `super' or something similar instead.

> Tim;
> Hey! Talk with me about why SUID scripts are bad.  I use them from time
> to time and if I am making a mistake, I need to know.

You can't be using setuid scripts unless you mean perl scripts or you've
patched the kernel. I'm talking shell scripts.

We've done the discussion as to why they're bad before now.

~Tim
--
   9:51am  up 64 days, 11:32, 10 users,  load average: 0.00, 0.01, 0.00

http://piglet.is.dreaming.org |Made of earth and salt and rain
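
An added example, not written by anyone in this thread: a shell audit that lists files which carry the setuid or setgid bit but are `#!` scripts, like the mode 5555 script in the original question, so each one can be replaced by a `sudo` or `super` rule as recommended above. The function names and the constructed sample tree are assumptions for illustration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: list setuid/setgid files that are "#!" scripts.

# is_script FILE: succeed if FILE starts with the bytes 0x23 0x21 ("#!").
is_script() {
    magic=$(head -c 2 -- "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "2321" ]
}

# find_setid_scripts DIR: print "<octal mode> <path>" for every regular file
# under DIR that has the setuid or setgid bit and is a script, sorted by path.
# Assumes GNU stat (-c) and paths without embedded newlines.
find_setid_scripts() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    sort |
    while IFS= read -r f; do
        if is_script "$f"; then
            printf '%s %s\n' "$(stat -c %a -- "$f")" "$f"
        fi
    done
}

# make_sample_tree: build a constructed sample tree and print its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\nipchains -L\n' > "$d/fwlist.sh"  # script from the thread
    chmod 5555 "$d/fwlist.sh"                           # setuid + sticky + r-x
    printf '#!/bin/sh\necho ok\n' > "$d/plain.sh"       # script, no setuid bit
    chmod 0755 "$d/plain.sh"
    printf 'not a script\n' > "$d/data.bin"             # setuid, but no "#!"
    chmod 4755 "$d/data.bin"
    printf '%s\n' "$d"
}

# Demo on the constructed tree: only fwlist.sh is reported.
tree=$(make_sample_tree)
find_setid_scripts "$tree"
rm -rf "$tree"
```

Pointing `find_setid_scripts` at a real directory such as `/usr/local/bin` reports the scripts whose setuid bit is set even though, as the post above says, an unpatched kernel will not honour it.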

 
 
 


Post by Michael Erskin » Thu, 19 Oct 2000 04:00:00


> You can't be using setuid scripts unless you mean perl scripts or you've
> patched the kernel. I'm talking shell scripts.

Well, that one slipped right past me.  I see that you are correct.  I just
wrote one and the system barfed on it.

Now honestly, I expect there are a couple of people here who would just take
your word for why they have been disallowed.

> We've done the discussion as to why they're bad before now.

I don't want to debate, just give me a one liner...

-m-
--
Hmmm, no sig?  Well there was one here.

 
 
 


Post by Tim Hayne » Fri, 20 Oct 2000 04:00:00



> > We've done the discussion as to why they're bad before now.

> I don't want to debate, just give me a one liner...

Probably the best I can dredge up is a pointer to
<http://www.tardis.ed.ac.uk/~adk/old/Virtual/Security/setuid/setuid.html>.

(Oops, 2 lines. Oh well :)

~Tim
--

Bright in the primal glow                       | http://piglet.is.dreaming.org

 
 
 


Post by Michael Erskin » Fri, 20 Oct 2000 04:00:00



> Probably the best I can dredge up is a pointer to
> <http://www.tardis.ed.ac.uk/~adk/old/Virtual/Security/setuid/setuid.html>.

Thank you, Sir!  How did I miss that...  ah, well.  I am glad I have seen it now.

G'Day, Eidenburg

--
It is no measure of health to be well adjusted to a profoundly sick society.
                     J. (Jiddu) Krishnamurti

 
 
 


Post by Michael Erskin » Fri, 20 Oct 2000 04:00:00


And it is clear to me that someone was watching out for me,
and I didn't even know it.

-m-
--
You can fool some of the people all of the time and you can fool all of
the people some of the time but you can not fool all of the people all
of the time.  - A. Lincoln

 
 
 
