-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hinko Kocevar wrote:
> Hi,
>
> I'm trying to touch a file in /sbin during boot time
> and would like to do that with a normal user by running
> a SUIDed shell script.
> I have the following script:
> hinkok@alala /tmp $ cat test.sh
> #!/bin/sh
>
> touch /sbin/foo.bar
> exit $?
>
> hinkok@alala /tmp $ sudo chmod +x test.sh
> hinkok@alala /tmp $ sudo chown root:root test.sh
> hinkok@alala /tmp $ sudo chmod +s test.sh
> hinkok@alala /tmp $ ls -l test.sh
> -rwsr-sr-x 1 root root 32 Mar 2 09:27 test.sh
> hinkok@alala /tmp $ sh -x test.sh
> + touch /sbin/foo.bar
> touch: cannot touch `/sbin/foo.bar': Permission denied
>
> Can somebody help me with that?
>
> Thank you!
>
> Best regards,
> Hinko

Linux does not support s[ug]id scripts; however, you can emulate the
effect of it using sudo. In your shell script, do the following:

#!/bin/sh
# If we are not already root, re-execute this same script through sudo,
# passing the original arguments along; exec replaces the current process.
[ "$(id -u)" -ne 0 ] && exec sudo "$0" "$@"

# put the rest of the script here

and add a line to /etc/sudoers that reads:

ALL ALL=NOPASSWD: /path/to/script

This will allow any user (the first "ALL") from any host (the second
"ALL") to run /path/to/script as root:root without any authentication,
by simply calling /path/to/script (or just "script", if it happens to be
in the $PATH).

NB - I haven't actually tried this recently, so I might be wrong on some
of the specifics, but the general idea should hold.

Also, if you want to restrict *who* can run the script, you can change
the first "ALL" to something else, see sudoers(5) for details - also you
can restrict *where* it can be run by changing the second "ALL".

If you want to make the user enter *their own* password, remove the
"NOPASSWD:". If you want to make the user enter *root's* password, read
the man page - I don't remember the option, but I know there is one.

- --
ABCD
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkmrneIACgkQOypDUo0oQOqhCwCgqspw4mIaGhDdkjyFkYbUnmMF
DgAAn0rG+V5ZFmwp8GWPPUc80cyB0EGB
=NE1x
-----END PGP SIGNATURE-----
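The reply above sketches the "re-exec yourself through sudo" pattern and a NOPASSWD sudoers rule. The script below is an added example, not code from either message in the thread, and it covers the two things a practitioner checks before deploying that pattern: sudoers matches the command by its absolute path, so the wrapper should hand sudo an absolute path rather than a bare "$0"; and a NOPASSWD target that any user can overwrite (or that is reached through a symlink someone else can retarget) is a root shell for that user, so the target should be a root-owned regular file that nobody else can write. The path /usr/local/sbin/script in the usage comment is a placeholder, not a path from the original mail; the check runs entirely offline and needs no root.

```shell
#!/bin/sh
# Added example (not from the mail above): a hardened form of the
# "re-exec under sudo" wrapper plus a pre-flight check for the file that
# a NOPASSWD sudoers rule hands to every user as root.

# Print FILE as an absolute path, with symlinks in its directory resolved.
abs_path() {
    dir=$(cd "$(dirname -- "$1")" && pwd -P) || return 1
    printf '%s/%s\n' "$dir" "$(basename -- "$1")"
}

# Pure check on an ls-style mode string (e.g. "-rwsr-sr-x") and an owner
# name: 0 = acceptable sudo target, 1 = rejected. Rejects anything that is
# not a regular file, not owned by root, or writable by group or others.
mode_owner_ok() {
    perm=$1
    owner=$2
    case "$perm" in
        -*) ;;               # regular file
        *)  return 1 ;;      # symlink, directory, device, ...
    esac
    [ "$owner" = root ] || return 1
    case "$perm" in
        ?????w*)    return 1 ;;   # group-writable  (6th character)
        ????????w?) return 1 ;;   # world-writable  (9th character)
    esac
    return 0
}

# Gather mode and owner of FILE without following symlinks, then check.
sudo_target_ok() {
    [ -e "$1" ] || [ -L "$1" ] || return 1
    set -- "$(ls -ld -- "$1")"
    mode_owner_ok "$(printf '%s' "$1" | cut -c1-10)" \
                  "$(printf '%s' "$1" | awk '{print $3}')"
}

# Wrapper to put at the top of the privileged script: re-exec through sudo
# by absolute path, so the invocation matches the sudoers rule whether the
# user typed "./script" or a bare name found in $PATH.
reexec_as_root() {
    if [ "$(id -u)" -ne 0 ]; then
        exec sudo -- "$(abs_path "$0")" "$@"
    fi
}

# Usage as an admin check (placeholder path):
#   sh this_file /usr/local/sbin/script
if [ $# -gt 0 ]; then
    if sudo_target_ok "$1"; then
        echo "ok: $(abs_path "$1") is safe to list in sudoers"
    else
        echo "refuse: $1 is not a root-owned, non-writable regular file" >&2
        exit 1
    fi
fi
```

Run the file with the target path as its argument before adding the sudoers line; in the privileged script itself, call reexec_as_root "$@" as the first statement instead of the bare [ ... ] && exec sudo "$0" line. Note that the check only covers the file: if the directory containing it is writable by others, the file can still be replaced, so put the script in a root-owned directory such as one under /usr/local/sbin.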