Gentoo Archives: gentoo-user

From: ABCD <en.ABCD@×××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] Re: SUID
Date: Mon, 02 Mar 2009 08:51:11
Message-Id: gog6l3$mpf$1@ger.gmane.org
In Reply to: [gentoo-user] SUID by Hinko Kocevar
Hinko Kocevar wrote:
> Hi,
>
> I'm trying to touch a file in /sbin during boot time
> and would like to do that with a normal user by running
> a SUIDed shell script.
> I have the following script:
> hinkok@alala /tmp $ cat test.sh
> #!/bin/sh
>
> touch /sbin/foo.bar
> exit $?
>
> hinkok@alala /tmp $ sudo chmod +x test.sh
> hinkok@alala /tmp $ sudo chown root:root test.sh
> hinkok@alala /tmp $ sudo chmod +s test.sh
> hinkok@alala /tmp $ ls -l test.sh
> -rwsr-sr-x 1 root root 32 Mar 2 09:27 test.sh
> hinkok@alala /tmp $ sh -x test.sh
> + touch /sbin/foo.bar
> touch: cannot touch `/sbin/foo.bar': Permission denied
>
> Can somebody help me with that?
>
> Thank you!
>
> Best regards,
> Hinko

Linux does not support s[ug]id scripts; however, you can emulate the
effect of it using sudo - in your shell script, do the following:

#!/bin/sh
# Re-exec this script through sudo unless we are already running as root
[ $(id -u) -ne 0 ] && exec sudo "$0" "$@"

# put the rest of the script here

and add a line to /etc/sudoers that reads:

ALL ALL=NOPASSWD: /path/to/script

This will allow any user (the first "ALL") from any host (the second
"ALL") to run /path/to/script as root:root without any authentication,
by simply calling /path/to/script (or just "script", if it happens to be
in the $PATH).

NB - I haven't actually tried this recently, so I might be wrong on some
of the specifics, but the general idea should hold.

Also, if you want to restrict *who* can run the script, you can change
the first "ALL" to something else, see sudoers(5) for details - also you
can restrict *where* it can be run by changing the second "ALL".

If you want to make the user enter *their own* password, remove the
"NOPASSWD:". If you want to make the user enter *root's* password, read
the man page - I don't remember the option, but I know there is one.

--
ABCD
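A hardened form of the re-exec-through-sudo wrapper described above, as an added example that is not code from the original thread: it re-executes through the absolute installed path rather than "$0" (sudo matches the command by path, so a copy in /tmp is not covered by the rule), refuses to re-exec if sudo already ran it but it is still not root (otherwise it would loop), and keeps the policy decision in a function. The install path /usr/local/sbin/privwrap.sh and the matching sudoers rule are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's code. Assumed install path (placeholder):
#   /usr/local/sbin/privwrap.sh
# matched by an assumed sudoers rule of the form discussed in the thread:
#   ALL ALL=NOPASSWD: /usr/local/sbin/privwrap.sh
set -eu
PATH=/usr/bin:/bin:/usr/sbin:/sbin      # do not trust the caller's PATH
SCRIPT_PATH=/usr/local/sbin/privwrap.sh

# Decide what the wrapper should do; prints run, reexec or refuse.
#   $1 uid of the current process    $2 path we were started as ($0)
#   $3 canonical path from sudoers   $4 SUDO_UID if sudo already ran us, else ""
# Pure function (no sudo/id calls) so the policy can be tested on its own.
decide() {
    if [ "$1" -eq 0 ]; then
        echo run          # already root: go ahead with the privileged work
    elif [ -n "$4" ]; then
        echo refuse       # sudo ran us but we are still not root (rule does
                          # not grant root): re-exec'ing again would loop
    elif [ "$(readlink -f -- "$2" 2>/dev/null || echo "$2")" = "$3" ]; then
        echo reexec       # started via the installed path the rule names
    else
        echo refuse       # ./privwrap.sh or a copy elsewhere: not covered
    fi
}

main() {
    case $(decide "$(id -u)" "$0" "$SCRIPT_PATH" "${SUDO_UID-}") in
        run)    ;;
        reexec) exec sudo -- "$SCRIPT_PATH" "$@" ;;   # absolute path, never $0
        *)      echo "run me as root or via $SCRIPT_PATH" >&2; exit 1 ;;
    esac
    # privileged work goes here, e.g. the original poster's:
    touch /sbin/foo.bar
}

# Only act when installed under the expected name, so the file can also be
# sourced and decide() exercised without touching sudo.
if [ "${0##*/}" = privwrap.sh ]; then
    main "$@"
fi
```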
