ABCD wrote:
> Hinko Kocevar wrote:
>> Hi,
>>
>> I'm trying to touch a file in /sbin during boot time
>> and would like to do that with a normal user by running
>> a SUIDed shell script.
>> I have the following script:
>> hinkok@alala /tmp $ cat test.sh
>> #!/bin/sh
>>
>> touch /sbin/foo.bar
>> exit $?
>>
>> hinkok@alala /tmp $ sudo chmod +x test.sh
>> hinkok@alala /tmp $ sudo chown root:root test.sh
>> hinkok@alala /tmp $ sudo chmod +s test.sh
>> hinkok@alala /tmp $ ls -l test.sh
>> -rwsr-sr-x 1 root root 32 Mar 2 09:27 test.sh
>> hinkok@alala /tmp $ sh -x test.sh
>> + touch /sbin/foo.bar
>> touch: cannot touch `/sbin/foo.bar': Permission denied
>>
>> Can somebody help me with that?
>>
>> Thank you!
>>
>> Best regards,
>> Hinko
>
> Linux does not support s[ug]id scripts, however, you can emulate the

Hmm, I was not aware of that...

> effect of it using sudo - in your shell script, do the following:
>
> #!/bin/sh
> [ $(id -u) -ne 0 ] && exec sudo "$0" "$@"
>
> # put the rest of the script here
>
> and add a line to /etc/sudoers that reads:
>
> ALL ALL=NOPASSWD: /path/to/script
>
> This will allow any user (the first "ALL") from any host (the second
> "ALL") to run /path/to/script as root:root without any authentication,
> by simply calling /path/to/script (or just "script", if it happens to be
> in the $PATH).
>
> NB - I haven't actually tried this recently, so I might be wrong on some
> of the specifics, but the general idea should hold.
>
> Also, if you want to restrict *who* can run the script, you can change
> the first "ALL" to something else, see sudoers(5) for details - also you
> can restrict *where* it can be run by changing the second "ALL".
>
> If you want to make the user enter *their own* password, remove the
> "NOPASSWD:". If you want to make the user enter *root's* password, read
> the man page - I don't remember the option, but I know there is one.
>

Thanks for detailed info!

Best regards,
Hinko

--
Hinko Kočevar, OSS developer
ČETRTA POT, d.o.o.
Planina 3, 4000 Kranj, SI EU
tel ++386 (0) 4 280 66 03
e-mail hinko.kocevar@×××××××××.si
http www.cetrtapot.si
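The sudo re-exec wrapper from the reply above, written out as an added example (not the posters' code). It goes one step further than the quoted snippet: it resolves the name it was started under to an absolute path before calling sudo, because sudoers matches the command's full path and, for a bare name like "test.sh", sudo searches PATH rather than the current directory. The file name root-wrapper.sh, its location under /usr/local/sbin and the sudoers line in the comment are assumptions; /sbin/foo.bar is the file from the original question.

```shell
#!/bin/sh
# Hypothetical hardened variant of the sudo re-exec wrapper, assumed to be
# installed as /usr/local/sbin/root-wrapper.sh with a sudoers line such as:
#   ALL ALL=NOPASSWD: /usr/local/sbin/root-wrapper.sh ""
# The trailing "" pins the rule to "no arguments"; a rule without an argument
# list matches any arguments, which widens what the NOPASSWD grant permits.

# True (exit 0) when the given uid is not root, i.e. a re-exec is still needed.
needs_root() {
    [ "$1" -ne 0 ]
}

# Resolve the invocation name to an absolute path: absolute names pass through,
# relative paths are anchored in their real directory, bare names fall back to
# PATH lookup and then to the current directory.
script_abs_path() {
    case "$1" in
        /*)  printf '%s\n' "$1" ;;
        */*) printf '%s/%s\n' "$(cd "$(dirname "$1")" && pwd -P)" "$(basename "$1")" ;;
        *)   command -v "$1" 2>/dev/null || printf '%s/%s\n' "$(pwd -P)" "$1" ;;
    esac
}

main() {
    if needs_root "$(id -u)"; then
        # exec replaces this unprivileged shell; sudo starts the script again as root
        exec sudo -- "$(script_abs_path "$0")" "$@"
    fi
    # privileged body from the original question
    touch /sbin/foo.bar
}

# Run main only when executed as the wrapper itself, not when sourced for testing.
if [ "${0##*/}" = "root-wrapper.sh" ]; then
    main "$@"
fi
```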