| 1 |
ABCD wrote: |
| 2 |
> -----BEGIN PGP SIGNED MESSAGE----- |
| 3 |
> Hash: SHA1 |
| 4 |
> |
| 5 |
> Hinko Kocevar wrote: |
| 6 |
>> Hi, |
| 7 |
>> |
| 8 |
>> I'm trying to touch a file in /sbin during boot time |
| 9 |
>> and would like to do that with a normal user by running |
| 10 |
>> SUIDed shell script. |
| 11 |
>> I have following script: |
| 12 |
>> hinkok@alala /tmp $ cat test.sh |
| 13 |
>> #!/bin/sh |
| 14 |
>> |
| 15 |
>> touch /sbin/foo.bar |
| 16 |
>> exit $? |
| 17 |
>> |
| 18 |
>> hinkok@alala /tmp $ sudo chmod +x test.sh |
| 19 |
>> hinkok@alala /tmp $ sudo chown root:root test.sh |
| 20 |
>> hinkok@alala /tmp $ sudo chmod +s test.sh |
| 21 |
>> hinkok@alala /tmp $ ls -l test.sh |
| 22 |
>> -rwsr-sr-x 1 root root 32 Mar 2 09:27 test.sh |
| 23 |
>> hinkok@alala /tmp $ sh -x test.sh |
| 24 |
>> + touch /sbin/foo.bar |
| 25 |
>> touch: cannot touch `/sbin/foo.bar': Permission denied |
| 26 |
>> |
| 27 |
>> Can somebody help me with that? |
| 28 |
>> |
| 29 |
>> Thank you! |
| 30 |
>> |
| 31 |
>> Best regards, |
| 32 |
>> Hinko |
| 33 |
> |
| 34 |
> Linux does not support s[ug]id scripts, however, you can emulate the |
| 35 |
|
| 36 |
Hmm, I was not aware of that.. |
| 37 |
|
| 38 |
> effect of it using sudo - in your shell script, do the following: |
| 39 |
> |
| 40 |
> #!/bin/sh |
| 41 |
> [ $(id -u) -ne 0 ] && exec sudo "$0" "$@" |
| 42 |
> |
| 43 |
> # put the rest of the script here |
| 44 |
> |
| 45 |
> and add a line to /etc/sudoers that reads: |
| 46 |
> |
| 47 |
> ALL ALL=NOPASSWD: /path/to/script |
| 48 |
> |
| 49 |
> This will allow any user (the first "ALL") from any host (the second |
| 50 |
> "ALL") to run /path/to/script as root:root without any authentication, |
| 51 |
> by simply calling /path/to/script (or just "script", if it happens to be |
| 52 |
> in the $PATH). |
| 53 |
> |
| 54 |
> NB - I havn't actually tried this recently, so I might be wrong on some |
| 55 |
> of the specifics, but the general idea should hold. |
| 56 |
> |
| 57 |
> Also, if you want to restrict *who* can run the script, you can change |
| 58 |
> the first "ALL" to something else, see sudoers(5) for details - also you |
| 59 |
> can restrict *where* it can be run by changing the second "ALL". |
| 60 |
> |
| 61 |
> If you want to make the user enter *their own* password, remove the |
| 62 |
> "NOPASSWD:". If you want to make the user enter *root's* password, read |
| 63 |
> the man page - I don't remember the option, but I know there is one. |
| 64 |
> |
| 65 |
|
| 66 |
Thanks for detailed info! |
| 67 |
|
| 68 |
Best regards, |
| 69 |
Hinko |
| 70 |
|
| 71 |
-- |
| 72 |
Hinko Kočevar, OSS developer |
| 73 |
ČETRTA POT, d.o.o. |
| 74 |
Planina 3, 4000 Kranj, SI EU |
| 75 |
tel ++386 (0) 4 280 66 03 |
| 76 |
e-mail hinko.kocevar@×××××××××.si |
| 77 |
http www.cetrtapot.si |
Archives