[comp.unix.questions] Running processes as root

aidan%ncl.shire@newcastle.ac.uk (Aidan Saunders) (10/20/89)

I have a script which needs to run as root and can be used by one group of 
users.  I thought this was straightforward but it doesn't work...

This is a CMC machine running System V Unix.

The program prog1 is a shell script owned by root in group staff and of 
mode 4750
i.e.:
	-rwsr-x---  root    staff    prog1 

I want all those in the staff group to be able to run it.
When I run it (as aidan,staff), the first part of the script works OK but
that doesn't need root permissions.  Next, it tries to mv a file into /etc 
and that's where it hits problems with messages about permission denied.

Apparently prog1 does not run as root.  Why not ?

What am I doing wrong ? 
... & what do I need to do to make it work ???

Thanks,
aidan

----------------------------------------------
ARPA :: a.c.g.saunders@newcastle.ac.uk
UUCP :: ...!ukc!newcastle.ac.uk!a.c.g.saunders
----------------------------------------------

cpcahil@virtech.UUCP (Conor P. Cahill) (10/21/89)

In article <1989Oct19.182027.11171@newcastle.ac.uk>, aidan%ncl.shire@newcastle.ac.uk (Aidan Saunders) writes:
> The program prog1 is a shell script owned by root in group staff and of 
> mode 4750
> ie: 
> 	-rwsr-x---  root    staff    prog1 

Your problem is that under System V, shells do not gain setuid privileges.
If you really want this to work you need to create a small C program like 
the following:

	#include <unistd.h>
	#include <stdlib.h>
	int main(void) { execl("/bin/sh", "sh", "/etc/program", (char *) 0); exit(1); /* only reached if the exec failed */ }

	First, move prog1 to /etc/program.
	Compile the program above, chmod 4755 it, and place it wherever
	prog1 was.




-- 
+-----------------------------------------------------------------------+
| Conor P. Cahill     uunet!virtech!cpcahil      	703-430-9247	!
| Virtual Technologies Inc.,    P. O. Box 876,   Sterling, VA 22170     |
+-----------------------------------------------------------------------+

jbayer@ispi.UUCP (Jonathan Bayer) (10/21/89)

aidan%ncl.shire@newcastle.ac.uk (Aidan Saunders) writes:


>I have a script which needs to run as root and can be used by one group of 
>users.  I thought this was straightforward but it doesn't work...

>The program prog1 is a shell script owned by root in group staff and of 
>mode 4750



The set-uid bit does not work for shell scripts.  You will have to write 
a small program (or grab one from the archives) that will then execute
the shell script.  The program will be able to use the set-uid bit, and
the script that is run then will run as root.  This is generally not
a good idea.



JB
-- 
Jonathan Bayer		Intelligent Software Products, Inc.
(201) 245-5922		500 Oakwood Ave.
jbayer@ispi.COM		Roselle Park, NJ   07204    

danl@midget.towson.edu (10/22/89)

Jonathan Bayer <jbayer@ispi.uucp> writes:

>The set-uid bit does not work for shell scripts.  You will have to write
>a small program (or grab one from the archives) that will then execute
>the shell script.  The program will be able to use the set-uid bit, and
>the script that is run then will run as root.  This is generally not
>a good idea.

All of the above is quite wrong.  On all of the BSD derivatives I've used
set-uid does work for shell scripts.  True, it doesn't work on some AT&T
derivatives and you will have to use the scheme described above - a
compiled program run set-uid which exec's the appropriate shell with
the script as an argument.

In most cases, this is a very good idea, if not the only way to do some
things.  True, you must think ahead to restrict the user to executing
only the script you've chosen (i.e. don't use more to display since they
can then fork a shell as the super-user), and make sure that the user can't
replace your program with his own.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Dan Gosner				Internet: danl@midget.towson.edu
Operations Manager				  DGosner@TOE.TOWSON.EDU 
Towson State University			Bitnet:   DGosner@TOWSONVX
Academic Computing
Towson, Maryland  21204
   %% VMS pays the bills, but Unix is where my real work gets done. %%
***************************************************************************

chris@mimsy.umd.edu (Chris Torek) (10/22/89)

>Jonathan Bayer <jbayer@ispi.uucp> writes:
>>The set-uid bit does not work for shell scripts. ...

In article <21240@adm.BRL.MIL> danl@midget.towson.edu writes:
>All of the above is quite wrong.  On all of the BSD derivatives I've used
>set-uid does work for shell scripts. ...

On all of the BSD derivatives on which setuid scripts run setuid,
all such setuid scripts are not secure.

>... you must think ahead to restrict the user to executing
>only the script you've chosen

With the existing implementations, this is not possible.  (Sorry.)
You have to write at least one C program.

It might be fixed in some future release.  It is not impossible to fix.
-- 
`They were supposed to be green.'
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163)
Domain:	chris@cs.umd.edu	Path:	uunet!mimsy!chris