rob@sparky.HAC.COM (Rob Henderson) (10/07/88)
Greetings, I give up!! This problem has gotten the best of me so I am turning to the net for help. FYI, I'm running SunOS 3.4 on a Sun 3/260. I have set up the following two accounts:

dummy::0:1:dummy:/:/usr/local/bin/dummy_account
fixdrip::0:1:fixdrip:/:/usr/local/bin/fixdrip_account

The login scripts (dummy_account and fixdrip_account) run another script (/sparky/rob/tmp/script.sh), which works for the dummy account but bombs with "restricted" messages for the fixdrip account. The problem should be clear after you read the following:

===========================================
Script started on Thu Oct 6 17:52:32 1988
% egrep "dummy|fixdrip" /etc/passwd
dummy::0:1:dummy:/:/usr/local/bin/dummy_account
fixdrip::0:1:fixdrip:/:/usr/local/bin/fixdrip_account
% cd /usr/local/bin
% cat dummy_account
#! /bin/sh -f
/sparky/rob/tmp/script.sh
% cat fixdrip_account
#! /bin/sh -f
/sparky/rob/tmp/script.sh
% diff dummy_account fixdrip_account
% ls -lg dummy_account fixdrip_account
-rwxr--r--  1 root     wheel      40 Oct  6 17:51 dummy_account
-rwxr--r--  1 root     wheel      40 Oct  6 17:51 fixdrip_account
% cat /sparky/rob/tmp/script.sh
#! /bin/sh -f
echo The sh script worked
% su dummy
The sh script worked
% su fixdrip
/usr/local/bin/fixdrip_account: /sparky/rob/tmp/script.sh: restricted
% exit
script done on Thu Oct 6 17:54:02 1988
===========================================

My questions are:

1. What does the "restricted" message mean?
2. Why does the dummy account work while the fixdrip does not?
3. On a side note, I would appreciate it if someone would fill me in on the security holes I am opening by having these accounts with the same uid as root. My motivation for doing this is to give users limited access to root privileges.

Thanks for the help,

--Rob Henderson
---
1st Choice: rob@tcville.hac.com
2nd Choice: rgh@hac2arpa.hac.com
3rd Choice: (213) 616-4596
If all else fails: {seismo|allegra|...}!hacgate!tcville!rob
jamesa%betelgeuse@Sun.COM (James D. Allen) (10/08/88)
In article <184@tcville.HAC.COM>, rob@sparky.HAC.COM (Rob Henderson) writes:
> /usr/local/bin/fixdrip_account: /sparky/rob/tmp/script.sh: restricted

[ refer to original article for detailed description of problem ]

The problem is that /bin/sh has chosen to become "restricted". It did this, believe it or not, because of the 'r' in "fixdrip_account". This is in TFM, although the injunction RTFM would seem rude given the peculiar character of this feature.

If you regard this feature as a bug, you will be glad to know it is "fixed in 4.0".

You don't want to know what feature the 'x' activates... :-}
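Rob's third question (what holes a second uid-0 account opens) goes unanswered in the reply above. The two entries he posted have uid 0 and an empty password field, so on a traditional Unix box each one is root in everything but name, and anyone who can reach a login prompt gets in with no password at all. The POSIX sh script below is an added example written for this page, not code from either poster: it audits passwd-format lines for exactly those two conditions. The sample file is constructed here from Rob's two entries plus a few made-up lines (root, toor, guest, rob) to show which ones trip which check; it assumes only sh and awk.

```sh
#!/bin/sh
# Added example (not from the original posts): audit passwd-format lines for
#   - accounts with uid 0 that are not "root" (extra root accounts under other names)
#   - accounts with an empty password field (no password required at login)
#
# Constructed sample input. The dummy and fixdrip lines are the two Rob posted;
# the other lines are made up for illustration.
PASSWD_SAMPLE='root:XyZ3kQ9:0:1:Operator:/:/bin/sh
dummy::0:1:dummy:/:/usr/local/bin/dummy_account
fixdrip::0:1:fixdrip:/:/usr/local/bin/fixdrip_account
toor:AbC7dEf:0:1:alternate root:/:/bin/sh
guest::200:20:Guest:/tmp:/bin/sh
rob:QwE5rTy:101:10:Rob Henderson:/sparky/rob:/bin/csh'

# audit_passwd: read passwd lines on stdin and print one finding per line:
#   EXTRA_UID0 <name>      uid is 0 but the account is not named root
#   EMPTY_PASSWORD <name>  password field is empty
# Fields: name:password:uid:gid:gecos:home:shell (7 fields, colon separated).
audit_passwd() {
    awk -F: '
    NF >= 7 {
        if ($3 == 0 && $1 != "root") print "EXTRA_UID0", $1
        if ($2 == "")                print "EMPTY_PASSWORD", $1
    }'
}

# count_findings: total number of findings for the passwd contents in $1
count_findings() {
    printf '%s\n' "$1" | audit_passwd | wc -l | tr -d ' '
}

# count_kind: number of findings of one kind ($2) for the passwd contents in $1
count_kind() {
    printf '%s\n' "$1" | audit_passwd | grep -c "^$2 "
}

# Stand-alone usage: print every finding for the constructed sample.
# On a real system replace the sample with:  audit_passwd < /etc/passwd
printf '%s\n' "$PASSWD_SAMPLE" | audit_passwd
```

Run against the sample, dummy and fixdrip each produce both findings, toor only EXTRA_UID0 (it has a password but is still root), guest only EMPTY_PASSWORD, and root and rob nothing. On a system with a shadow file the password column is not in /etc/passwd, so the empty-password check would have to read the shadow file instead; on SunOS 3.4 as shown in the transcript the hashes are in /etc/passwd itself.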