running a script as the owner - admin bit - chmod 6774
New to unix scripting.
I've heard there is a way, by changing the Admin bit on a script, that
the script can be forced to run as the file's owner. Is this true -
I've tested it and it did not work:
I do a chmod 6774 of a shell script as file's owner, then as a user
with execute and read to the file I run it. A ps -ef does not show the
script running as the owner.
$ ll adm*.*
-rwsrwsr-- 1 cvs dev 38 Jun 14 11:10 adminbit.sh
tried running as a user in group dev
Thanks in advance.
Re: running a script as the owner - admin bit - chmod 6774
On 2005-06-22, jason@cyberpine.com <jason@cyberpine.com> wrote:
> I've heard there is a way, by changing the Admin bit on a script, that
> the script can be forced to run as the file's owner. Is this true -
> I've tested it and it did not work:
>
> I do a chmod 6774 of a shell script as file's owner, then as a user
> with execute and read to the file I run it. A ps -ef does not show the
> script running as the owner.
>
> $ ll adm*.*
> -rwsrwsr-- 1 cvs dev 38 Jun 14 11:10 adminbit.sh
>
> tried running as a user in group dev
"setuid bit" is the name.
It's somewhat OS-dependent and shell-dependent, but it should be used only
on executables, not on scripts, either because the OS won't support them
or because it's unsafe.
With HP-UX 10.20 if there was a setuid script you wanted to exploit you could
make a symlink to it and execute that. Then while it was starting up replace
it with something else and that would get run as the original owner - maybe
root. There are other problem areas too - such as the environment.
AFAIK HP-UX 11 is one of the ones that doesn't support setuid scripts
but someone round here will know for sure.
--
Elvis Notargiacomo master AT barefaced DOT cheek
http://www.notatla.org.uk/goen/
Powergen write "Why not stay with us" - let me count the ways!
Re: running a script as the owner - admin bit - chmod 6774
all mail refused wrote:
> On 2005-06-22, jason@cyberpine.com <jason@cyberpine.com> wrote:
>
>>I've heard there is a way, by changing the Admin bit on a script, that
>>the script can be forced to run as the file's owner. Is this true -
>>I've tested it and it did not work:
>>
>>I do a chmod 6774 of a shell script as file's owner, then as a user
>>with execute and read to the file I run it. A ps -ef does not show the
>>script running as the owner.
>>
>>$ ll adm*.*
>>-rwsrwsr-- 1 cvs dev 38 Jun 14 11:10 adminbit.sh
>>
>>tried running as a user in group dev
>
>
> "setuid bit" is the name.
>
> It's somewhat OS-dependent and shell-dependent but should be used only
> on executables, not on scripts either because the OS won't support them
> or because it's unsafe.
>
> With HP-UX 10.20 if there was a setuid script you wanted to exploit you could
> make a symlink to it and execute that. Then while it was starting up replace
> it with something else and that would get run as the original owner - maybe
> root. There are other problem areas too - such as the environment.
>
> AFAIK HP-UX 11 is one of the ones that doesn't support setuid scripts
> but someone round here will know for sure.
>
Unfortunately you can still use suid scripts in 11, but you cannot
symlink to unowned files AFAIK; there have been patches to correct that
issue. Suid is a no-no, security 101. Use sudo or something of that sort.
Re: running a script as the owner - admin bit - chmod 6774
Hey;
On 2005-06-22, jason@cyberpine.com <jason@cyberpine.com> wrote:
>
> New to unix scripting.
>
> I've heard there is a way, by changing the Admin bit on a script, that
> the script can be forced to run as the file's owner. Is this true -
> I've tested it and it did not work:
>
> I do a chmod 6774 of a shell script as file's owner, then as a user
> with execute and read to the file I run it. A ps -ef does not show the
> script running as the owner.
>
> $ ll adm*.*
> -rwsrwsr-- 1 cvs dev 38 Jun 14 11:10 adminbit.sh
>
> tried running as a user in group dev
To reiterate and expand on what others have said:
You can run suid scripts if you have a #! as the first line of
your script - as in #!/bin/ksh or #!/bin/sh, whichever shell you
want to use.
Unless you know what you're doing, and probably even then, suid
scripts are a real big security hole. Since you're new to scripting
I would strongly suggest that you don't use them.
sudo is probably the easiest way to do what it sounds like you want.
After sudo's installed and configured, the command to run your script
would look like:
sudo /usr/local/bin/script
It'll ask for the caller's password, then run the script as configured
in the sudoers file.
Another option, if you don't want to type passwords, is to set up
ssh and public key authentication. That's a bit more involved;
however, it does give the benefits of two-factor authentication.
HTH;
Doug
--
--------
Senior UNIX Admin
O'Leary Computer Enterprises
dkoleary@olearycomputers.com (w) 630-904-6098 (c) 630-248-2749
resume: http://home.comcast.net/~dkoleary/resume.html
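To find the risk the replies describe on a live system, here is an added audit script (not code from any of the posters): it lists every setuid/setgid file under a directory in the same `ls -l` form as the original listing and flags the ones that begin with a `#!` line, i.e. the setuid scripts Doug mentions. It assumes POSIX find, ls, dd, cut and awk; the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a directory tree for files
# carrying the setuid or setgid bit and flag the ones that are interpreter
# scripts (first two bytes "#!"), which is the case the replies warn about.
# Assumes POSIX find(1), ls(1), dd(1), cut(1) and awk(1).

# is_script FILE -> exit status 0 if FILE begins with the "#!" magic bytes
is_script() {
    [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = "#!" ]
}

# mode_of FILE -> symbolic mode string as ls prints it, e.g. -rwsrwsr--
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# owner_of FILE -> owning user name (the user a setuid script would run as)
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# audit_setuid DIR -> one line per setuid/setgid regular file under DIR:
#   "<mode> <owner> <path>" with " SCRIPT" appended when the file is a #! script
audit_setuid() {
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if is_script "$f"; then tag=" SCRIPT"; else tag=""; fi
        printf '%s %s %s%s\n' "$(mode_of "$f")" "$(owner_of "$f")" "$f" "$tag"
    done
}

# count_setuid_scripts DIR -> number of setuid/setgid #! scripts under DIR
count_setuid_scripts() {
    audit_setuid "$1" | grep -c ' SCRIPT$' || true
}

# Stand-alone usage: sh audit.sh /usr/local/bin
if [ $# -gt 0 ]; then
    audit_setuid "$1"
    echo "setuid/setgid scripts found: $(count_setuid_scripts "$1")"
fi
```

Files reported with SCRIPT are the ones to convert to a sudoers entry (or to remove the bit from) rather than leave setuid.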