running a script as the owner - admin bit - chmod 6774 - HP UX



Thread: running a script as the owner - admin bit - chmod 6774

  1. running a script as the owner - admin bit - chmod 6774

    New to unix scripting.

    I've heard there is a way, by changing the Admin bit on a script, that
    the script can be forced to run as the file's owner. Is this true -
    I've tested it and it did not work:

    I do a chmod 6774 of a shell script as file's owner, then as a user
    with execute and read to the file I run it. A ps -ef does not show the
    script running as the owner.

    $ ll adm*.*
    -rwsrwsr-- 1 cvs dev 38 Jun 14 11:10 adminbit.sh

    tried running as a user in group dev

    Thanks in advance.


  2. Re: running a script as the owner - admin bit - chmod 6774

    On 2005-06-22, jason@cyberpine.com wrote:

    > I've heard there is a way, by changing the Admin bit on a script, that
    > the script can be forced to run as the file's owner. Is this true -
    > I've tested it and it did not work:
    >
    > I do a chmod 6774 of a shell script as file's owner, then as a user
    > with execute and read to the file I run it. A ps -ef does not show the
    > script running as the owner.
    >
    > $ ll adm*.*
    > -rwsrwsr-- 1 cvs dev 38 Jun 14 11:10 adminbit.sh
    >
    > tried running as a user in group dev


    "setuid bit" is the name.

    It's somewhat OS-dependent and shell-dependent, but should be used only
    on executables, not on scripts, either because the OS won't support them
    or because it's unsafe.

    With HP-UX 10.20 if there was a setuid script you wanted to exploit you could
    make a symlink to it and execute that. Then while it was starting up replace
    it with something else and that would get run as the original owner - maybe
    root. There are other problem areas too - such as the environment.

    AFAIK HP-UX 11 is one of the ones that doesn't support setuid scripts
    but someone round here will know for sure.

    --
    Elvis Notargiacomo master AT barefaced DOT cheek
    http://www.notatla.org.uk/goen/
    Powergen write "Why not stay with us" - let me count the ways!

  3. Re: running a script as the owner - admin bit - chmod 6774

    all mail refused wrote:
    > On 2005-06-22, jason@cyberpine.com wrote:
    >
    >
    >>I've heard there is a way, by changing the Admin bit on a script, that
    >>the script can be forced to run as the file's owner. Is this true -
    >>I've tested it and it did not work:
    >>
    >>I do a chmod 6774 of a shell script as file's owner, then as a user
    >>with execute and read to the file I run it. A ps -ef does not show the
    >>script running as the owner.
    >>
    >>$ ll adm*.*
    >>-rwsrwsr-- 1 cvs dev 38 Jun 14 11:10 adminbit.sh
    >>
    >>tried running as a user in group dev
    >
    > "setuid bit" is the name.
    >
    > It's somewhat OS-dependent and shell-dependent but should be used only
    > on executables, not on scripts either because the OS won't support them
    > or because it's unsafe.
    >
    > With HP-UX 10.20 if there was a setuid script you wanted to exploit you could
    > make a symlink to it and execute that. Then while it was starting up replace
    > it with something else and that would get run as the original owner - maybe
    > root. There are other problem areas too - such as the environment.
    >
    > AFAIK HP-UX 11 is one of the ones that doesn't support setuid scripts
    > but someone round here will know for sure.
    >

    Unfortunately you can still use suid scripts in 11, but you can not
    symlink to unowned files AFAIK; there have been patches to correct that
    issue. Suid is a no-no, security 101. Use sudo or something of that sort.

  4. Re: running a script as the owner - admin bit - chmod 6774

    Hey;

    On 2005-06-22, jason@cyberpine.com wrote:
    >
    > New to unix scripting.
    >
    > I've heard there is a way, by changing the Admin bit on a script, that
    > the script can be forced to run as the file's owner. Is this true -
    > I've tested it and it did not work:
    >
    > I do a chmod 6774 of a shell script as file's owner, then as a user
    > with execute and read to the file I run it. A ps -ef does not show the
    > script running as the owner.
    >
    > $ ll adm*.*
    > -rwsrwsr-- 1 cvs dev 38 Jun 14 11:10 adminbit.sh
    >
    > tried running as a user in group dev


    To reiterate and expand on what others have said:

    You can run suid scripts if you have a #! as the first line of
    your script - as in #!/bin/ksh or #!/bin/sh, whichever shell you
    want to use.

    Unless you know what you're doing, and probably even then, suid
    scripts are a real big security hole. Since you're new to scripting
    I would strongly suggest that you don't use them.

    sudo is probably the easiest way to do what it sounds like you want.
    After sudo's installed and configured, the command to run your script
    would look like:

    sudo /usr/local/bin/script

    It'll ask for the caller's password, then run the script as configured
    in the sudoers file.

    Another option, if you don't want to type passwords, is to set up
    ssh and public key authentication. That's a bit more involved;
    however, it does give the benefits of two-factor authentication.

    HTH;

    Doug

    --
    Senior UNIX Admin
    O'Leary Computer Enterprises
    dkoleary@olearycomputers.com (w) 630-904-6098 (c) 630-248-2749
    resume: http://home.comcast.net/~dkoleary/resume.html
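    An added example, not written by any of the posters above: a small audit
    script for the situation replies 3 and 4 warn about, setuid/setgid files that
    are scripts rather than compiled programs. It builds its own constructed
    fixture (an adminbit.sh with chmod 6774, a plain 0755 script, and a
    placeholder file standing in for a setuid binary), so the only assumptions
    are those fixture names and that find/ls/awk behave as on a POSIX system.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory tree for setuid/setgid
# *scripts*, i.e. files that carry the s bits AND begin with a "#!" line.
# Setuid non-scripts are listed too, tagged "binary", so an admin can
# separate the "security 101" script case from deliberate setuid programs.

# Print "<kind> <mode> <owner> <path>" for every regular file under $1 that
# has the setuid (4000) or setgid (2000) bit set.
find_setid_files() {
    dir=$1
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) | while IFS= read -r f; do
        # A script is anything whose first two bytes are the "#!" magic.
        if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
            kind=script
        else
            kind=binary
        fi
        # Mode string as ll / ls -l shows it, e.g. -rwsrwsr-- for chmod 6774.
        mode=$(ls -l "$f" | cut -c1-10)
        owner=$(ls -l "$f" | awk '{print $3}')
        printf '%s %s %s %s\n' "$kind" "$mode" "$owner" "$f"
    done
}

# Only the script findings: these are the ones to strip the s bits from and
# replace with a sudoers entry, as reply 4 suggests.
find_setid_scripts() {
    find_setid_files "$1" | awk '$1 == "script"' | cut -d' ' -f4-
}

# Constructed fixture mirroring the thread: adminbit.sh with chmod 6774, a
# normal script, and a setuid file that is not a script. All names are made up.
make_demo_dir() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho hello\n' > "$d/adminbit.sh"
    chmod 6774 "$d/adminbit.sh"
    printf '#!/bin/sh\necho plain\n' > "$d/plain.sh"
    chmod 0755 "$d/plain.sh"
    printf 'placeholder bytes, not an ELF\n' > "$d/fake_binary"  # constructed
    chmod 4755 "$d/fake_binary"
    printf '%s\n' "$d"
}

demo=$(make_demo_dir)
find_setid_files "$demo"
```

    Run against a real tree (for example / with find's -xdev) it reports only
    files with the s bits set, so a clean system prints nothing under "script".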
