set user-id

Gerald S. Stoller gs_stoller at hotmail.com
Wed Jul 23 11:58:00 PDT 2003 



>From: Dan Nelson <dnelson at allantgroup.com>
>To: Ryan Thompson <ryan at sasknow.com>
>CC: "Gerald S. Stoller" <gs_stoller at hotmail.com>, vze25pmf at verizon.net,   
>FreeBSD Questions <freebsd-questions at freebsd.org>
>Subject: Re: set user-id
>Date: Tue, 22 Jul 2003 14:37:29 -0500
>
>In the last episode (Jul 22), Ryan Thompson said:
> > If you *really* want to have suid scripts, your binary wrapper idea is
> > quite a common trick. Don't get fancy with it, though. A one-liner to
> > execve(2) should really be all you need. Either that, or re-code the
> > whole thing in C (or some other compiled language). C can introduce
> > insecurities of its own, but at least you'd (arguably) have put them
> > there yourself. :-)
>
>I use sudo for stuff like this.  I add a line like this in sudoers:
>
    I don't understand the next line!
>ALL             ALL = NOPASSWD: /usr/local/bin/thescript
  ???             Setting a variable??     Okay, invoking the script
>
>and put this it the top of thescript:
>
>#! /bin/sh
>if [ $(id -u) -ne 0 ] ; then
>   if [ "$TRYINGSUDO" = "1" ] ; then
>     echo "Cannot get admin priviledges!  Exiting"
>     exit 1
>   else
>     export TRYINGSUDO=1
>     exec sudo $0 "$@"
>   fi
>fi
>
>--
>	Dan Nelson
>	dnelson at allantgroup.com

        I tried a suggestion by Ryan (slipping in something from his email)
>>Well, why don't you just chmod 4755 /bin/ksh, then. :-D
with a slight change, I copied  ksh  to  /bin  with the name  kshroot , made 
sure
that the group on it is the group of  root , and then did
                  chmod 4750  /bin/kshroot
Thus only the users who are 'close to' root (e.g., generally users who have 
the
root  password so they can become  root  if necessary) can run this shell 
whenever
they need to act as  root , and can use it in scripts (first line: 
#!/bin/kshroot).  Again
note that these scripts can only be invoked by users who are 'close to' 
root.  For the
other users, I'd have to use a sudo.

_________________________________________________________________
MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*.  
http://join.msn.com/?page=features/virus

More information about the freebsd-questions mailing list