minimize use of root account

Ian Smith smithi at nimnet.asn.au
Sat Feb 20 13:48:35 UTC 2016


In freebsd-questions Digest, Vol 611, Issue 6, Message: 6
On Fri, 19 Feb 2016 22:11:11 +0100 Polytropon <freebsd at edvax.de> wrote:
 > On Fri, 19 Feb 2016 14:52:53 +0000, Arthur Chance wrote:
 > > On 19/02/2016 11:05, Polytropon wrote:
 > > > On Fri, 19 Feb 2016 16:29:43 +1100, Yudi V wrote:
 > > >> Hi all,
 > > >>
 > > >> currently I use the below script to load geli devices and import zpool. It
 > > >> needs to be run as root.
 > > >> how to run this script as normal user, is there a group that the user needs
 > > >> to be part of?
 > > >
 > > > No, not for this task.
 > > >
 > > > There are different ways to do it.
 > > >
 > > > 1. You can set the script itself to "run as root" (chmod +s) when
 > > >     the script is owned by root:root. Regular users may then execute it.
 > > 
 > > I thought suid scripts were disabled years ago because they were a major 
 > > security loophole?
 > 
 > You're right - it's the case.
 > 
 > % ll root_test.sh 
 > -rwsr-sr-x  1 poly  poly  24 2016-02-19 19:25:20 root_test.sh*

I suppose you tried it with the script owned by root?  Your example is 
owned by yourself, and I hope you wouldn't expect to get root access by 
running a script you'd set suid to yourself? :)

I did try with and without sgid also, to confirm it won't work, even 
when blessed by root:

smithi at x200:~ % ll root_test.sh
-rwsr-sr--  1 root    wheel           24 Feb 21 00:05 root_test.sh

 > % cat root_test.sh
 > #!/bin/sh
 > id -u
 > whoami
 > 
 > % ./root_test.sh
 > 2000
 > poly
 > 
 > % sudo ./root_test.sh
 > 0
 > root
 > 
 > I think this is fully intended.

Same here.  I feel safer knowing suid root won't work, and thanks also 
to Matthew for confirmation that even fdescfs doesn't enable that, so 
it's still a 'reliable myth'.

cheers, Ian
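
An audit for the situation tested in this thread, added here as an example and not written by any of the posters: it lists set-uid or set-gid files that begin with "#!", the case the thread shows is not honoured on FreeBSD. The function names and the constructed sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): report set-uid/set-gid files that are
# "#!" scripts. The kernel ignores those bits on scripts, so every hit is a
# file whose mode promises a privilege it never grants.

# find_suid_scripts DIR -> one line per hit: "<mode> <owner>:<group> <path>"
find_suid_scripts() {
    # -perm -4000 = set-uid, -perm -2000 = set-gid; -xdev stays on one filesystem
    find "${1:-.}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # The first two bytes (0x23 0x21 = "#!") mark an interpreter script.
        magic=$(od -An -tx1 -N2 "$f" 2>/dev/null | tr -d ' \n')
        [ "$magic" = 2321 ] || continue
        # ls -ld is used because stat(1) options differ between FreeBSD and Linux.
        meta=$(ls -ld "$f" | awk '{ print $1, $3 ":" $4 }')
        printf '%s %s\n' "$meta" "$f"
    done
}

# make_sample_tree -> prints the path of a constructed test directory
make_sample_tree() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\nid -u\nwhoami\n' > "$d/root_test.sh"   # script from the thread
    printf '#!/bin/sh\nid -u\n'         > "$d/plain.sh"       # script, no set-uid bit
    printf '\177ELF'                    > "$d/not_a_script"   # set-uid, but not "#!"
    chmod 4755 "$d/root_test.sh" "$d/not_a_script"
    chmod 0755 "$d/plain.sh"
    printf '%s\n' "$d"
}

# With an argument, audit that directory; without one, audit the constructed sample.
if [ $# -gt 0 ]; then
    find_suid_scripts "$1"
else
    sample=$(make_sample_tree) && find_suid_scripts "$sample"
    rm -rf "$sample"
fi
```

Files the invoking user cannot read are skipped, so run it as a user who can read the tree being audited.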

