minimize use of root account
Ian Smith
smithi at nimnet.asn.au
Sat Feb 20 13:48:35 UTC 2016
In freebsd-questions Digest, Vol 611, Issue 6, Message: 6
On Fri, 19 Feb 2016 22:11:11 +0100 Polytropon <freebsd at edvax.de> wrote:
> On Fri, 19 Feb 2016 14:52:53 +0000, Arthur Chance wrote:
> > On 19/02/2016 11:05, Polytropon wrote:
> > > On Fri, 19 Feb 2016 16:29:43 +1100, Yudi V wrote:
> > >> Hi all,
> > >>
> > >> currently I use the below script to load geli devices and import zpool. It
> > >> needs to be run as root.
> > >> how to run this script as normal user, is there a group that the user needs
> > >> to be part of?
> > >
> > > No, not for this task.
> > >
> > > There are different ways to do it.
> > >
> > > 1. You can set the script itself to "run as root" (chmod +s) when
> > > the script is owned by root:root. Regular users may then execute it.
> >
> > I thought suid scripts were disabled years ago because they were a major
> > security loophole?
>
> You're right - it's the case.
>
> % ll root_test.sh
> -rwsr-sr-x 1 poly poly 24 2016-02-19 19:25:20 root_test.sh*
I suppose you tried it with the script owned by root? Your example is
owned by yourself, and I hope you wouldn't expect to get root access by
running a script you'd set suid to yourself? :)
I did try with and without sgid also, to confirm it won't work, even
when blessed by root:
smithi at x200:~ % ll root_test.sh
-rwsr-sr-- 1 root wheel 24 Feb 21 00:05 root_test.sh
> % cat root_test.sh
> #!/bin/sh
> id -u
> whoami
>
> % ./root_test.sh
> 2000
> poly
>
> % sudo ./root_test.sh
> 0
> root
>
> I think this is fully intended.
Same here. I feel safer knowing suid root won't work, and thanks also
to Matthew for confirmation that even fdescfs doesn't enable that, so
it's still a 'reliable myth'.
cheers, Ian
More information about the freebsd-questions
mailing list