[NTLUG:Discuss] SETUID on Shell Scripts Question
Jay F. Cox
baa204 at saturn.angelo.edu
Mon Apr 3 02:01:23 CDT 2000
Mike Owens wrote:
>
> This is an embarrassing question, but I evidently am not getting it. I
> have a simple shell script which I have setuid to root. All it does is
> take md5 sums on everything in /usr/bin. Yet when I run it as a plain
> old user, I get "permission denied" on the binaries which don't have
> group or user read permissions.
>
> Why is this happening? If I run it as root---no problem. I thought suid
> was supposed to make it execute as root (assuming it is owned by root).
> I read in the bash man pages to use the -p switch as well. Still, no
> avail.
>
> I guess my shell is executing the script, and thus using its uid and
> gid. How do I set permissions such that this won't happen?
You can't run suid-root scripts in Linux. They'll just execute like
any other script.
If anything, you have to use a suid-root binary wrapper to execute your
script for you. That, or get a utility that would write it. I've made
one if you are interested (it's only half written though, supposed to
make wrappers which may further set ulimits etc., but I got bored with
that project or something, and it definitely needs a rewrite anyway),
and since it is just text substitution, I'm quite sure there should be
a utility that's better that could do the same or better. I know
I have seen wrapper makers for CGI scripts on freshmeat.
Actually, I think this (the following) is all you need.
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

int main(int argc, char **argv) {
    /* Replace this process with the target; argv (and the caller's
     * environment) are passed through unchanged. */
    execv("--EXEC--", argv);
    perror("execv");   /* only reached if execv fails */
    return errno;
}
where --EXEC-- is the full path and name of the executable. Compile
that with gcc, set the proper permissions on the executable, and let
it run. However, you might want further restrictions, like making sure
the permissions and/or ownership on the script are set correctly,
restricting who runs the binary, etc. For that, if you aren't a C
programmer (or familiar with the functions to do that stuff), I guess
look around for something that'll produce a wrapper for you or hire
a programmer who is familiar with that stuff.
Jay Cox
--
He who is in love with himself has at least this advantage -- he won't
encounter many rivals.
-- Georg Lichtenberg, "Aphorisms"