[NTLUG:Discuss] SETUID on Shell Scripts Question

Mike Owens owensmk at earthlink.net
Mon Apr 3 08:06:28 CDT 2000


Thanks. I didn't know about the suid restriction in Linux. And I did
ultimately want to run it as a cron job, which according to the man
pages did seem like that would be possible---that cron will change its
effective uid to that of the file to run. I will try both though.
Thanks again for the help.

"Jay F. Cox" wrote:
> 
> Mike Owens wrote:
> >
> > This is an embarrassing question, but I evidently am not getting it. I
> > have a simple shell script which I have setuid to root. All it does is
> > take md5 sums on everything in /usr/bin. Yet when I run it as a plain
> > old user, I get "permission denied" on the binaries which don't have
> > group or user read permissions.
> >
> > Why is this happening? If I run it as root---no problem. I thought suid
> > was supposed to make it execute as root (assuming it is owned by root).
> > I read in the bash man pages to use the -p switch as well. Still, no
> > avail.
> >
> > I guess my shell is executing the script, and thus using its uid and
> > guid. How do I set permissions such that this won't happen?
> 
> You can't run suid root scripts in linux.  They'll just execute like
> any other script.
> 
> If anything you have to use a suidroot binary wrapper to execute your
> script for you.  That or get a utility that would write it.  I've made
> one if you are interested (it's only half written though, supposed to
> make wrappers which may further set ulimits etc but I got bored with
> that project or something, and definitely needs a rewrite anyway),
> and since it is just text substitution, I'm quite sure there should be
> a utility that's better that could do the same or better.  I know
> I have seen wrapper makers for cgi scripts on freshmeat.
> 
> Actually, I think this (the following) is all you need.
> 
> #include<errno.h>
> #include<unistd.h>
> int main (int argc, char **argv) {
>      execv("--EXEC--",argv);
>      return errno;  /* if execv fails */
> }
> 
> where --EXEC-- is the full path and name to the executable.  Compile
> that with gcc, set the proper permissions on the executable, and let
> run.  However, you might want further restrictions, like to make sure
> the permissions and/or ownership on the script are set correctly,
> restrict who runs the binary, etc.  For that, if you aren't a C
> programmer (or familiar with the functions to do the stuff) I guess
> look around for something that'll produce a wrapper for you or hire
> a programmer who is familiar with that stuff.
> 
> Jay Cox
> --
> He who is in love with himself has at least this advantage -- he won't
> encounter many rivals.
>                 -- Georg Lichtenberg, "Aphorisms"
> 
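The further restrictions mentioned at the end of the quoted reply (script ownership and permissions, who may run the binary), as an added example that is not code from the original thread. The script path, allowed uid and ERR_* codes are hypothetical, and it assumes Linux with /dev/fd available so that fexecve() can start a `#!` script.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Hypothetical values: the script to run and the one non-root uid allowed to run it. */
#define SCRIPT_PATH "/usr/local/sbin/md5sums.sh"
#define ALLOWED_UID 1000u
enum { ERR_OPEN = -1, ERR_TYPE = -2, ERR_OWNER = -3, ERR_WRITABLE = -4 };

/* Open the script and check the open descriptor, so the file that passed the
 * checks is the file that gets executed. Returns an fd >= 0 or an ERR_* code. */
int open_trusted_script(const char *path, uid_t owner)
{
    struct stat st;
    int err = 0, fd = open(path, O_RDONLY | O_NOFOLLOW); /* refuse a symlinked script */
    if (fd < 0 || fstat(fd, &st) != 0)
        err = ERR_OPEN;
    else if (!S_ISREG(st.st_mode))
        err = ERR_TYPE;
    else if (st.st_uid != owner)
        err = ERR_OWNER;
    else if (st.st_mode & (S_IWGRP | S_IWOTH))
        err = ERR_WRITABLE;
    if (err != 0 && fd >= 0)
        close(fd);
    return err != 0 ? err : fd;
}

int main(int argc, char **argv)
{
    char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL }; /* drop the caller's environment */
    (void)argc;
    if (getuid() != 0 && getuid() != ALLOWED_UID) {
        fprintf(stderr, "%s: not permitted for uid %ld\n", argv[0], (long)getuid());
        return EXIT_FAILURE;
    }
    int fd = open_trusted_script(SCRIPT_PATH, 0); /* the script must be owned by root */
    if (fd < 0) {
        fprintf(stderr, "%s: refusing %s (check %d)\n", argv[0], SCRIPT_PATH, fd);
        return EXIT_FAILURE;
    }
    /* bash gives up a mismatched effective uid unless started with -p, so set the real ids too. */
    if (setgid(0) != 0 || setuid(0) != 0)
        return EXIT_FAILURE;
    fexecve(fd, argv, clean_env); /* the interpreter is handed /dev/fd/N */
    return errno;                 /* only reached if fexecve fails */
}
```

The compiled binary itself has to be owned by root with mode 4755 for the setgid()/setuid() calls to succeed.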