Gerald S. Stoller
gs_stoller at hotmail.com
Wed Jul 23 11:58:00 PDT 2003
>From: Dan Nelson <dnelson at allantgroup.com>
>To: Ryan Thompson <ryan at sasknow.com>
>CC: "Gerald S. Stoller" <gs_stoller at hotmail.com>, vze25pmf at verizon.net,
>FreeBSD Questions <freebsd-questions at freebsd.org>
>Subject: Re: set user-id
>Date: Tue, 22 Jul 2003 14:37:29 -0500
>In the last episode (Jul 22), Ryan Thompson said:
> > If you *really* want to have suid scripts, your binary wrapper idea is
> > quite a common trick. Don't get fancy with it, though. A one-liner to
> > execve(2) should really be all you need. Either that, or re-code the
> > whole thing in C (or some other compiled language). C can introduce
> > insecurities of its own, but at least you'd (arguably) have put them
> > there yourself. :-)
>I use sudo for stuff like this. I add a line like this in sudoers:
I don't understand the next line!
>ALL ALL = NOPASSWD: /usr/local/bin/thescript
??? Setting a variable?? Okay, invoking the script
>and put this it the top of thescript:
>if [ $(id -u) -ne 0 ] ; then
> if [ "$TRYINGSUDO" = "1" ] ; then
> echo "Cannot get admin priviledges! Exiting"
> exit 1
> export TRYINGSUDO=1
> exec sudo $0 "$@"
> Dan Nelson
> dnelson at allantgroup.com
I tried a suggestion by Ryan (slipping in something from his email)
>>Well, why don't you just chmod 4755 /bin/ksh, then. :-D
with a slight change, I copied ksh to /bin with the name kshroot , made
that the group on it is the group of root , and then did
chmod 4750 /bin/kshroot
Thus only the users who are 'close to' root (e.g., generally users who have
root password so they can become root if necessary) can run this shell
they need to act as root , and can use it in scripts (first line:
note that these scripts can only be invoked by users who are 'close to'
root. For the
other users, I'd have to use a sudo.
MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*.
More information about the freebsd-questions