set user-id
Gerald S. Stoller
gs_stoller at hotmail.com
Wed Jul 23 15:32:52 PDT 2003
>From: Dan Nelson <dnelson at allantgroup.com>
>To: "Gerald S. Stoller" <gs_stoller at hotmail.com>
>CC: ryan at sasknow.com, vze25pmf at verizon.net, freebsd-questions at freebsd.org
>Subject: Re: set user-id
>Date: Wed, 23 Jul 2003 14:23:05 -0500
>
>In the last episode (Jul 23), Gerald S. Stoller said:
> >
> >
> >
> > >From: Dan Nelson <dnelson at allantgroup.com>
> > >To: Ryan Thompson <ryan at sasknow.com>
> > >CC: "Gerald S. Stoller" <gs_stoller at hotmail.com>, vze25pmf at verizon.net,
> > >FreeBSD Questions <freebsd-questions at freebsd.org>
> > >Subject: Re: set user-id
> > >Date: Tue, 22 Jul 2003 14:37:29 -0500
> > >
> > >In the last episode (Jul 22), Ryan Thompson said:
> > >> If you *really* want to have suid scripts, your binary wrapper idea
>is
> > >> quite a common trick. Don't get fancy with it, though. A one-liner to
> > >> execve(2) should really be all you need. Either that, or re-code the
> > >> whole thing in C (or some other compiled language). C can introduce
> > >> insecurities of its own, but at least you'd (arguably) have put them
> > >> there yourself. :-)
> > >
> > >I use sudo for stuff like this. I add a line like this in sudoers:
> > >
> > I don't understand the next line!
> > >ALL ALL = NOPASSWD: /usr/local/bin/thescript
> > ??? Setting a variable?? Okay, invoking the script
>
>The sudoers file has a really weird syntax, but what that means is that
>any user (the first ALL keyword) may run "thescript" as root on any
>machine (the second ALL keyword; this allows the same file to be
>replicated to multiple machines) without a password prompt (the
>NOPASSWD: keyword).
>
> > >>Well, why don't you just chmod 4755 /bin/ksh, then. :-D
> > with a slight change, I copied ksh to /bin with the name kshroot ,
> > made sure
> > that the group on it is the group of root , and then did
> > chmod 4750 /bin/kshroot
> > Thus only the users who are 'close to' root (e.g., generally users who
>have
> > the
> > root password so they can become root if necessary) can run this
>shell
> > whenever
> > they need to act as root , and can use it in scripts (first line:
> > #!/bin/kshroot). Again
> > note that these scripts can only be invoked by users who are 'close to'
> > root. For the
> > other users, I'd have to use a sudo.
>
>That will work, too.
>
>--
> Dan Nelson
> dnelson at allantgroup.com
Thinking about this a little more, let's think of these scripts as
being text that is to be interpreted and specifies its interpretor somehow
(say as the scripts do, on the first line with '#!' and then a path to the
interpretor). When such a file has set user-id on, the user-id of the file
is put on its interpretor (similar action for the group-id) and then the
interpretor is run. This is probably just a small change in the kernel and
should make things run smoothly. [What module of the kernel takes care of:
1) determining if a file (about to be invoked) has set user-id on,
2) making the user-id of the file the effecive user-id of the process,
3) accepting from a shell an instruction as to which shell to use to
interpret a script file]
I may try ro do this on my own if these three questions are answered (and
maybe some others, I notice that the source code is sparse on comments and
directions as to what purpose structures are used, so I may not get enough
info to do this just from these questions).
_________________________________________________________________
MSN 8 with e-mail virus protection service: 2 months FREE*
http://join.msn.com/?page=features/virus
More information about the freebsd-questions
mailing list