set user-id

Gerald S. Stoller gs_stoller at hotmail.com
Wed Jul 23 15:32:52 PDT 2003




>From: Dan Nelson <dnelson at allantgroup.com>
>To: "Gerald S. Stoller" <gs_stoller at hotmail.com>
>CC: ryan at sasknow.com, vze25pmf at verizon.net, freebsd-questions at freebsd.org
>Subject: Re: set user-id
>Date: Wed, 23 Jul 2003 14:23:05 -0500
>
>In the last episode (Jul 23), Gerald S. Stoller said:
> >
> >
> >
> > >From: Dan Nelson <dnelson at allantgroup.com>
> > >To: Ryan Thompson <ryan at sasknow.com>
> > >CC: "Gerald S. Stoller" <gs_stoller at hotmail.com>, vze25pmf at verizon.net,
> > >FreeBSD Questions <freebsd-questions at freebsd.org>
> > >Subject: Re: set user-id
> > >Date: Tue, 22 Jul 2003 14:37:29 -0500
> > >
> > >In the last episode (Jul 22), Ryan Thompson said:
> > >> If you *really* want to have suid scripts, your binary wrapper idea is
> > >> quite a common trick. Don't get fancy with it, though. A one-liner to
> > >> execve(2) should really be all you need. Either that, or re-code the
> > >> whole thing in C (or some other compiled language). C can introduce
> > >> insecurities of its own, but at least you'd (arguably) have put them
> > >> there yourself. :-)
> > >
> > >I use sudo for stuff like this.  I add a line like this in sudoers:
> > >
> >    I don't understand the next line!
> > >ALL             ALL = NOPASSWD: /usr/local/bin/thescript
> >  ???             Setting a variable??     Okay, invoking the script
>
>The sudoers file has a really weird syntax, but what that means is that
>any user (the first ALL keyword) may run "thescript" as root on any
>machine (the second ALL keyword; this allows the same file to be
>replicated to multiple machines) without a password prompt (the
>NOPASSWD: keyword).
>
> > >>Well, why don't you just chmod 4755 /bin/ksh, then. :-D
> > With a slight change, I copied  ksh  to  /bin  with the name  kshroot ,
> > made sure that the group on it is the group of  root , and then did
> >                  chmod 4750  /bin/kshroot
> > Thus only the users who are 'close to' root (e.g., generally users who
> > have the  root  password so they can become  root  if necessary) can run
> > this shell whenever they need to act as  root , and can use it in scripts
> > (first line: #!/bin/kshroot).  Again note that these scripts can only be
> > invoked by users who are 'close to' root.  For the other users, I'd have
> > to use a sudo.
>
>That will work, too.
>
>--
>	Dan Nelson
>	dnelson at allantgroup.com

          Thinking about this a little more, let's think of these scripts as 
being text that is to be interpreted and specifies its interpreter somehow 
(say as the scripts do, on the first line with '#!' and then a path to the 
interpreter).  When such a file has set user-id on, the user-id of the file 
is put on its interpreter (similar action for the group-id) and then the 
interpreter is run.  This is probably just a small change in the kernel and 
should make things run smoothly.  [What module of the kernel takes care of:
   1)    determining if a file (about to be invoked) has set user-id on,
   2)    making the user-id of the file the effective user-id of the process,
   3)    accepting from a shell an instruction as to which shell to use to 
interpret a script file]
I may try to do this on my own if these three questions are answered (and 
maybe some others, I notice that the source code is sparse on comments and 
directions as to what purpose structures are used, so I may not get enough 
info to do this just from these questions).
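
The two properties the message asks about (whether a file has set user-id on, and which interpreter its '#!' line names) can be inspected from user space, including the #!/bin/kshroot arrangement where the interpreter itself is set user-id. This is an added example, not part of the original message or of FreeBSD's source; the function audit_file and the AUD_* flag names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#define AUD_SETUID        1  /* file itself has the set-user-id bit (e.g. mode 4750) */
#define AUD_SCRIPT        2  /* first line starts with "#!" */
#define AUD_INTERP_SETUID 4  /* the "#!" interpreter is itself set-user-id */
#define AUD_UNREADABLE    8  /* first line could not be read by the auditing user */

/* Returns a bit mask of AUD_* flags, or -1 if path is not a regular file.
 * interp receives the interpreter path from the "#!" line ("" if none). */
int audit_file(const char *path, char *interp, size_t n)
{
    struct stat st, ist;
    char line[256];
    int flags = 0;
    FILE *f;
    if (n == 0 || stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    interp[0] = '\0';
    if (st.st_mode & S_ISUID) flags |= AUD_SETUID;
    if ((f = fopen(path, "r")) == NULL)
        return flags | AUD_UNREADABLE;
    if (fgets(line, sizeof line, f) != NULL && strncmp(line, "#!", 2) == 0) {
        char *p = line + 2 + strspn(line + 2, " \t");  /* skip blanks after #! */
        p[strcspn(p, " \t\r\n")] = '\0';               /* cut at first argument */
        snprintf(interp, n, "%s", p);
        flags |= AUD_SCRIPT;
        if (stat(interp, &ist) == 0 && (ist.st_mode & S_ISUID))
            flags |= AUD_INTERP_SETUID;
    }
    fclose(f);
    return flags;
}

int main(int argc, char **argv)
{
    char interp[256];
    for (int i = 1; i < argc; i++) {
        int fl = audit_file(argv[i], interp, sizeof interp);
        if (fl < 0) { printf("%s: not a regular file\n", argv[i]); continue; }
        printf("%s:%s%s%s\n", argv[i],
               (fl & AUD_SETUID) ? " set-user-id" : "",
               (fl & AUD_SCRIPT) ? " script" : "",
               (fl & AUD_INTERP_SETUID) ? " interpreter-is-set-user-id" : "");
        if (fl & AUD_SCRIPT) printf("  interpreter: %s\n", interp);
    }
    return 0;
}
```

Run it over the output of a find for regular files; a script reported with interpreter-is-set-user-id runs with the interpreter owner's privileges even though the script's own mode shows no set-user-id bit.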
