set user-id

Gerald S. Stoller gs_stoller at hotmail.com
Thu Sep 11 00:33:43 PDT 2003




>From: Dan Nelson <dnelson at allantgroup.com>
>To: "Gerald S. Stoller" <gs_stoller at hotmail.com>
>CC: ryan at sasknow.com, vze25pmf at verizon.net, freebsd-questions at freebsd.org
>Subject: Re: set user-id
>Date: Wed, 23 Jul 2003 14:23:05 -0500
>
(snip)
> > > Well, why don't you just chmod 4755 /bin/ksh, then. :-D
> > with a slight change, I copied  ksh  to  /bin  with the name  kshroot ,
> > made sure that the group on it is the group of  root , and then did
> >                  chmod 4750  /bin/kshroot
> > Thus only the users who are 'close to' root (e.g., generally users who
> > have the  root  password so they can become  root  if necessary) can run
> > this shell whenever they need to act as  root , and can use it in scripts
> > (first line: #!/bin/kshroot).  Again
> > note that these scripts can only be invoked by users who are 'close to'
> > root.  For the other users, I'd have to use a sudo.
>
>That will work, too.
>
>--
>	Dan Nelson
>	dnelson at allantgroup.com

        I suggest that the  FreeBSD  system have an argument (or option,
if arguments are not allowed) on the kernel which will have it (when the
setuid/setgid  is on a script and the shell/interpreter is hallowed/sanctioned)
invoke the interpreter and express the  setuid/setgid  of the script on it,
and then have it interpret the script.  If it can’t be done this way, then
make the feature a configuration option at the time of building the kernel.
      Care must be taken in implementing the  setuid  feature.  As a friend
noted:
"Suppose
	current user    is U
	/bin/prog       is setuid to P
	script          is setuid to S and begins #!/bin/prog
then the ksh command
	prog script     runs as P
	prog <script    runs as P
	script          runs as S
	. script        runs as U
That's the way it is on Unix systems that I use,
and the FreeBSD man page seems to agree."
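
An added example, not part of the original message: an inventory check for the arrangement discussed in this thread, listing scripts whose "#!" line names a set-user-ID interpreter and whether that interpreter is executable by others (the 4755 case) or not (the 4750 case). The function names and the directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the interpreter path named on a file's "#!" first line (empty if none).
shebang_interpreter() {
    head -n 1 "$1" 2>/dev/null |
        LC_ALL=C sed -n 's/^#![[:space:]]*\([^[:space:]]\{1,\}\).*/\1/p'
}

# For a set-user-ID file, print who may execute it:
#   "world"      = executable by others (the 4755 case in the thread)
#   "group-only" = not executable by others (the 4750 case in the thread)
# Returns 1 when the file is not set-user-ID.
setuid_exposure() {
    [ -u "$1" ] || return 1
    if [ -n "$(find "$1" -prune -perm -0001 2>/dev/null)" ]; then
        echo world
    else
        echo group-only
    fi
}

# Walk DIR and report every script whose interpreter is set-user-ID.
audit_scripts() {
    find "$1" -type f 2>/dev/null | while IFS= read -r script; do
        interp=$(shebang_interpreter "$script")
        [ -n "$interp" ] || continue
        exposure=$(setuid_exposure "$interp") || continue
        printf '%s -> %s (%s)\n' "$script" "$interp" "$exposure"
    done
}

# Stand-alone use: sh audit.sh /usr/local/bin
if [ $# -gt 0 ]; then
    audit_scripts "$1"
fi
```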



