set user-id

Dan Nelson dnelson at allantgroup.com
Wed Jul 23 12:23:07 PDT 2003


In the last episode (Jul 23), Gerald S. Stoller said:
> 
> 
> 
> >From: Dan Nelson <dnelson at allantgroup.com>
> >To: Ryan Thompson <ryan at sasknow.com>
> >CC: "Gerald S. Stoller" <gs_stoller at hotmail.com>, vze25pmf at verizon.net,   
> >FreeBSD Questions <freebsd-questions at freebsd.org>
> >Subject: Re: set user-id
> >Date: Tue, 22 Jul 2003 14:37:29 -0500
> >
> >In the last episode (Jul 22), Ryan Thompson said:
> >> If you *really* want to have suid scripts, your binary wrapper idea is
> >> quite a common trick. Don't get fancy with it, though. A one-liner to
> >> execve(2) should really be all you need. Either that, or re-code the
> >> whole thing in C (or some other compiled language). C can introduce
> >> insecurities of its own, but at least you'd (arguably) have put them
> >> there yourself. :-)
> >
> >I use sudo for stuff like this.  I add a line like this in sudoers:
> >
>    I don't understand the next line!
> >ALL             ALL = NOPASSWD: /usr/local/bin/thescript
>  ???             Setting a variable??     Okay, invoking the script

The sudoers file has a really weird syntax, but what that means is that
any user (the first ALL keyword) may run "thescript" as root on any
machine (the second ALL keyword; this allows the same file to be
replicated to multiple machines) without a password prompt (the
NOPASSWD: keyword).

> >>Well, why don't you just chmod 4755 /bin/ksh, then. :-D
> with a slight change, I copied  ksh  to  /bin  with the name  kshroot ,
> made sure that the group on it is the group of  root , and then did
>                  chmod 4750  /bin/kshroot
> Thus only the users who are 'close to' root (e.g., generally users who have
> the root  password so they can become  root  if necessary) can run this
> shell whenever they need to act as  root , and can use it in scripts (first
> line: #!/bin/kshroot).  Again note that these scripts can only be invoked
> by users who are 'close to' root.  For the other users, I'd have to use a
> sudo.

That will work, too.

-- 
	Dan Nelson
	dnelson at allantgroup.com
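
The sudoers entry discussed above gives every user root via whatever is at /usr/local/bin/thescript, so the grant is only as strong as the ownership and permissions of that file and its directory. The following audit script is an added example for this thread, not code from any of the posts; it assumes only a POSIX sh and ls(1), and the paths it is run against are the caller's choice.

```shell
#!/bin/sh
# Audit a command that a sudoers entry hands out as root, such as
#   ALL  ALL = NOPASSWD: /usr/local/bin/thescript
# Anyone who can modify that file, or replace it within its directory, holds
# the same root grant as the entry itself, so the file must be root-owned and
# writable by nobody else, and its directory must not be open to everyone.
# Added example for this thread, not code from the original posts.
set -f   # no globbing while we word-split ls(1) output

# mode_and_owner PATH: print the ls(1) mode string (e.g. -rwxr-xr-x) and owner
mode_and_owner() {
    set -- $(ls -ld "$1")
    printf '%s %s\n' "$1" "$3"
}

# check_sudo_target PATH [EXPECTED_OWNER]
# Returns 0 when PATH is safe to list in sudoers, 1 with one line per problem.
# EXPECTED_OWNER defaults to root; it is a parameter only so the check can be
# exercised on constructed files owned by an unprivileged user.
check_sudo_target() {
    target=$1; want=${2:-root}; rc=0
    [ -e "$target" ] || { echo "$target: does not exist"; return 1; }
    set -- $(mode_and_owner "$target"); mode=$1; owner=$2
    case $mode in
        -*) ;;
        *)  echo "$target: not a regular file ($mode)"; rc=1 ;;
    esac
    [ "$owner" = "$want" ] || { echo "$target: owned by $owner, not $want"; rc=1; }
    case $mode in
        ?????w*) echo "$target: group-writable"; rc=1 ;;
    esac
    case $mode in
        ????????w*) echo "$target: world-writable"; rc=1 ;;
    esac
    # The directory matters too: if it is world-writable, only the sticky bit
    # keeps other users from renaming or unlinking the script.
    dir=$(dirname "$target")
    set -- $(mode_and_owner "$dir"); dmode=$1
    case $dmode in
        ????????wt*|????????wT*) ;;
        ????????w*) echo "$dir: world-writable directory without sticky bit"; rc=1 ;;
    esac
    return $rc
}

# Usage: check_sudo_target /usr/local/bin/thescript
```

Run it against every command path named in sudoers after editing the file; a non-zero exit with the printed reasons is the signal to fix ownership or mode before the entry goes live.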