passwd

Steve Coile scoile at nandomedia.com
Fri Jun 6 06:20:05 PDT 2003


On Fri, 6 Jun 2003, Mark Redding wrote:
> #snip#
> 
> passwd needs to run setuid root, so it can write the
> new password to
> /etc/master.passwd:
> 
> [homer: danielby: ~]$ ls -l `which passwd`
> -r-sr-xr-x  2 root  wheel  32824 19 May 11:04
> /usr/bin/passwd*
> 
> You need to re-enable the setuid bit.
> 
> #end-snip#
> 
> That's not it I'm afraid. The setuid bit was set
> anyway, and anyway, users who are members of the wheel
> group can execute the passwd command without trouble
> (I've only switched off 'other' access).

Many programs load shared libraries or invoke additional executables.
By disabling access to everything else, you prevent the use of these
additional files.

My recommendation is that you restore the permissions on everything and
find another way to do what you're trying to do.  Consider using the
restricted mode of existing command shells (e.g. "bash -r").

You didn't change permissions on any directories, did you?  If so,
at least restore execute access for all users on those directories
you changed.  This will allow executables to use specific files within
those directories.

To determine what other files a program needs, you'll need to see what
dynamic libraries it's trying to load:

	ldd `which passwd`

Make sure all of the files referenced are executable by all users.

Some programs (perhaps "passwd") actually invoke other executables.
To find these, you'll have to use something akin to "strace" or "ltrace"
(I don't know what the FreeBSD equivalent is) and look for references to
"exec" and variations.

	strace -o /tmp/passwd.strace passwd
	...
	grep -w 'exec[0-9a-z]*' /tmp/passwd.strace

You'll then need to determine why the program is invoking these other
executables, decide whether the reasons are acceptable, then enable
access to the acceptable executables.

You might also want to review the files that the program is trying to
open.  In your zeal, you might have inadvertently changed the permissions
on a data file.  You can find these using the output from "strace", too:

	grep -wE 'f?open' /tmp/passwd.strace

-- 
Steve Coile
Systems Administrator
Nando Media
ph: 919-861-1200
fax: 919-861-1300
e-mail: sysadmins at nandomedia.com
http://www.nandomedia.com
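The three checks above (ldd dependencies, exec and open targets pulled from an strace log, and world access on every resulting path including its parent directories) can be scripted. The following is an added example, not part of Steve's message; it assumes GNU/Linux ldd and strace output formats, so the two parsers are assumptions that would need adjusting for FreeBSD's ldd and ktrace output.

```shell
#!/bin/sh
# Added example (not from the thread): list the files a program depends on
# and report which ones "other" users cannot reach, the usual reason a
# setuid program stops working for non-wheel users after a broad chmod.
# Assumes GNU/Linux ldd and strace formats. Typical use:
#   ldd "$(command -v passwd)" | ldd_paths | check_world_access
#   strace_paths < /tmp/passwd.strace | check_world_access

# Shared-library paths from ldd output on stdin: "name => /path (0x..)"
# or a bare "/path (0x..)" for the dynamic loader; vdso lines have none.
ldd_paths() {
    sed -n -e 's/^[[:space:]]*[^ ]* => \(\/[^ ]*\).*/\1/p' \
           -e 's/^[[:space:]]*\(\/[^ ]*\) (0x.*/\1/p'
}

# Executables and files from an strace log on stdin: the first quoted
# argument of exec*() and open*() calls.
strace_paths() {
    sed -n -e 's/^exec[a-z0-9]*("\([^"]*\)".*/\1/p' \
           -e 's/^open[a-z]*(.*"\([^"]*\)".*/\1/p'
}

# For each path on stdin: report it missing, unreadable by "other", or
# (for directories and owner-executable files) not executable by "other".
check_world_access() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ ! -e "$path" ]; then printf 'missing: %s\n' "$path"; continue; fi
        mode=$(ls -ld "$path" | cut -c1-10)        # e.g. -rwsr-xr-x
        other=$(printf '%s' "$mode" | cut -c8-10)  # the "other" triplet
        case "$other" in *r*) ;; *) printf 'no world read: %s\n' "$path" ;; esac
        case "$mode" in d*|???[xs]*)               # dir, or owner has x/s
            case "$other" in *[xt]*) ;; *) printf 'no world execute: %s\n' "$path" ;; esac ;;
        esac
    done
}

# Every ancestor directory also needs the "other" execute (search) bit,
# or the file is unreachable even when its own mode is fine.
check_parent_dirs() {
    while IFS= read -r path; do
        d=$(dirname "$path")
        while [ "$d" != / ] && [ "$d" != . ]; do
            case "$(ls -ld "$d" | cut -c10)" in x|t) ;; *) printf 'no world execute (dir): %s\n' "$d" ;; esac
            d=$(dirname "$d")
        done
    done
}
```

Feed the output of check_parent_dirs and check_world_access to a reviewer rather than chmod'ing blindly, since a path reported here may be restricted on purpose.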



More information about the freebsd-questions mailing list