SUID permission on Bash script

George Davidovich freebsd at optimis.net
Fri Aug 28 10:58:50 UTC 2009


On Fri, Aug 28, 2009 at 10:01:54AM +0100, Jeronimo Calvo wrote:
> 2009/8/28 Giorgos Keramidas <keramida at ceid.upatras.gr>
> 
> On Fri, 28 Aug 2009 09:24:35 +0100, Jeronimo Calvo
> <jeronimocalvop at googlemail.com> wrote:
> > > 
> > > I'm trying to set up a really basic script to allow one user to
> > > shut down my machine without root permissions, setting up SUID as
> > > follows:
> > > 
> > > -rwsrwxr-- 1 root wheel 38 Aug 27 23:12 apagar.sh
> > > 
> > > $ ./apagar.sh
> > > 
> > > Permission denied
> > > 
> > > content of script:
> > > 
> > > cat apagar.sh
> > > 
> > > #!/usr/local/bin/bash
> > > shutdown -p now
> > > 
> > > As far as I know, using SUID, the script must run with root
> > > permissions... so I shouldn't get "Permission denied". What am I
> > > doing wrong?
> > 
> > No it must not.  There are security reasons why shell scripts are not
> > setuid-capable.  You can find some of them in the archives of the
> > mailing list, going back at least until 1997.
> > 
> > The good thing is that you don't need a shell script to do that.  You
> > can install `sudo' and give permission to the specific user to run:
> > 
> >    sudo shutdown -p now
> 
> So SUID can be applied to sh but it doesn't work! Is there no way to
> apply it, apart from installing sudo? The thing is that by installing
> sudo and adding that user to sudoers, that user will be capable of doing
> any other SU tasks apart from shutting down... which I don't like :D (I
> know that SUID could be even worse if they edit the .sh file... but let's
> believe they don't even know that XD)

Please refrain from top-posting.  It's both confusing and inconsiderate
for anyone trying to read what you write or otherwise trying to follow a
discussion.

First, as has already been pointed out, your approach is A Really Bad
Idea and will lead nowhere so forget it.  Second, you're
misunderstanding sudo.  From sudo(8):

  sudo allows a permitted user to execute a command as the 
  superuser or another user, as specified in the sudoers file.  

Note the "as specified".  For example, if the sudoers file contains
nothing but

  john  ALL= NOPASSWD: /usr/sbin/shutdown

then John (and only John) can use sudo to execute /usr/sbin/shutdown,
but can't use sudo to execute any other commands. 

As an alternative to installing sudo, you can add your user to the
operator group:

  pw groupmod operator -m john

but be sure to understand the ramifications before doing so.

-- 
George

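As an added example (not part of George's message or of any FreeBSD documentation), here is the same sudoers rule written the way a least-privilege setup would want it: full path and exact arguments pinned, kept in a drop-in file rather than edited into the main sudoers. The username john, the file name /usr/local/etc/sudoers.d/shutdown and the presence of an includedir line in the main sudoers are assumptions for the illustration. Two facts it relies on: on FreeBSD the binary is /sbin/shutdown, and a sudoers command listed without arguments permits any arguments. The sudo route is also preferable to the operator group for this use, because operator is not only the group that may execute the setuid shutdown binary but also the group with read access to the raw disk devices (root:operator, mode 0640), which lets a member read every file on the machine.

```sudoers
# /usr/local/etc/sudoers.d/shutdown   (hypothetical drop-in file)
# The sudo port keeps its configuration under /usr/local/etc; this file is
# only read if the main sudoers contains an includedir line for the
# sudoers.d directory.  Edit it with:
#   visudo -f /usr/local/etc/sudoers.d/shutdown
#
# Pin the full path (FreeBSD's shutdown lives in /sbin, not /usr/sbin)
# and the exact arguments.  A command listed with no arguments lets the
# user pass any arguments; listing "-p now" means only that invocation
# matches: `sudo shutdown -p now` is allowed, `sudo shutdown -r now` or
# `sudo shutdown -k` is refused.
john    ALL=(root) NOPASSWD: /sbin/shutdown -p now

# Check the syntax before relying on it, then confirm what john may run:
#   visudo -c -f /usr/local/etc/sudoers.d/shutdown
#   sudo -l -U john
```

Like sudoers itself, the drop-in must be owned by root and not writable by anyone else (mode 0440 is the convention; visudo -f sets it). Note what the argument pinning does and does not buy: it stops john from choosing other shutdown modes, but it is still a full-privilege execution of a root binary, so the binary and its directory must remain unwritable by john, just as the script in the original question would have had to be.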