topic Re: Giving a script root access in Operating System - HP-UX

Giving a script root access

Ullrich Rieger — Fri, 06 Oct 2000 14:19:00 GMT

I created a script, containing the statement
chown user myfile
to change the owner of a file that I am not owner of. I set the s-bit of the script file and tried to execute the script as an ordinary user. I got the messsage:
myfile: not owner

setting the s-bit of a chown works fine.
What's wrong?

Re: Giving a script root access

John Palmer — Fri, 06 Oct 2000 14:21:21 GMT

Is the first line of your script:-

#!/usr/bin/sh
or
#!/usr/bin/ksh

This is required to get setuid to work with a script. Test it by getting the script to execute 'id'.

Regards,
John

Re: Giving a script root access

James R. Ferguson — Fri, 06 Oct 2000 14:40:04 GMT

Hi:

For what it's worth, here's two comments.

Of course, remember the dangers associated with suid scripts. You'll certainly be asked to explain where and why you have them by an auditor.

Also, depending on the commands you are using within your scirpt, you'll probably need/want to to specify absolute paths. Root's default PATH includes /usr/sbin where common user's don't (and don't need to).

...JRF...

Re: Giving a script root access

Alan Riggs — Fri, 06 Oct 2000 19:33:51 GMT

Also -- please remember to trap escape sequences in your script. You do not want to allow a user to gain a root shell simply by hitting CTRL-c.

Re: Giving a script root access

Bill Hassell — Sat, 07 Oct 2000 04:33:00 GMT

To reiterate the issues about security: set user-ID scripts for root access are the worst security hole you can provide. It is quite easy to subvert a script by interrupting it or change the environment in which it runs to gain super user privileges.

Strongly reconsider the use of scripts and instead, write a program with appropriate precautions. Executables are much more secure in a suid application.