topic Re: about setuid in Operating System - HP-UX

about setuid

kamal_15 — Sun, 10 Apr 2005 11:55:51 GMT

hi all

i have a problem
i write a simple script run only under user root. this is the script.(lvdisplay /dev/vg00/lvol1).

i want to make user kamal able to run this script.
i do the following:
login as root
chmod 4777 DBstat
the result is
-rwsrwxrwx 1 root sys 26 Apr 10 18:13 DBstat

but when tryed to execute script under user kamal i receive error
DBstat: lvdisplay: not found.
please expalin why this error ?

note :script works good under root user.
thankx

kamal

Re: about setuid

Leif Halvarsson_2 — Sun, 10 Apr 2005 13:09:15 GMT

Hi,
The problem is that your PATH is different from root PATH (try echo $PATH for your login and when logged in as root).
Solution:
use the absolute path in your script
/sbin/lvdsplay

Re: about setuid

KapilRaj — Sun, 10 Apr 2005 13:21:20 GMT

There are couple of things here !

01. I do not think setuid works for shell scripts it is only for binary executables
02. Please never ever keep a setuid script with 777 i.e. any tom can change & run it and can blow up your system.
03. I normally ask my software peer to write a program in C and compile it and then set the permission as 750 and the group would be the user's group.

04. sudo works best here and easy as well

Regds,

Kaps

Re: about setuid

A. Clay Stephenson — Sun, 10 Apr 2005 13:22:59 GMT

As has already been said, you need to either use absolute pathnames OR do something like
PATH=${PATH}:/usr/sbin
export PATH

inside your script.

I must say that having a setuid script with 4777 mode is really, really dumb. Anyone can alter this script and do great damage. At the very least, change the permissions to 4555 so that no one can write to this file.

Setuid scripts, in general, are a terrible security risk and should be avoided. Use sudo to do this instead.

Re: about setuid

kamal_15 — Sun, 10 Apr 2005 13:27:35 GMT

many thanks for all
sorry
i forget change path.
now every thing is ok
but
when i tryed to change my script to execute command (useradd).
i recieved messege : Permission Denied
also i setuid
what is the problem?

Re: about setuid

A. Clay Stephenson — Sun, 10 Apr 2005 13:31:46 GMT

Is the setuid bit set AND is the file owned by root? Both of those conditions must be met.

Re: about setuid

kamal_15 — Sun, 10 Apr 2005 13:38:45 GMT

bin is the owner of file useradd
/usr/sbin/useradd.
-r-xr-xr-x 1 bin bin 53248 May 12 1998 useradd.
and my script file :
-rwsr-xr-x 1 root informix 76 Apr 10 20:22 DBstat.

Re: about setuid

A. Clay Stephenson — Sun, 10 Apr 2005 13:45:25 GMT

Have you su-ed to another user inside this script so that you are no longer root?

Re: about setuid

kamal_15 — Sun, 10 Apr 2005 14:07:28 GMT

hi all
there is something i can't understand it.

my login name is kamal.
when i tryed to execute command (useradd).
i recieved messege : Permission Denied.

i goto /usr/sbin and make the following :
1-chown root useradd
2-chmod 4755 useradd

now i can execute command useradd under my user.
but the problem is any user can execute this command also.
when i tryed before to put this command in file .and setuid to this file to root.
i recieved messege :permission denied.

i want to leave file useradd without any changes . and make file contain command (useradd) and setuid to this file.

is that possipole?

Re: about setuid

A. Clay Stephenson — Sun, 10 Apr 2005 19:36:47 GMT

You have now seen why setuid scripts are so dangerous. When root owns a setuid script and the permissions allow for anyone to execute it then anyone can do this dangerous task. You could put some logic in your script to determine who the user is but the better approach is to use sudo. It will safely give you the accesss you are looking for.

Re: about setuid

kamal_15 — Mon, 11 Apr 2005 03:14:11 GMT

my simple question is:

can i write script contain one command executed only by root(for ex: useradd)

and setuid for this script.
and run this script under any user except root?

i tryed to do that but i recieved messege :
permission denied.

is there any thing i gorget?
thankx

Re: about setuid

KapilRaj — Mon, 11 Apr 2005 09:11:38 GMT

sudo
sudo
sudo
sudo

You have already tweaked the os binaries and their permissions , never do that..

for others, does setuid work for shell scripts ?

Regds,

Kaps

Re: about setuid

Pete Randall — Mon, 11 Apr 2005 09:19:36 GMT

Yes, setuid works on shell scripts.

Pete

Re: about setuid

Gary L. Paveza, Jr. — Mon, 11 Apr 2005 09:55:49 GMT

If you're just doing lvdisplay, then just fully quality it /usr/sbin/lvdisplay. Root permissions are not required to run this command. Any user can.

Re: about setuid

Emil Velez — Mon, 11 Apr 2005 17:01:40 GMT

I would suggest that you consdier the Restricted Sam builder. You can add a script to be executed by sam using whatever userid and you can add scripts or programs to sam and specify what userid can run specific entries in sam. It is a good functionality that provides full logging.