topic Re: permissions problem using setuid in Operating System - HP-UX

permissions problem using setuid

Raynald Boucher — Tue, 18 Mar 2008 17:39:52 GMT

Hello all,
here is one for the teachers.

I have a log directory /var/logs/oracle (775) and files within it all owned by "oracle:batchgrp" with 664 permissions.

Group "batchgrp" includes user "batchrun".
Shared executable "astsql" has the following permissions (notice the setuid):
-r-sr-xr-x 1 batchrun batchgrp

How come script "astsql" fails to write to the log directory when run by user "oracle" (unless user "oracle" is also part of group "batchgrp").

User oracle owns the files and user batchrun belongs to group "batchgrp" which has write permissions on the files.

I know I have a solution but I don't understand why?

Thanks

RayB

Re: permissions problem using setuid

James R. Ferguson — Tue, 18 Mar 2008 17:55:32 GMT

Hi Ray:

On one hand you say, "Shared executable "astsql". Then you say, "script "astsql".

Setuid *binaries* work whereas setuid *scripts* will may not. On 11.23 and later, you must set the kernel parameter 'secure_sid_scripts' appropriately for setuid *scripts* to function.

http://docs.hp.com/en/B3921-60631/secure_sid_scripts.5.html

Regards!

...JRF...

Re: permissions problem using setuid

Raynald Boucher — Tue, 18 Mar 2008 18:16:35 GMT

My error, it is a shared executable and we are running 11.11:
$ ll astsql
-r-sr-xr-x 1 batchrun batchgrp 24576 Jul 28 2005 astsql
$ file astsql
astsql: PA-RISC1.1 shared executable dynamically linked -not stripped
$

It's a c program that finds a username/password and runs a sql script using sqlplus.

Re: permissions problem using setuid

Tim Nelson — Tue, 18 Mar 2008 20:21:34 GMT

your suid bit is only set for uid.

oracle with run as uid batchrun but still have the same oracle default group. What group(s) is oracle uid a member of ? If not batchgrp then set the guid bit or just add oracle user to the batchgrp and control the file creation by setting guid on the directory to force all file creation to batchgrp.

Re: permissions problem using setuid

Raynald Boucher — Wed, 19 Mar 2008 11:38:05 GMT

Tim,

I know making oracle part of the batchgrp group will work.
But I'm trying to understand:
- why user oracle has to be member of the batchgrp eventhough it owns the target file and directory
- why user batchrun cannot update a file even though it belongs to a group that can.

This is a concept question and I can't find a manual that explains it clearly.

Thanks

RayB