topic Re: setuid in Operating System - HP-UX

setuid

Mike_21 — Wed, 13 Feb 2002 19:30:37 GMT

Situation: I have a script in the /root directory permissions are rwx for "root only".

I would like to give user x the ability to run this script as root, I know this is possible. I tried to chmod u+s script, it now looks like rws.

This did not work........ DO I have to move this script out of /root?

Thanks

Re: setuid

Patrick Wallek — Wed, 13 Feb 2002 19:38:26 GMT

If you want the script to run as root, but you want the other user to have access to it, you can do a couple of things.

1) Change the permissions of the script so that it has group execute permission and then change the group to one that the user is a member of. Then when the user runs the script, it will run as root.

The script permissions would look like:

-rwsr-x--- 1 root somegroup 1234 Feb 13 13:15 script_name

Then you modify /etc/group so that the user is a member of the group somegroup

somegroup::123:userid

The problem with this is that if there are multiple people that are a member of somegroup then ALL of them can run the script.

2) You could download and install the product sudo http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.2b1/

Then you can set up that user in sudo so that he has acccess to that script and no one else does. This allows you to leave the permissions of the script set to 700 or 500 and root as the owner.

I would personally vote for using sudo. It allows you to do a lot of things with assigning 'root' privileges to users without them actually having to know the root passwd. Once sudo is set up, you run a command by doing:

$ sudo command_name

It then prompts the user for their password, if you set it as such, and the command then executes.

Re: setuid

Krishna Prasad — Wed, 13 Feb 2002 19:46:38 GMT

You could also use restricted SAM.

You would need to add you script as a custom application.

Then you run sam -r and setup the user(s) you want have acess to this script or any SAM functions.

The downside to this is that the users have to run SAM to run the script.

Re: setuid

Kelli Ward — Wed, 13 Feb 2002 19:48:57 GMT

Hi,
You safest bet, to prevent tampering, may be to chmod 555 <script>. This will give you:
-r-xr-xr-x permissions on the file and prevent anyone from inadvertantly overwriting the script or damaging it. Even a well intentioned root user won't be able to write to it without "forcing" the change.
Good luck,
Kel

Re: setuid

Kelli Ward — Wed, 13 Feb 2002 19:52:16 GMT

Ooo... That reminds me. You can also use your file manager to edit the permissions.
Find the file in your file folder, right click on it, then right click on properties. There will be permission buttons you can click to set the permissions however you wish.
One: you must be owner to do so.
Two: You must be running a graphical interface to do this. I.e: CDE or HP-Vue
Good luck again,
Kel

Re: setuid

Darrell Allen — Wed, 13 Feb 2002 20:04:06 GMT

Hi all,

Just a word of caution. Don't set perms to 4555 unless you want everyone to be able to run the script as root.

Darrell

Re: setuid

Mike_21 — Wed, 13 Feb 2002 20:07:34 GMT

The response that Patrick gave will not work and gives an error message... Permission denied.

Re: setuid

Darrell Allen — Wed, 13 Feb 2002 20:34:51 GMT

Hi Mike,

I've used Patrick's suggestion a number of times. Something must be just a little off.

-rwsr-x--- root somegroup ... script_name

That should work in 11.x IF the user is in somegroup (as specified in /etc/group) or somegroup is the users primary group (as specified in /etc/passwd).

If running pre-11.x then you need /etc/logingroup. Simply create a symlink pointing to /etc/group:
ln -s /etc/group /etc/logingroup

Darrell

Re: setuid

Darrell Allen — Wed, 13 Feb 2002 20:40:05 GMT

Dang, it helps to read the question. /root doesn't have permissions for the user. You either have to open that up or put the script in another directory that the user has r-w perms.

All things considered, sudo and restricted SAM are better choices.

My apologies for not reading better. Couldn't see the forrest for the trees.

Darrell

Re: setuid

Patrick Wallek — Wed, 13 Feb 2002 20:45:20 GMT

What are the permissions on the /root directory, the file you are wanting to execute and what is the output of 'id username' where username is the id of the user that you want to execute this script?

Re: setuid

Kelli Ward — Wed, 13 Feb 2002 21:03:34 GMT

Whoops, I didn't exactly read the post right myself.
Quick question, This script, does it run internal commands that require root access to use them? I.e: reboot and date
If not, you may be able to create a copy, owned by the user in their directory. If they do, you may need to give them permission to run the internal "root" commands as well. If, I am now understanding your question correctly.
Best of luck to you,
Kel

Re: setuid

Helen French — Wed, 13 Feb 2002 21:20:14 GMT

Hi Mike,

If I understood correctly, then you can use the ACL commands for giving access of a specific file for a specific user.

For eg: user1 needs execute permission for a file called /script1, then

# chacl 'user1.%=rx' /script1

HTH,
Shiju

Re: setuid

Mike_21 — Thu, 14 Feb 2002 13:30:45 GMT

Sorry about the confusion....

I better add that this scripot that is located in /home/root accesses directories owned by root. So when userx executes this script, I would think that userx doesn't get roots permissions, thus is why it is failing. I would definitely prefer sudo access, however, the current situation will not allow this (long story). Also userx is running a restricted shell.

Thanks for the help...

Re: setuid

Krishna Prasad — Thu, 14 Feb 2002 14:20:33 GMT

I would try SAM if this is a big if it works with a user you is using restricted SAM?

Re: setuid

Ruediger Noack — Thu, 14 Feb 2002 15:10:54 GMT

It is NOT possible to set the s-bit to a shell script, only for executables.
Make a little c program with
system(script)
in it and set your s-bit to the compiled program.

Ruediger

Re: setuid

James R. Ferguson — Thu, 14 Feb 2002 18:14:14 GMT

Hi Mike:

If this is *really* what you want to do, and I'm sure you know the reasons for avoiding 'setuid' and 'setgid' scripts and programs, so I won't lecture, then:

1) Use a Posix script (#!usr/bin/sh)
2) Make the *owner* of the script 'root'
3) chmod the script 4555

Regards!

...JRF...

Re: setuid

James R. Ferguson — Thu, 14 Feb 2002 18:18:43 GMT

Hi (again) Mike:

...and I should add that the directory in which the script or executable resides is immaterial. Put it whereever you want/need users to get it. To a very limited extent, this can help protect it, although these are very dangerous little animals to have.

Regards!

...JRF...

Re: setuid

Wodisch — Thu, 14 Feb 2002 20:18:01 GMT

No Mike,

sorry to interfere with the "olympian" (not too sorry, though ;-), but it is NOT a good idea to give a setuid script world read permission, simply execute permission for those to start it, and read permission for the owner is enough.
Even though a setuid script should NOT have any holes in, it is still not advisible to let everybody see how to tamper with it :-(

They should not even *know* it is a script...

Hence for dircteory "/root" and the file "/root/dangerus" you could set the permissions as follows:
-r-s--x--- 1 root mighty ... /root/dangerous
-r-xr-xr-- 1 root mighty ... /root

where the user would have to be member of group "mighty" (do you have the sym-link "/etc/logingroup->/etc/group"???)

Just my $0.2,
Wodisch

Re: setuid

Patrick Wallek — Thu, 14 Feb 2002 20:31:06 GMT

Sorry Woodisch, but JRF is correct in his assesment of permissions. A shell script can NOT be executed with having 'read' permission set.

Here's an example. I created a script called test_script. It's contents are:

#!/usr/bin/sh
echo "This is a test on `date`"

Now I set its permissions to 711 (owner is root, group is sys) and tried executing it as a regular user.

$ ll test_script
-rwx--x--x 1 root sys 46 Feb 14 14:27 test_script
$ ./test_script
/usr/bin/sh: ./test_script: cannot open

But when I change the permissions to 715:

$ ll ./test_script
-rwx--xr-x 1 root sys 46 Feb 14 14:27 ./test_script
$ ./test_script
This is a test on Thu, Feb 14, 2002 02:28:31 PM

So you can not have a shell script with ONLY execute permission. It won't work. The read permissions allows your shell to "read", or parse and run, the script. The execute permission allos you to do a ./scriptname to execute so you don't have to run the script by doing 'sh scriptname'.

You can get away with having execute permission only on a compiled program because it is already compiled and the shell doesn't have to read it.

Sorry to burst your bubble.

Re: setuid

James R. Ferguson — Thu, 14 Feb 2002 20:34:13 GMT

Hi Wodisch:

I wholly agree. Read permissions are unnecessary. The less known and shown the better. Thanks!

Regards!

...JRF...