topic Re: setuid problem in Operating System - HP-UX

setuid problem

gigiz — Thu, 02 Aug 2007 06:27:14 GMT

Hi ,
i have a question ...
I use setuid with a my script for a user.
The script belong to oracle:oinstall and have this permission :
-rwsr-sr-x 1 oracle oinstall 22 Aug 8 12:49 pippo.sh
I launch this script with user test.
If i chek whith ps -ef :

ps -ef |grep -i pippo.sh
test 8484 8461 0 13:54:39 pts/tb 0:00 /bin/ksh ./pippo.sh
test 8504 8461 1 13:54:54 pts/tb 0:00 grep -i pippo.sh
I look that the process belong to test user and not oracle.
In SOLARIS this same test of setuid , and the process belong to oracle.

Thereis a procedure o configuration file or parameter in hpux for setuid to have a same solaris result

HELP me MANY POINT at all

Re: setuid problem

James R. Ferguson — Thu, 02 Aug 2007 06:44:35 GMT

Hi:

HP-UX doesn't allow 'setuid' scripts by default. If you want to use this technique, you must create a 'setuid' C-wrapper around your script.

See here for more information:

http://docs.hp.com/en/B2355-60105/secure_sid_scripts.5.html

Regards!

...JRF...

Re: setuid problem

Ralph Grothe — Thu, 02 Aug 2007 07:37:36 GMT

What about the slightly more comfortable wrapper sudo?

Can be found as part of the Internet Express,
installs in a minute, and another 3 minutes for editing your "wrapper" rule.

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1111

Re: setuid problem

gigiz — Thu, 02 Aug 2007 08:17:45 GMT

Ok
but JAMES,
how i use the setuid script ???
help me step by step thanks

Re: setuid problem

James R. Ferguson — Thu, 02 Aug 2007 08:48:40 GMT

Hi:

If you wish to use the example provided in the manpage link in my post, copy the code therein into a secure place and change the define to specify *your* script's absolute path (e.g. '/usr/local/bin/pippo.sh'). If the modified code were called "pippo.c" compile it:

# cc ./pippo.c -o ./pippo

...Then set the setuid and setgid bits as yuo have shown in your post:

# chown oracle:dba ./pippo
# chmod 6555 ./pippo

Now, when you execute './pippo' you will be running a setuid/setgid shell script '/usr/local/bin/pippo.sh'.

As Ralph noted, 'sudo' is a good alternative to this, though.

Regards!

...JRF...

Re: setuid problem

gigiz — Thu, 02 Aug 2007 09:37:46 GMT

hi JAMES, but a c script filed in compiation

#include
#include
#include
#define SETUID_SCRIPT "/home/oracle/pippo.sh"

int main(int argc, char *const argv[])
{
if (strcmp(argv[1], SETUID_SCRIPT) == 0) {
execv(argv[1], argv+1);
perror(argv[0]);
} else {
fprintf(stderr, "%s is not a known setuid script\n",
argv[1] ? argv[1] : "unspecified-script" );
}
exit(1);
}

ollio-/home/oracle -> cc setto.c -o ./setto
(Bundled) cc: "setto.c", line 6: warning 5: "const" will become a keyword.
(Bundled) cc: "setto.c", line 6: error 1000: Unexpected symbol: "argv".
(Bundled) cc: "setto.c", line 6: error 1705: Function prototypes are an ANSI feature.
(Bundled) cc: "setto.c", line 8: error 1588: "argv" undefined.
(Bundled) cc: "setto.c", line 8: error 1528: Subscript expression must combine pointer and integer.
(Bundled) cc: "setto.c", line 9: error 1528: Subscript expression must combine pointer and integer.
(Bundled) cc: "setto.c", line 10: error 1528: Subscript expression must combine pointer and integer.
(Bundled) cc: "setto.c", line 12: error 1588: "stderr" undefined.
(Bundled) cc: "setto.c", line 13: error 1528: Subscript expression must combine pointer and integer.
(Bundled) cc: "setto.c", line 13: error 1528: Subscript expression must combine pointer and integer.
(Bundled) cc: "setto.c", line 13: error 1552: First expression of ?: must be arithmetic.

Re: setuid problem

A. Clay Stephenson — Thu, 02 Aug 2007 09:40:42 GMT

You should actually be glad that setuid scripts don't work. This has been a big security hole in HP-UX prior to 11.23. Setuid scripts are (and always have been) an accident waiting to happen. Of course, you can always change the value of the secure_sid_scripts tunable and your box will be just as bad as it was in the good old days.

In the strictest sense, setuid scripts should have never been functional because scripts are not true executables but rather data files for an executable --- the shell in this case.

As noted, you will need to either create a wrapper or put your command under the control of sudo. Sudo is the much better choice because you have great control over who is allowed to execute what commands and the activity is logged.

Re: setuid problem

James R. Ferguson — Thu, 02 Aug 2007 10:08:50 GMT

Hi (again):

Your compilation problem is due to the fact that you don't have an Ansi C compiler; only the bundled one offered free.

#include
#include
#include
#define SETUID_SCRIPT "/home/oracle/pippo.sh"

main(argc, argv)

int argc;
char **argv;

{
if (strcmp(argv[1], SETUID_SCRIPT) == 0) {
execv(argv[1], argv+1);
perror(argv[0]);
} else {
printf("%s is not a known setuid script\n",
argv[1] ? argv[1] : "unspecified-script" );
}
exit(1);
}

...should compile for you. If you compile the code and name it 'pippo' then you run it like:

# ./pippo /home/oracle/pippo.sh

...having 'chmod'ed the 'pippo' executable as I first noted.

Regards!

...JRF...

Re: setuid problem

Peter Nikitka — Thu, 02 Aug 2007 10:16:36 GMT

Hi,

it's not enough to have just the kernel compiler to compile this piece of code.
If you tranfer the source file to be 'Kernighan-Richie'-compliant, it will do.

mfG Peter

Re: setuid problem

Dennis Handly — Fri, 03 Aug 2007 04:04:39 GMT

>Peter: If you tranfer the source file to be K&R-compliant

Note: K&R isn't supported on Integrity.

Re: setuid problem

gigiz — Fri, 03 Aug 2007 04:57:06 GMT

1) I have a 11.11 and not a 11.23.
2) the c script work but if i do ps:

$ id
uid=114(test) gid=20(users)
$ cd /home/oracle
$ ll
total 112
drwxr-xr-x 2 oracle oinstall 96 Aug 9 10:16 TAR
-rw-rw-rw- 1 root sys 422 Aug 8 17:01 ninni.c
-rw------- 1 root sys 0 Aug 8 13:05 nohup.out
-r-sr-xr-x 1 oracle oinstall 20480 Aug 9 11:34 pippo
-rw-rw-rw- 1 root sys 423 Aug 9 11:34 pippo.c
-rwsr-xr-x 1 oracle oinstall 22 Aug 8 12:49 pippo.sh
-rw-rw-rw- 1 root sys 422 Aug 8 16:55 setto.c
$ ./pippo /home/oracle/pippo.sh &
[1] 20133
ps -ef |grep -i pippo
test 20133 20114 0 12:24:15 pts/ta 0:00 /bin/ksh /home/oracle/pippo.sh
test 20141 20114 1 12:24:31 pts/ta 0:00 grep -i pippo

i need that this process process belong to oracle user ...
thanks
and a poin at the finish .

Re: setuid problem

Peter Nikitka — Fri, 03 Aug 2007 05:16:31 GMT

Hi,

the ps-output may be meaningless and NOT telling you the EUID. Add something like
rm -f /tmp/newfile
touch /tmp/newfile
ls -l /tmp/newfile

in your script and check the permissions for correctness.

mfG Peter

Re: setuid problem

Dennis Handly — Fri, 03 Aug 2007 05:20:05 GMT

test 20133 20114 0 12:24:15 pts/ta 0:00 /bin/ksh /home/oracle/pippo.sh

>i need that this process process belong to oracle user

It does. ps(1) returns the original real user and not the effective user.

Have your script use id(1) to check.

Note the ps -u option works differently depending on whether you use UNIX95= or not.

Note you can customize ps with UNIX95= by displaying both USER and RUSER.

$ UNIX95= ps -ef -opid,user,ruser,args

Re: setuid problem

Dennis Handly — Fri, 03 Aug 2007 05:27:23 GMT

>Note you can customize ps with UNIX95= by displaying both USER and RUSER.
$ UNIX95= ps -ef -opid,user,ruser,args

Hmm, it seems that just by using UNIX95= ps(1) displays the effective ID. I don't see a difference between user and ruser when I use a sudo-like tool to run that ps. I just get root. Hmm, it happens even without UNIX95??)

Re: setuid problem

gigiz — Fri, 03 Aug 2007 09:31:22 GMT