Ramifications of SUID
10-17-2001 09:02 AM
My question is this: if I create a separate script which starts Informix, AND set this script to the user ID I wish via setuid, when I run this start script as root... is this the same in all ways as an su to the Informix user and running a script to start Informix?
I am not sure of all the ramifications (positive and negative) of using setuid to start a program. I know that Informix will not show the informix user as the process owner, but will identify the process with the informix user. Very confusing!
Thanks!
Mike
10-17-2001 09:07 AM
Re: Ramifications of SUID
10-17-2001 09:11 AM
Solution
The usual method for running a command as another user is:
su - loginid -c "command line with options"
This effectively runs the script as the loginid you specified. If called by any user other than root, passwords would apply.
Sounds like you want to set the setuid bit on the script that is owned by informix. Be aware that anyone who has execute permissions on the script would run it as informix. Don't allow them write permissions, or they could put what they want in the script. At any rate, I'd go with the su - method.
Darrell
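
A check for the two exposures described in the post above, as an added example that is not part of the original thread: it lists setuid scripts under a directory and flags any that someone other than the owner can write or execute. The function name and output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list setuid interpreter scripts under a
# directory and flag the permissions the post warns about.
# Output: one line per script, "<path>: <flags>".
audit_setuid_scripts() {
    dir=$1
    # -perm -4000 selects files with the setuid bit set (POSIX find syntax).
    find "$dir" -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        # Only scripts are of interest: the first two bytes must be "#!".
        [ "$(head -c 2 "$f" 2>/dev/null)" = '#!' ] || continue
        flags=""
        # Group- or world-writable: someone other than the owner can change
        # what runs under the owner's uid.
        if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \) -print)" ]; then
            flags="$flags non-owner-writable"
        fi
        # Group- or world-executable: every such user runs it as the owner.
        if [ -n "$(find "$f" \( -perm -010 -o -perm -001 \) -print)" ]; then
            flags="$flags non-owner-executable"
        fi
        echo "$f:${flags:- owner-only}"
    done
}
```

Run it as `audit_setuid_scripts /path/to/scripts`; any line other than `owner-only` is a script worth replacing with the `su -` approach.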
10-17-2001 09:21 AM
Re: Ramifications of SUID
Hope this helps.
-Santosh
10-17-2001 09:58 AM
Re: Ramifications of SUID
su - informix -c "program name"
That said, if root is the only one that needs to run the script, then having it setuid should be relatively safe as long as the permissions are set properly.
As for functionality, either method should work, but I prefer to start the process directly as the user. I also try to stay away from using setuid scripts whenever possible as it is just a bad habit to get into because of all the security concerns.
10-17-2001 10:03 AM
Re: Ramifications of SUID
Thanks again!
Mike
10-17-2001 10:05 AM
Re: Ramifications of SUID
In general setuid scripts are to be avoided. Since this is a database script, the easiest method is to run this as su informix mycmd.sh
or su - informix mysh.cmd.
You have two choices for how to properly set up the environment. If you use su - informix and thus source informix's .profile then you must make sure that no tty dependent commands like tset, stty, tabs ... are executed. This means that you need to surround any of those commands with
if [ -t 0 ]
then
  cmds
fi
so that they are only executed in an interactive environment.
A better way is to set and export all the Informix vars in a separate script e.g. /usr/local/bin/informixenv.sh (there should be no exit statement in this file)
then both Informix's .profile and your startup script simply source this file like this:
. /usr/local/bin/informixenv.sh
This is my standard method for starting any database. Do the su informix mycmds.sh and let mycmds.sh source the informixenv.sh script.
One other method which can make su's fairly safe is the sudo command which you can download from one of the Porting Centers. I actually prefer to wrapper a small setuid C program.
Clay
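
The layout described in the post above, as an added example that is not part of the original thread: a shared environment file, a profile whose tty commands are guarded by `[ -t 0 ]`, and a startup script that sources only the environment file. The files are built in a scratch directory; the variable values, the `profile` file name and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: build the three files in directory $1. On a real host the
# environment file would be /usr/local/bin/informixenv.sh and the profile
# would be the informix user's .profile.
make_layout() {
    d=$1
    # 1. Shared environment file: assignments and export only, no exit.
    cat > "$d/informixenv.sh" <<'EOF'
INFORMIXDIR=/opt/informix        # constructed value
INFORMIXSERVER=demo_server       # constructed value
PATH=$INFORMIXDIR/bin:$PATH
export INFORMIXDIR INFORMIXSERVER PATH
EOF
    # 2. Login profile: tty-dependent commands run only on a terminal.
    cat > "$d/profile" <<EOF
. "$d/informixenv.sh"
if [ -t 0 ]
then
    stty erase '^H'
    TTY_SETUP=done
fi
EOF
    # 3. Startup script: sources the same environment file, not the profile.
    cat > "$d/mycmds.sh" <<EOF
#!/bin/sh
. "$d/informixenv.sh"
echo "would start \$INFORMIXSERVER from \$INFORMIXDIR"
EOF
    chmod 755 "$d/mycmds.sh"
}

# Source the profile with no terminal on stdin, as happens when "su - informix"
# is called from a boot script: the guarded block must be skipped.
profile_without_tty() {
    sh -c '. "$1/profile"; echo "${TTY_SETUP:-skipped} $INFORMIXSERVER"' sh "$1" </dev/null
}

# Run the startup script from an environment that has no Informix variables:
# it still finds them because it sources informixenv.sh itself.
start_with_clean_env() {
    env -i PATH=/usr/bin:/bin sh "$1/mycmds.sh"
}
```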