Howto properly setuid to a shell script?

 
Naru
Occasional Visitor

Howto properly setuid to a shell script?

Hello all,

I just found this forum via Google while searching for how to convert shell scripts to binary, but it looks like more than that ;)

I've read a post here in the forums; someone said there's a good way to setuid scripts instead of converting them to binary.

I've just made a script for automating check/restart of a service called cccam, and I setuid to it, and it works well. I also attached it if you want to take a look at it.

But if there's a better way, please share :).
5 REPLIES
Matti_Kurkela
Honored Contributor

Re: Howto properly setuid to a shell script?

Using setuid with shell scripts is generally not recommended. If the system is configured to allow setuid shell scripts, a regular user can usually fool the script into running anything the user wants.

There are many ways to do this; one of the simplest is to manipulate PATH or other environment variables, so that the script will run the user's malicious commands/scripts instead of the standard system commands.

Another common way would be to specify unexpected characters in script arguments or other input, but since your script takes no input from the user and uses no command line arguments, your script should be immune to that at least.

If you need to run a script as a different user, a better way is to use the "sudo" command: it will enforce a standard set of environment variables and strip away the rest, so it will be much harder to fool the script.

But I have to ask: what exactly are you trying to achieve with converting shell scripts to binary and/or with setuid scripts? What is the actual requirement you're trying to fulfill with these methods?

MK
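To show the PATH point above concretely, here is an added example (not from this thread or the poster's attached script): a POSIX sh sketch of the same "find the service's pid" step in its trusting form and in a hardened form that resets PATH, IFS and the shell startup hooks, which is roughly what sudo's env_reset and secure_path do for you. The fake pidof, temp directory and SAFE_PATH value are constructed for the demo.

```sh
#!/bin/sh
# Added illustration: why a privileged shell script must not trust its inherited
# environment. The 'pidof' lookup stands in for the poster's cccam check.

# Fixed system PATH the hardened form switches to (constructed value; adjust to
# the host's layout).
SAFE_PATH='/usr/sbin:/usr/bin:/sbin:/bin'

# Trusting form: whatever PATH the caller supplied decides which 'pidof' runs
# with the script's privileges.
weak_which_pidof() {
    command -v pidof 2>/dev/null
}

# Hardened form: drop the variables a caller can use to redirect what the
# script executes, then resolve the command on the fixed PATH only.
hardened_which_pidof() {
    PATH="$SAFE_PATH"; export PATH
    unset IFS ENV BASH_ENV CDPATH
    command -v pidof 2>/dev/null
}

# Demo: place a harmless fake 'pidof' (it only echoes "fake") first on PATH,
# the way an unprivileged caller of a setuid script could. Returns 0 when the
# trusting lookup resolved to the fake and the hardened lookup did not.
demo_untrusted_path() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho fake\n' > "$tmp/pidof"
    chmod +x "$tmp/pidof"
    # Each lookup runs in a subshell so the PATH changes stay contained.
    weak=$(PATH="$tmp:$PATH"; weak_which_pidof) || weak=''
    hardened=$(PATH="$tmp:$PATH"; hardened_which_pidof) || hardened=''
    rm -rf "$tmp"
    [ "$weak" = "$tmp/pidof" ] && [ "$hardened" != "$tmp/pidof" ]
}
```

If the host has no pidof at all, the hardened lookup simply prints nothing; the point is that it never resolves to a caller-supplied copy.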
Naru
Occasional Visitor

Re: Howto properly setuid to a shell script?

I am trying to daemonize the script I attached in the 1st post; even if the machine is rebooted, it should be started at startup.

How I realized this: I added it to rc.local, and while the machine was running I used: setuid script.sh.

My first try was with nohup script.sh &, but this didn't work very well for me, as the script generates some logs based on the service status, and nohup forces the logs to go to nohup.out. Even if I specify nohup script.sh somelogs.txt &, it still doesn't meet my requirements, because the script generates the logs in different files based on the service status.

Re: Howto properly setuid to a shell script?

>nohup forces the logs to go to nohup.out

nohup will only redirect stdout and stderr if not already redirected. You also can have the script write directly to a log file.

>kill `pidof cccam` 2&>1 /dev/null

Is this valid bash? In a real shell you use:
kill `pidof cccam` > /dev/null 2>&1
Naru
Occasional Visitor

Re: Howto properly setuid to a shell script?

I just noticed that bit; it must have been a mistake, but that was just to keep the output clean, so I won't get the 'process killed' message after the process is killed, or the 'process doesn't exist' message.

I did redirect the logs by this:

echo "`date +%D-%T` Check: Failed ..restarting" >> $log

If I use nohup, all will go to nohup.out instead of the log file I specified.

$log is declared at the beginning of the script.
Naru
Occasional Visitor

Re: Howto properly setuid to a shell script?

I'm sorry, I must have confused most of you with my question, because I made a small mistake: instead of saying setsid, I asked for setuid (which is a completely different thing, I know).

Now, I must ask you to replace everything that is setuid with setsid. Now that I've cleared that up, I hope the moderators can edit the subject of this thread too.

Thanks, and sorry for the confusion.