HPE Community
Operating System - HP-UX
1752782 Members
6154 Online
108789 Solutions
New Discussion юеВ

Re: set UID

 
Harsha HR
Occasional Contributor

тАО12-03-2009 07:31 AM

тАО12-03-2009 07:31 AM

set UID

Hi All,

I am new to HPUX.
while practiceing set UID in test server have some issue.
===================================
I am logged in as a root user.
# cat p1
sleep 20
# ll p1
-r-sr-xr-x 1 root sys 9 Dec 3 10:24 p1
===================================
Now I am executing p1 as a normal user "usr1", I found that the child process has owner as "user1" but should be "root"

$ sh p1 &
$ ps -ef| grep sleep
user1 11500 11499 0 10:05:52 pts/5 0:00 sleep 20

====================================
0 Kudos
Reply
5 REPLIES 5
James R. Ferguson
Acclaimed Contributor

тАО12-03-2009 07:40 AM

тАО12-03-2009 07:40 AM

Re: set UID

Hi:

"Set-UID" scripts are potentially dangerous. Current HP-UX kernels can control whether or not shell scripts are allowed to run "setuid".

This is controlled by the kernel parameter 'secure_sid_scripts':

http://docs.hp.com/en/B2355-60130/secure_sid_scripts.5.html

Regards!

...JRF...
0 Kudos
Reply
Harsha HR
Occasional Contributor

тАО12-03-2009 09:21 AM

тАО12-03-2009 09:21 AM

Re: set UID

Hi James,

Thanks for your reply. I checked the value of the said parameter, it was 1 & I have changed it to 0. still output remains same...

===============================

# kctune | grep -i secure
secure_sid_scripts 0 0 Immed
===============================
$ ll p1
-r-sr-xr-x 1 root sys 9 Dec 3 10:24 p1
$ cat p1
sleep 20
$ sh p1 &
[1] 12198
$ ps -ef| grep sleep
piyush 12199 12198 1 12:19:06 pts/3 0:00 sleep 20
===============================

0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

тАО12-03-2009 09:42 AM

тАО12-03-2009 09:42 AM

Re: set UID

Hi (again):

Add an 'id' command call before your 'sleep' to display the _effective_ userid of the process:

# cat p1
id
sleep 20

# chmod 4555 p1

Too, there is no reason to do:

# sh p1

Instead, skip the extra shell and do:

# ./p1

Regards!

...JRF...
Regards!

...JRF...
0 Kudos
Reply
Harsha HR
Occasional Contributor

тАО12-03-2009 10:22 AM

тАО12-03-2009 10:22 AM

Re: set UID

Hi James,

This is the output...


============================
$ cat p1
id
sleep 20
$ ./p1
uid=107(user1) gid=1001(b)
============================

0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

тАО12-03-2009 10:48 AM

тАО12-03-2009 10:48 AM

Re: set UID

Hi (again):

On a system that allows 'setuid' shell scripts, your output should look something like:

$ ./p1
uid=1000(jrf) gid=20(users) euid=0(root)

Notice that this works if you don't impose another subshell by running 'sh p1'.

The fact that you don't show the effective ID field suggests something is amiss. Verify that your latest change as the 'setuid' bit set on the script; that the script is owned by 'root'.

Regards!

...JRF...
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.