cancel
Showing results for 
Search instead for 
Did you mean: 

set UID

Harsha HR
Occasional Contributor

set UID

Hi All,

I am new to HPUX.
while practiceing set UID in test server have some issue.
===================================
I am logged in as a root user.
# cat p1
sleep 20
# ll p1
-r-sr-xr-x 1 root sys 9 Dec 3 10:24 p1
===================================
Now I am executing p1 as a normal user "usr1", I found that the child process has owner as "user1" but should be "root"

$ sh p1 &
$ ps -ef| grep sleep
user1 11500 11499 0 10:05:52 pts/5 0:00 sleep 20

====================================
5 REPLIES
James R. Ferguson
Acclaimed Contributor

Re: set UID

Hi:

"Set-UID" scripts are potentially dangerous. Current HP-UX kernels can control whether or not shell scripts are allowed to run "setuid".

This is controlled by the kernel parameter 'secure_sid_scripts':

http://docs.hp.com/en/B2355-60130/secure_sid_scripts.5.html

Regards!

...JRF...
Harsha HR
Occasional Contributor

Re: set UID

Hi James,

Thanks for your reply. I checked the value of the said parameter, it was 1 & I have changed it to 0. still output remains same...

===============================

# kctune | grep -i secure
secure_sid_scripts 0 0 Immed
===============================
$ ll p1
-r-sr-xr-x 1 root sys 9 Dec 3 10:24 p1
$ cat p1
sleep 20
$ sh p1 &
[1] 12198
$ ps -ef| grep sleep
piyush 12199 12198 1 12:19:06 pts/3 0:00 sleep 20
===============================

James R. Ferguson
Acclaimed Contributor

Re: set UID

Hi (again):

Add an 'id' command call before your 'sleep' to display the _effective_ userid of the process:

# cat p1
id
sleep 20

# chmod 4555 p1

Too, there is no reason to do:

# sh p1

Instead, skip the extra shell and do:

# ./p1

Regards!

...JRF...
Regards!

...JRF...
Harsha HR
Occasional Contributor

Re: set UID

Hi James,

This is the output...


============================
$ cat p1
id
sleep 20
$ ./p1
uid=107(user1) gid=1001(b)
============================

James R. Ferguson
Acclaimed Contributor

Re: set UID

Hi (again):

On a system that allows 'setuid' shell scripts, your output should look something like:

$ ./p1
uid=1000(jrf) gid=20(users) euid=0(root)

Notice that this works if you don't impose another subshell by running 'sh p1'.

The fact that you don't show the effective ID field suggests something is amiss. Verify that your latest change as the 'setuid' bit set on the script; that the script is owned by 'root'.

Regards!

...JRF...