
11.00 setuid

MartyB
Frequent Advisor

11.00 setuid

Hello, does 11.00 protect itself against unknown setuid binaries? I'm trying to install fping for a user, but it requires setuid for a non-root user to run. But, even when I setuid the file I still can't run it as a non-root user, I get:

This program can only be run by root, or it must be setuid root.

Here are the permissions on the binary to prove I'm not crazy:

-rwsr-xr-x 1 root sys

While researching I saw mention of a kernel parameter that doesn't allow setuid binaries (secure_sid_scripts), but this parameter doesn't exist on my system.

Any ideas?

Thanks!
James R. Ferguson
Acclaimed Contributor

Re: 11.00 setuid

Hi:

The kernel parameter 'secure_sid_scripts' didn't appear until 11i v1.6. Moreover, it applies only to scripts and not binary executables.

Regards!

...JRF...

Bill Hassell
Honored Contributor

Re: 11.00 setuid

Check your mountpoint options for /usr (or wherever fping is stored):

mount -p

Look for nosuid (option in fstab) which prevents SUID programs from running. This is a recommended setting for open directories like /home, /tmp and /var.


Bill Hassell, sysadmin
James R. Ferguson
Acclaimed Contributor

Re: 11.00 setuid

Hi (again):

In all likelihood, Bill is correct. At least in current releases, if you mount a filesystem with the 'nosuid' option and attempt to execute a 'suid' binary, you get the message:

: Setuid execution not allowed

...and execution (may) continue without the effective uid changed.

If this is indeed the case, you can remount VxFS filesystems by doing (for example):

# mount -F vxfs -o delaylog,suid,remount /mountpoint

Be sure to specify all the mount options otherwise used for the mountpoint as recorded in your '/etc/fstab' when you do this.

Of course, to make the change permanent, edit '/etc/fstab'.

Lastly, if you do not want to allow 'setuid' behavior in the filesystem in question and that filesystem is mounted with 'nosuid', then consider moving your binary to a filesystem that _does_ allow setuid execution --- '/usr/local/bin' being one choice.

Regards!

...JRF...
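The check Bill and JRF describe (find the filesystem a binary lives on, see whether it is mounted nosuid) can be automated. The following is an added example, not code from the thread or from fping: it takes a snapshot of `mount -p` style lines (the mount table below is constructed for illustration, with the HP-UX layout "device mountpoint fstype options freq pass"), finds the longest mountpoint that contains the binary's path, and reports whether that filesystem carries `nosuid`. The function and sample names are this example's own.

```c
/* Added example (not from the thread): decide which mounted filesystem holds
 * a file and whether that filesystem is mounted nosuid, from a snapshot of
 * "mount -p" output. The mount table below is constructed for illustration. */
#include <stdio.h>
#include <string.h>

/* Constructed sample in "mount -p" layout: device mountpoint fstype options freq pass */
static const char *SAMPLE_MOUNTS[] = {
    "/dev/vg00/lvol3 / vxfs delaylog 0 1",
    "/dev/vg00/lvol7 /usr vxfs delaylog 0 1",
    "/dev/vg00/lvol8 /var vxfs delaylog,nosuid 0 1",
    "/dev/vg00/lvol4 /home vxfs delaylog,nosuid 0 1",
    "/dev/vg00/lvol9 /usr/local vxfs delaylog,suid 0 1",
    NULL
};

/* Return 1 if the comma-separated option list contains exactly the word opt
 * (so "nosuid" does not match inside "suid" and vice versa). */
static int has_option(const char *options, const char *opt) {
    size_t n = strlen(opt);
    const char *p = options;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == n && strncmp(p, opt, n) == 0) return 1;
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* Return 1 if mountpoint is a prefix of path at a directory boundary,
 * so "/usr" covers "/usr/local/bin/fping" but not "/usrdata/x". */
static int is_prefix_dir(const char *mountpoint, const char *path) {
    size_t m = strlen(mountpoint);
    if (strcmp(mountpoint, "/") == 0) return path[0] == '/';
    return strncmp(mountpoint, path, m) == 0 && (path[m] == '/' || path[m] == '\0');
}

/* Find the longest mountpoint containing path. Copies that mountpoint into
 * mp_out and returns 1 if the filesystem is mounted nosuid, 0 if setuid
 * execution is allowed there, -1 if no mount entry matched. */
int suid_blocked_for(const char *path, const char *const *mounts,
                     char *mp_out, size_t mp_len) {
    size_t best = 0;
    int found = 0, blocked = 0;
    for (int i = 0; mounts[i]; i++) {
        char dev[128], mp[128], fstype[32], opts[128];
        if (sscanf(mounts[i], "%127s %127s %31s %127s", dev, mp, fstype, opts) != 4)
            continue;
        if (!is_prefix_dir(mp, path)) continue;
        size_t l = strlen(mp);
        if (!found || l > best) {
            best = l;
            found = 1;
            blocked = has_option(opts, "nosuid");
            snprintf(mp_out, mp_len, "%s", mp);
        }
    }
    return found ? blocked : -1;
}

int main(void) {
    const char *paths[] = { "/usr/local/bin/fping", "/home/marty/fping", "/opt/fping" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        char mp[128];
        int r = suid_blocked_for(paths[i], SAMPLE_MOUNTS, mp, sizeof mp);
        if (r < 0)
            printf("%s: no matching mount entry\n", paths[i]);
        else
            printf("%s: on %s, setuid %s\n", paths[i], mp,
                   r ? "BLOCKED (nosuid)" : "allowed");
    }
    return 0;
}
```

On a live system you would feed the real `mount -p` lines in place of the constructed table; the longest-prefix rule matters because a binary under /usr/local is governed by the /usr/local mount, not by /usr or /.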
MartyB
Frequent Advisor

Re: 11.00 setuid

I appreciate the replies so far! None of my filesystems are mounted nosuid, and some of them even have suid explicitly listed.

I have tried moving the binary to the various filesystems but have had no luck. Keep in mind the error message I'm getting is from the application, not from the OS, so I'm likely barking up the wrong tree with mount options.

Also of note, I got the binary directly from the Porting and Archive Center, so it wasn't anything I compiled incorrectly.

Any other ideas?
Matti_Kurkela
Honored Contributor
Solution

Re: 11.00 setuid

It's also possible that the fping program has a bug. Maybe it gets its test wrong and _thinks_ it doesn't have root privileges, while in fact it does have them.

The "Installation" document in the Porting and Archive Centre says:

------

HP Porting Changes:
===================

[...]
Source Code: Changed seteuid to setuid. :0 Still works!)

Running:
========
As root.

------
I'd assume this means the person who did the porting did not even attempt to make it work for non-root users.

MK
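Matti's hypothesis is that the program tests for privilege incorrectly and so refuses to run even though the setuid bit has given it root. The following added example is not fping's code and makes no claim about its actual source; it shows the general bug class with hypothetical check functions: a test on the real uid fails for a setuid-root binary started by an ordinary user, while the correct test looks at the effective uid. It also shows the defensive pattern of dropping the elevated uid once it is no longer needed, and notes the `setuid` versus `seteuid` distinction the porting note touches on.

```c
/* Added example (not fping's code): two ways a setuid-root program might test
 * for privilege, and why one of them wrongly refuses a non-root caller. */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Buggy test (hypothetical): looks only at the real uid. A setuid-root binary
 * started by an ordinary user has real uid != 0, so this reports "no
 * privilege" even though the effective uid is 0. */
int buggy_has_root(uid_t ruid, uid_t euid) {
    (void)euid;
    return ruid == 0;
}

/* Correct test: the kernel grants privilege on the effective uid, which is 0
 * both for a root caller and for a setuid-root binary started by anyone. */
int correct_has_root(uid_t ruid, uid_t euid) {
    (void)ruid;
    return euid == 0;
}

/* Returns 1 if a program using the given check would refuse to run. */
int would_refuse(int (*check)(uid_t, uid_t), uid_t ruid, uid_t euid) {
    return !check(ruid, euid);
}

/* Defensive pattern: once the privileged resource (a raw socket, say) has been
 * obtained, give up root permanently. setuid() from a privileged process sets
 * the real, effective and saved uid together, so the drop cannot be undone;
 * seteuid() changes only the effective uid and can be reversed later. */
int drop_privileges(void) {
    uid_t real = getuid();
    if (setuid(real) != 0) return -1;
    /* Verify the drop actually happened before doing any further work. */
    if (getuid() != real || geteuid() != real) return -1;
    return 0;
}

int main(void) {
    /* Constructed scenario: user 1000 runs a setuid-root binary. */
    uid_t ruid = 1000, euid = 0;
    printf("real uid %u, effective uid %u\n", (unsigned)ruid, (unsigned)euid);
    printf("real-uid check:      %s\n",
           would_refuse(buggy_has_root, ruid, euid)
               ? "This program can only be run by root, or it must be setuid root."
               : "proceeds");
    printf("effective-uid check: %s\n",
           would_refuse(correct_has_root, ruid, euid) ? "refuses" : "proceeds");

    /* Live values for the current process, then drop whatever was elevated. */
    printf("this process: real %u effective %u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    printf("drop_privileges: %s\n", drop_privileges() == 0 ? "ok" : "failed");
    return 0;
}
```

Run as an ordinary user without the setuid bit, both checks refuse; with the bit set and root ownership, only the real-uid check still refuses, which is the symptom in the original post.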
MartyB
Frequent Advisor

Re: 11.00 setuid

I think you hit the nail on the head... and even if you didn't it drove me to the solution: sudo

Thanks for the replies everyone!