HPE Community
Operating System - HP-UX
1833758 Members
2561 Online
110063 Solutions
New Discussion

about setuid

 
SOLVED
Go to solution
kamal_15
Regular Advisor

‎04-10-2005 04:55 AM

‎04-10-2005 04:55 AM

about setuid

hi all

i have a problem
i write a simple script run only under user root. this is the script.(lvdisplay /dev/vg00/lvol1).

i want to make user kamal able to run this script.
i do the following:
login as root
chmod 4777 DBstat
the result is
-rwsrwxrwx 1 root sys 26 Apr 10 18:13 DBstat

but when tryed to execute script under user kamal i receive error
DBstat: lvdisplay: not found.
please expalin why this error ?

note :script works good under root user.
thankx

kamal
0 Kudos
Reply
14 REPLIES 14
Leif Halvarsson_2
Honored Contributor

‎04-10-2005 06:09 AM

‎04-10-2005 06:09 AM

Solution

Re: about setuid

Hi,
The problem is that your PATH is different from root PATH (try echo $PATH for your login and when logged in as root).
Solution:
use the absolute path in your script
/sbin/lvdsplay
Reply
KapilRaj
Honored Contributor

‎04-10-2005 06:21 AM

‎04-10-2005 06:21 AM

Re: about setuid

There are couple of things here !

01. I do not think setuid works for shell scripts it is only for binary executables
02. Please never ever keep a setuid script with 777 i.e. any tom can change & run it and can blow up your system.
03. I normally ask my software peer to write a program in C and compile it and then set the permission as 750 and the group would be the user's group.

04. sudo works best here and easy as well

Regds,

Kaps
Nothing is impossible
0 Kudos
Reply
A. Clay Stephenson
Acclaimed Contributor

‎04-10-2005 06:22 AM

‎04-10-2005 06:22 AM

Re: about setuid

As has already been said, you need to either use absolute pathnames OR do something like
PATH=${PATH}:/usr/sbin
export PATH

inside your script.

I must say that having a setuid script with 4777 mode is really, really dumb. Anyone can alter this script and do great damage. At the very least, change the permissions to 4555 so that no one can write to this file.

Setuid scripts, in general, are a terrible security risk and should be avoided. Use sudo to do this instead.
If it ain't broke, I can fix that.
0 Kudos
Reply
kamal_15
Regular Advisor

‎04-10-2005 06:27 AM

‎04-10-2005 06:27 AM

Re: about setuid

many thanks for all
sorry
i forget change path.
now every thing is ok
but
when i tryed to change my script to execute command (useradd).
i recieved messege : Permission Denied
also i setuid
what is the problem?
0 Kudos
Reply
A. Clay Stephenson
Acclaimed Contributor

‎04-10-2005 06:31 AM

‎04-10-2005 06:31 AM

Re: about setuid

Is the setuid bit set AND is the file owned by root? Both of those conditions must be met.
If it ain't broke, I can fix that.
0 Kudos
Reply
kamal_15
Regular Advisor

‎04-10-2005 06:38 AM

‎04-10-2005 06:38 AM

Re: about setuid

bin is the owner of file useradd
/usr/sbin/useradd.
-r-xr-xr-x 1 bin bin 53248 May 12 1998 useradd.
and my script file :
-rwsr-xr-x 1 root informix 76 Apr 10 20:22 DBstat.

0 Kudos
Reply
A. Clay Stephenson
Acclaimed Contributor

‎04-10-2005 06:45 AM

‎04-10-2005 06:45 AM

Re: about setuid

Have you su-ed to another user inside this script so that you are no longer root?

If it ain't broke, I can fix that.
0 Kudos
Reply
kamal_15
Regular Advisor

‎04-10-2005 07:07 AM

‎04-10-2005 07:07 AM

Re: about setuid

hi all
there is something i can't understand it.

my login name is kamal.
when i tryed to execute command (useradd).
i recieved messege : Permission Denied.

i goto /usr/sbin and make the following :
1-chown root useradd
2-chmod 4755 useradd

now i can execute command useradd under my user.
but the problem is any user can execute this command also.
when i tryed before to put this command in file .and setuid to this file to root.
i recieved messege :permission denied.

i want to leave file useradd without any changes . and make file contain command (useradd) and setuid to this file.

is that possipole?
0 Kudos
Reply
A. Clay Stephenson
Acclaimed Contributor

‎04-10-2005 12:36 PM

‎04-10-2005 12:36 PM

Re: about setuid

You have now seen why setuid scripts are so dangerous. When root owns a setuid script and the permissions allow for anyone to execute it then anyone can do this dangerous task. You could put some logic in your script to determine who the user is but the better approach is to use sudo. It will safely give you the accesss you are looking for.
If it ain't broke, I can fix that.
0 Kudos
Reply
kamal_15
Regular Advisor

‎04-10-2005 08:14 PM

‎04-10-2005 08:14 PM

Re: about setuid

my simple question is:

can i write script contain one command executed only by root(for ex: useradd)

and setuid for this script.
and run this script under any user except root?

i tryed to do that but i recieved messege :
permission denied.

is there any thing i gorget?
thankx
0 Kudos
Reply
KapilRaj
Honored Contributor

‎04-11-2005 02:11 AM

‎04-11-2005 02:11 AM

Re: about setuid

sudo
sudo
sudo
sudo

You have already tweaked the os binaries and their permissions , never do that..

for others, does setuid work for shell scripts ?

Regds,

Kaps
Nothing is impossible
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎04-11-2005 02:19 AM

‎04-11-2005 02:19 AM

Re: about setuid

Yes, setuid works on shell scripts.


Pete

Pete
0 Kudos
Reply
Gary L. Paveza, Jr.
Trusted Contributor

‎04-11-2005 02:55 AM

‎04-11-2005 02:55 AM

Re: about setuid

If you're just doing lvdisplay, then just fully quality it /usr/sbin/lvdisplay. Root permissions are not required to run this command. Any user can.
0 Kudos
Reply
Emil Velez
Honored Contributor

‎04-11-2005 10:01 AM

‎04-11-2005 10:01 AM

Re: about setuid


I would suggest that you consdier the Restricted Sam builder. You can add a script to be executed by sam using whatever userid and you can add scripts or programs to sam and specify what userid can run specific entries in sam. It is a good functionality that provides full logging.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.