Operating System - HP-UX
Re: permissions problem using setuid

 
Raynald Boucher
Super Advisor

permissions problem using setuid

Hello all,
here is one for the teachers.

I have a log directory /var/logs/oracle (775) and files within it all owned by "oracle:batchgrp" with 664 permissions.

Group "batchgrp" includes user "batchrun".
Shared executable "astsql" has the following permissions (notice the setuid):
-r-sr-xr-x 1 batchrun batchgrp

How come script "astsql" fails to write to the log directory when run by user "oracle" (unless user "oracle" is also part of group "batchgrp")?

User oracle owns the files, and user batchrun belongs to group "batchgrp", which has write permissions on the files.

I know I have a solution, but I don't understand why.

Thanks

RayB
James R. Ferguson
Acclaimed Contributor

Re: permissions problem using setuid

Hi Ray:

On one hand you say "shared executable astsql"; then you say "script astsql".

Setuid *binaries* work, whereas setuid *scripts* may not. On 11.23 and later, you must set the kernel parameter 'secure_sid_scripts' appropriately for setuid *scripts* to function.

http://docs.hp.com/en/B3921-60631/secure_sid_scripts.5.html

Regards!

...JRF...
Raynald Boucher
Super Advisor

Re: permissions problem using setuid

My error, it is a shared executable and we are running 11.11:
$ ll astsql
-r-sr-xr-x 1 batchrun batchgrp 24576 Jul 28 2005 astsql
$ file astsql
astsql: PA-RISC1.1 shared executable dynamically linked -not stripped
$

It's a C program that finds a username/password and runs a SQL script using sqlplus.
Tim Nelson
Honored Contributor

Re: permissions problem using setuid

Your suid bit is only set for the uid.

oracle will run as uid batchrun but still have the same oracle default group. What group(s) is the oracle uid a member of? If not batchgrp, then set the setgid bit, or just add the oracle user to batchgrp and control the file creation by setting setgid on the directory to force all file creation to batchgrp.


Raynald Boucher
Super Advisor

Re: permissions problem using setuid

Tim,

I know making oracle part of the batchgrp group will work.
But I'm trying to understand:
- why user oracle has to be a member of batchgrp even though it owns the target file and directory
- why user batchrun cannot update a file even though it belongs to a group that can.

This is a concept question and I can't find a manual that explains it clearly.

Thanks

RayB
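The point Tim makes, as an added example that is not part of the thread or of the poster's astsql program: a setuid-only binary changes the process's effective uid, but not its effective gid or its supplementary group list, and the classic Unix mode-bit check picks exactly one permission triplet by looking at the effective uid first, then the groups, then "other". The numeric uids and gids below are hypothetical, and the log file is modelled as oracle:batchgrp with mode 664 as described above; the directory check (775) follows the same rule.

```c
#include <stdio.h>
#include <stddef.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed numeric ids standing in for the thread's users and groups
 * (hypothetical values, not taken from any real /etc/passwd). */
enum { UID_ORACLE = 1001, UID_BATCHRUN = 1002, GID_DBA = 2001, GID_BATCHGRP = 2002 };

struct creds {
    uid_t euid;            /* effective uid: the only thing a setuid-only binary changes */
    gid_t egid;            /* effective gid: stays the caller's */
    const gid_t *groups;   /* supplementary groups: also stay the caller's */
    size_t ngroups;
};

struct finfo { uid_t owner; gid_t group; mode_t mode; };

/* The log file from the thread: owned oracle:batchgrp, mode 664. */
static const struct finfo LOGFILE = { UID_ORACLE, GID_BATCHGRP, 0664 };

static int in_group(const struct creds *c, gid_t g)
{
    if (c->egid == g) return 1;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g) return 1;
    return 0;
}

/* Classic (non-ACL) Unix mode-bit check: exactly one triplet applies, chosen
 * by the effective uid first, then egid/supplementary groups, else "other".
 * Root skips the mode bits entirely. */
int can_write(const struct creds *c, const struct finfo *f)
{
    if (c->euid == 0)           return 1;
    if (c->euid == f->owner)    return (f->mode & 0200) != 0;
    if (in_group(c, f->group))  return (f->mode & 0020) != 0;
    return (f->mode & 0002) != 0;
}

static const gid_t only_dba[]      = { GID_DBA };
static const gid_t dba_and_batch[] = { GID_DBA, GID_BATCHGRP };

/* oracle runs the setuid-batchrun binary: euid=batchrun, groups still oracle's.
 * Not the owner, not in batchgrp -> "other" bits (r--) apply -> no write. */
int oracle_via_setuid_writes_log(void)
{
    struct creds c = { UID_BATCHRUN, GID_DBA, only_dba, 1 };
    return can_write(&c, &LOGFILE);
}

/* oracle running a normal (non-setuid) program: euid=oracle=owner -> rw-. */
int oracle_direct_writes_log(void)
{
    struct creds c = { UID_ORACLE, GID_DBA, only_dba, 1 };
    return can_write(&c, &LOGFILE);
}

/* batchrun logged in directly: its own group list holds batchgrp -> rw-.
 * This is why "user batchrun" can write, while "oracle running as batchrun"
 * cannot: the second process never picked up batchrun's groups. */
int batchrun_direct_writes_log(void)
{
    static const gid_t batchrun_groups[] = { GID_BATCHGRP };
    struct creds c = { UID_BATCHRUN, GID_BATCHGRP, batchrun_groups, 1 };
    return can_write(&c, &LOGFILE);
}

/* The fix from the thread: oracle added to batchgrp. Through the setuid binary
 * the process still carries batchgrp in its supplementary groups -> rw-. */
int oracle_in_batchgrp_via_setuid_writes_log(void)
{
    struct creds c = { UID_BATCHRUN, GID_DBA, dba_and_batch, 2 };
    return can_write(&c, &LOGFILE);
}

/* Stand-alone run: print this process's real credentials so the same reasoning
 * can be checked on a live box (install it setuid to see euid differ from uid
 * while the group list stays the caller's). */
int main(void)
{
    gid_t gs[64];
    int n = getgroups(64, gs);
    printf("uid=%ld euid=%ld gid=%ld egid=%ld groups:", (long)getuid(),
           (long)geteuid(), (long)getgid(), (long)getegid());
    for (int i = 0; i < n; i++) printf(" %ld", (long)gs[i]);
    printf("\nmodel: oracle via setuid=%d direct=%d batchrun=%d fixed=%d\n",
           oracle_via_setuid_writes_log(), oracle_direct_writes_log(),
           batchrun_direct_writes_log(), oracle_in_batchgrp_via_setuid_writes_log());
    return 0;
}
```

The model answers both of Ray's questions: ownership only helps when the *effective* uid equals the owner, which setuid has just replaced with batchrun; and batchrun's group membership only helps when batchrun's own group list is in the process, which it is not when the kernel merely swaps the euid on exec. Adding oracle to batchgrp, or setting the setgid bit so the egid becomes batchgrp as well, makes the group triplet apply.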