Operating System - HP-UX

Re: running "chown" within a SETUID script

SOLVED
Marc Ahrendt
Super Advisor

running "chown" within a SETUID script

I have a script that I want users to run as root. Everything works except the chown command, which fails saying "Not owner" for each file a chown is attempted against.

1) i set the script permissions to 4555
2) CHOWN is set globally

I know about sudo and the fact that I can run this script as a root cron job ... I just want to know why chown does not work within a SETUID script.

Is the command "chown" not fooled by the SETUID bit?
hola
9 REPLIES
John Poff
Honored Contributor

Re: running "chown" within a SETUID script

Hi,

Using the CHOWN privilege just allows a user to 'chown' files that belong to them. Everyone gets that by default. It sounds like your set-uid script is running as root but doesn't have the effective user ID set for root, which is what the chown call is looking for.

From the chown (2) man page:

Only processes with an effective user ID equal to the file owner or a user having appropriate privileges can change the ownership of a file. If privilege groups are supported, the owner of a file can change the ownership only as a member of a privilege group allowing CHOWN, as set up by the setprivgrp command (see setprivgrp(1M) ). All users get the CHOWN privilege by default.

You could try running the 'id' command inside of your script to see if it will report what the effective user ID is while it is running.

JP
S.K. Chan
Honored Contributor

Re: running "chown" within a SETUID script

As far as I know, chown would work in an suid script. I did a quick little test and it worked as I expected. My script is owned by root:sys and had r-sr-xr-x permissions. I then ran it as user "skchan"; a line in the script performed a chown on a temp file in /tmp and it did it for me. Put these 2 commands in your script:
1- whoami
2- who am i
1 returns "root" as the effective uid and 2 returns "skchan". What does yours return?
James R. Ferguson
Acclaimed Contributor
Solution

Re: running "chown" within a SETUID script

Hi:

You say that "all works except the chown...". First, I agree with John and SK: if you add the 'id' command, does your script show that it has an effective uid of zero?

Make sure that you have specified the shell interpreter "she-bang":

#!/usr/bin/sh

...or...

#!/sbin/sh

Without this the script will not run as an suid script despite the permissions denoting this state.

Regards!

...JRF...
Frank Slootweg
Honored Contributor

Re: running "chown" within a SETUID script

Please realize that set-UID (and set-GID) scripts are a big security risk and *cannot* be made secure. As you yourself mention, sudo or cron are better solutions.
Marc Ahrendt
Super Advisor

Re: running "chown" within a SETUID script

John: sorry, I forgot to state that the script ownership is root:users.

SK: thx for confirming that it should work ... I learned that "whoami" and "id" always return the real user name while "who am i" returns root as the user name.

James: thx for the fix! I did not define the shell in the script ... awesome catch.

Frank: can I make the SETUID script somewhat secure by setting the permissions to 4550? My thought is that if a hacker has the ability to modify this script then the hacker has the ability to do worse anyway....

FYI: below is the actual script ... James gave the fix in that I did not have this 1st line defining the shell:
#!/bin/sh
cd /opt/tomcat/webapps/IDCNServlets/xml
chown webadmin:webgroup *.xml
hola
Frank Slootweg
Honored Contributor

Re: running "chown" within a SETUID script

Marc, a set-UID script does not have to be writeable to be a security risk. As I said, they *cannot* be made secure, i.e. also not by making them non-writeable.
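Added example (not code from any poster in this thread): a read-only audit of the conditions the replies turned up for Marc's script, namely James's missing "#!" interpreter line, the set-UID bit itself, and Frank's and Marc's exchange about writability. It assumes only POSIX sh plus ls, head, cut and awk; note that Linux ignores the set-UID bit on scripts altogether, so there the report merely documents why such a script never gains privilege.

```shell
#!/bin/sh
# Added example: audit a script against the set-UID pitfalls discussed in the
# thread. Assumes POSIX sh with ls, head, cut and awk available.
# Returns 0 when no finding is reported, 1 on any finding, 2 if not a file.
check_setuid_script() {
    script=$1
    rc=0
    if [ ! -f "$script" ]; then
        echo "$script: not a regular file" >&2
        return 2
    fi

    # 1) Without a "#!" first line the kernel never execs an interpreter for
    #    the file; the caller's shell just reads it, so no uid change occurs.
    case $(head -n 1 "$script") in
        '#!'*) ;;
        *) echo "$script: first line is not a #! interpreter line" >&2; rc=1 ;;
    esac

    # 2) Mode and owner from "ls -ld", e.g. "-r-sr-xr-x 1 root users ...".
    #    Column 4 reads 's' when set-UID and user-exec are both set.
    perm=$(ls -ld "$script" | cut -c1-10)
    owner=$(ls -ld "$script" | awk '{ print $3 }')
    case $(printf '%s\n' "$perm" | cut -c4) in
        s) echo "$script: set-UID, would run with effective uid of $owner" ;;
        *) echo "$script: set-UID bit not set (mode $perm)" >&2; rc=1 ;;
    esac

    # 3) Columns 6 and 9 are the group and other write bits; a set-UID script
    #    that anyone else can edit hands them the owner's privileges.
    case $(printf '%s\n' "$perm" | cut -c6,9) in
        *w*) echo "$script: group- or world-writable set-UID script ($perm)" >&2; rc=1 ;;
    esac
    return $rc
}
```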
W.C. Epperson
Trusted Contributor

Re: running "chown" within a SETUID script

Frank is right, but probably too busy to articulate why. Here's one discussion of how to do setuid scripts and also why you probably shouldn't:

http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html
"I have great faith in fools; self-confidence, my friends call it." --Poe
John Meissner
Esteemed Contributor

Re: running "chown" within a SETUID script

You can run the script as root if you use a product such as sudo or ServiceControl Manager. These are free and secure, although a little more work than I think you are looking for here. But still a good investment (of your time) should you choose to use either.
All paths lead to destiny
Marc Ahrendt
Super Advisor

Re: running "chown" within a SETUID script

thx Frank, WC, and John ... that link WC gave explains well why my SETUID script works OK now, as James indicated, and also that I should not use it!
hola