HPE Community
Operating System - HP-UX
1833241 Members
3047 Online
110051 Solutions
New Discussion

SetUID behavior

 
SOLVED
Go to solution
Marie-Josee Cormier
Advisor

‎03-20-2007 07:37 AM

‎03-20-2007 07:37 AM

SetUID behavior

Is this normal behavior?
We have the SetUID on a file, so we want users to run it, to run it as ftpuser.

Like you can see, runing the whoami command shows it works, displaying ftpuser.

Here's a few tests commands..

[root@ACME /home/test/] ls -Fla test.sh
-rwsr-xr-x 1 ftpuser sys 49 Mar 20 16:24 test.sh*


[root@ACME /home/test/] cat ./test.sh
#!/usr/bin/sh
cd /userdisk/prod/msweb
pwd
whoami

[root@ACME /home/test/] ./test.sh
./test.sh[2]: /userdisk/prod/msweb: Permission denied.
/home/test
ftpuser

[root@HPUNIXA /home/test/] su ftpuser
[u@h /home/test/] cd /userdisk/prod/msweb
[u@h /userdisk/prod/msweb/]

[u@h /userdisk/prod/msweb/] id ftpuser
uid=xxx(ftpuser) gid=xxx(dti)

[root@ACME /userdisk/prod/] ls -Fla | grep msweb
drwxrws--- 3 appsfcpa dti 96 Jul 28 2005 msweb/

Is this normal behavior?

Hope this is not too much confusing..

Thanks!
0 Kudos
4 REPLIES 4
A. Clay Stephenson
Acclaimed Contributor

‎03-20-2007 08:03 AM

‎03-20-2007 08:03 AM

Solution

Re: SetUID behavior

This is a little hard to follow but /userdisk/prod/msweb does not have search permission for user ftpuser. Although the group permission allow group dti, you have only done a setuid not a setgid. Set both the setuid and setgid bits on your script.

I must say that setuid scripts are something that should really, really be avoided because they are a security hole you can drive a truck through. This is the sort of thing that is much better done with sudo or at least a setuid C program. I don't allow setuid scripts on any of my boxes and on those OS versions where setuid scripts can be disabled in the kernel, I disable them.
If it ain't broke, I can fix that.
0 Kudos
Ivan Krastev
Honored Contributor

‎03-20-2007 08:08 AM

‎03-20-2007 08:08 AM

Re: SetUID behavior

Sript have owner ftpuser and group sys, but folder is with appsfcpa.dti. When you switch to user ftp your group is changed to dti and all is ok.

Try to change group ownership of script to dti.

regards,
ivan
0 Kudos
Marie-Josee Cormier
Advisor

‎03-21-2007 12:01 AM

‎03-21-2007 12:01 AM

Re: SetUID behavior

Ok, sorry for the unclear post.

I though than when a script was executed with a SetUID, you were inheriting is group security as well.

Maybe I should explain what we wanted to do. We often need to transfer files to different ftp sites. We wanted those ftp sites access(user and pass) to remain secret even to user who executed those scripts.

So we created a .netrc file on our ftpuser user, wich contains a database of ftp sites, users and pass.

So when executing the putftp script, it was run as this ftpuser.

Sounds more complex than it is, i'm just not good at puting idea on text! : )

Anyway, thanks for your help, i'll look for another way.

Thanks

0 Kudos
Marie-Josee Cormier
Advisor

‎03-21-2007 12:17 AM

‎03-21-2007 12:17 AM

Re: SetUID behavior

Ok, I now understands SetUID better. It runs as the owner of the script, but the group security is still the executer of the script.

Thanks
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.