
setuid problem

 
SOLVED
gigiz
Valued Contributor

setuid problem

Hi,
I have a question...
I use setuid with a script of mine for a user.
The script belongs to oracle:oinstall and has these permissions:
-rwsr-sr-x 1 oracle oinstall 22 Aug 8 12:49 pippo.sh
I launch this script as user test.
If I check with ps -ef:

ps -ef |grep -i pippo.sh
test 8484 8461 0 13:54:39 pts/tb 0:00 /bin/ksh ./pippo.sh
test 8504 8461 1 13:54:54 pts/tb 0:00 grep -i pippo.sh
I see that the process belongs to the test user and not to oracle.
In Solaris, with this same setuid test, the process belongs to oracle.

Is there a procedure, configuration file or parameter in HP-UX for setuid to get the same result as Solaris?


HELP me, MANY POINTS to all
14 replies
James R. Ferguson
Acclaimed Contributor

Re: setuid problem

Hi:

HP-UX doesn't allow 'setuid' scripts by default. If you want to use this technique, you must create a 'setuid' C-wrapper around your script.

See here for more information:

http://docs.hp.com/en/B2355-60105/secure_sid_scripts.5.html

Regards!

...JRF...
Ralph Grothe
Honored Contributor

Re: setuid problem

What about the slightly more comfortable wrapper, sudo?

It can be found as part of Internet Express,
installs in a minute, and takes another 3 minutes for editing your "wrapper" rule.

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1111
Madness, thy name is system administration
gigiz
Valued Contributor

Re: setuid problem

OK,
but James,
how do I use the setuid script???
Help me step by step, thanks.
James R. Ferguson
Acclaimed Contributor

Re: setuid problem

Hi:

If you wish to use the example provided in the manpage link in my post, copy the code therein into a secure place and change the define to specify *your* script's absolute path (e.g. '/usr/local/bin/pippo.sh'). If the modified code were called "pippo.c" compile it:

# cc ./pippo.c -o ./pippo

...Then set the setuid and setgid bits as you have shown in your post:

# chown oracle:dba ./pippo
# chmod 6555 ./pippo

Now, when you execute './pippo' you will be running a setuid/setgid shell script '/usr/local/bin/pippo.sh'.

As Ralph noted, 'sudo' is a good alternative to this, though.

Regards!

...JRF...
gigiz
Valued Contributor

Re: setuid problem

Hi James, but the C script failed in compilation:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define SETUID_SCRIPT "/home/oracle/pippo.sh"

int main(int argc, char *const argv[])
{
    /* Only the compiled-in script may be launched; argc is checked so a
       missing argument is reported instead of dereferencing NULL. */
    if (argc > 1 && strcmp(argv[1], SETUID_SCRIPT) == 0) {
        execv(argv[1], argv+1);
        perror(argv[0]);          /* only reached if execv() failed */
    } else {
        fprintf(stderr, "%s is not a known setuid script\n",
                argc > 1 ? argv[1] : "unspecified-script" );
    }
    exit(1);
}


ollio-/home/oracle -> cc setto.c -o ./setto
(Bundled) cc: "setto.c", line 6: warning 5: "const" will become a keyword.
(Bundled) cc: "setto.c", line 6: error 1000: Unexpected symbol: "argv".
(Bundled) cc: "setto.c", line 6: error 1705: Function prototypes are an ANSI feature.
(Bundled) cc: "setto.c", line 8: error 1588: "argv" undefined.
(Bundled) cc: "setto.c", line 8: error 1528: Subscript expression must combine pointer and integer.
(Bundled) cc: "setto.c", line 9: error 1528: Subscript expression must combine pointer and integer.
(Bundled) cc: "setto.c", line 10: error 1528: Subscript expression must combine pointer and integer.
(Bundled) cc: "setto.c", line 12: error 1588: "stderr" undefined.
(Bundled) cc: "setto.c", line 13: error 1528: Subscript expression must combine pointer and integer.
(Bundled) cc: "setto.c", line 13: error 1528: Subscript expression must combine pointer and integer.
(Bundled) cc: "setto.c", line 13: error 1552: First expression of ?: must be arithmetic.
A. Clay Stephenson
Acclaimed Contributor

Re: setuid problem

You should actually be glad that setuid scripts don't work. This has been a big security hole in HP-UX prior to 11.23. Setuid scripts are (and always have been) an accident waiting to happen. Of course, you can always change the value of the secure_sid_scripts tunable and your box will be just as bad as it was in the good old days.

In the strictest sense, setuid scripts should have never been functional because scripts are not true executables but rather data files for an executable --- the shell in this case.


As noted, you will need to either create a wrapper or put your command under the control of sudo. Sudo is the much better choice because you have great control over who is allowed to execute what commands and the activity is logged.

If it ain't broke, I can fix that.
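As an added illustration of the sudo route that Ralph and Clay recommend (this is not from the thread): a sudoers entry that gives user "test" exactly one thing, running the thread's script as oracle, and logs each use. The script path, the user names and the log file location are assumptions taken from the thread.

```sudoers
# Added example (not from the thread): user "test" may run only the one
# script, as oracle, and every invocation is written to the log file.
# Path, user names and log file location are assumptions.
Defaults        logfile=/var/adm/sudo.log
test    ALL = (oracle) /home/oracle/pippo.sh
```

The user then runs "sudo -u oracle /home/oracle/pippo.sh" and the process has oracle as both real and effective user, so ps shows oracle with no wrapper at all. The remaining check is the same as for any wrapper: /home/oracle/pippo.sh and its directory must not be writable by test, otherwise the rule grants more than one script.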
James R. Ferguson
Acclaimed Contributor
Solution

Re: setuid problem

Hi (again):

Your compilation problem is due to the fact that you don't have an Ansi C compiler; only the bundled one offered free.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define SETUID_SCRIPT "/home/oracle/pippo.sh"

/* K&R-style definition, which the bundled (non-ANSI) cc accepts */
main(argc, argv)

int argc;
char **argv;

{
    /* Only the compiled-in script may be launched; argc is checked so a
       missing argument is reported instead of dereferencing NULL. */
    if (argc > 1 && strcmp(argv[1], SETUID_SCRIPT) == 0) {
        execv(argv[1], argv+1);
        perror(argv[0]);          /* only reached if execv() failed */
    } else {
        printf("%s is not a known setuid script\n",
               argc > 1 ? argv[1] : "unspecified-script" );
    }
    exit(1);
}

...should compile for you. If you compile the code and name it 'pippo' then you run it like:

# ./pippo /home/oracle/pippo.sh

...having 'chmod'ed the 'pippo' executable as I first noted.

Regards!

...JRF...
Peter Nikitka
Honored Contributor

Re: setuid problem

Hi,

it's not enough to have just the kernel compiler to compile this piece of code.
If you transfer the source file to be 'Kernighan-Ritchie'-compliant, it will do.

mfG Peter
The Universe is a pretty big place, it's bigger than anything anyone has ever dreamed of before. So if it's just us, seems like an awful waste of space, right? Jodie Foster in "Contact"
Dennis Handly
Acclaimed Contributor

Re: setuid problem

>Peter: If you transfer the source file to be K&R-compliant

Note: K&R isn't supported on Integrity.
gigiz
Valued Contributor

Re: setuid problem

1) I have 11.11 and not 11.23.
2) The C script works, but if I do ps:

$ id
uid=114(test) gid=20(users)
$ cd /home/oracle
$ ll
total 112
drwxr-xr-x 2 oracle oinstall 96 Aug 9 10:16 TAR
-rw-rw-rw- 1 root sys 422 Aug 8 17:01 ninni.c
-rw------- 1 root sys 0 Aug 8 13:05 nohup.out
-r-sr-xr-x 1 oracle oinstall 20480 Aug 9 11:34 pippo
-rw-rw-rw- 1 root sys 423 Aug 9 11:34 pippo.c
-rwsr-xr-x 1 oracle oinstall 22 Aug 8 12:49 pippo.sh
-rw-rw-rw- 1 root sys 422 Aug 8 16:55 setto.c
$ ./pippo /home/oracle/pippo.sh &
[1] 20133
ps -ef |grep -i pippo
test 20133 20114 0 12:24:15 pts/ta 0:00 /bin/ksh /home/oracle/pippo.sh
test 20141 20114 1 12:24:31 pts/ta 0:00 grep -i pippo

I need this process to belong to the oracle user...
Thanks,
and a point at the finish.
Peter Nikitka
Honored Contributor

Re: setuid problem

Hi,

the ps output may be meaningless and NOT tell you the EUID. Add something like
rm -f /tmp/newfile
touch /tmp/newfile
ls -l /tmp/newfile

in your script and check the permissions for correctness.

mfG Peter
The Universe is a pretty big place, it's bigger than anything anyone has ever dreamed of before. So if it's just us, seems like an awful waste of space, right? Jodie Foster in "Contact"
Dennis Handly
Acclaimed Contributor

Re: setuid problem

test 20133 20114 0 12:24:15 pts/ta 0:00 /bin/ksh /home/oracle/pippo.sh

>i need that this process process belong to oracle user

It does. ps(1) returns the original real user and not the effective user.

Have your script use id(1) to check.

Note the ps -u option works differently depending on whether you use UNIX95= or not.

Note you can customize ps with UNIX95= by displaying both USER and RUSER.

$ UNIX95= ps -ef -opid,user,ruser,args
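Here is an added example, not the manpage code and not any contributor's code from this thread, of a wrapper that ties together James's fixed-script wrapper and Dennis's point that ps(1) reports the real user. It assumes the script path from the thread, a fixed minimal environment of its own, and that setreuid()/setregid() are available (HP-UX and Linux both have them); using those, rather than setuid() alone, is what makes the real IDs follow the effective ones when the owner is not root, so the script and ps both see oracle for user and ruser. It is written in ANSI C (Dennis notes K&R is not supported on Integrity); with the bundled 11.11 cc it would need the same K&R conversion James showed. One caveat a reviewer would add: a wrapper is only as safe as the script it runs, so the script and its directory must not be writable by the invoking users (the listing above shows the .c sources as world-writable, which is worth fixing before compiling from them).

```c
/* Added example, not the manpage code nor any contributor's code from the
 * thread: a hardened setuid wrapper for one fixed script. The script path
 * and the minimal environment below are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SETUID_SCRIPT "/home/oracle/pippo.sh"   /* path from the thread */

/* Fixed environment handed to the script. The caller's PATH, IFS, ENV
 * (ksh reads the file named by ENV at startup), LD_* and the rest are
 * discarded because the caller controls them. */
static char *const clean_env[] = {
    "PATH=/usr/bin:/bin",
    "IFS= \t\n",
    NULL
};

/* Accept only the single compiled-in script; a missing or different
 * argument is refused. Returns 1 if allowed, 0 otherwise. */
int is_allowed_script(int argc, char *const argv[])
{
    if (argc < 2 || argv[1] == NULL)
        return 0;
    return strcmp(argv[1], SETUID_SCRIPT) == 0;
}

/* Make the effective IDs permanent: set real and effective to the script
 * owner's IDs. setreuid()/setregid() are used because plain setuid() on a
 * non-root effective ID changes only the effective ID and leaves the real
 * ID (what ps shows) as the caller. Group first, while the user ID still
 * carries the owner's privilege. Returns 0 on success, -1 on failure. */
int make_ids_permanent(void)
{
    if (setregid(getegid(), getegid()) != 0)
        return -1;
    if (setreuid(geteuid(), geteuid()) != 0)
        return -1;
    /* Verify the change rather than trusting the return values alone. */
    if (getuid() != geteuid() || getgid() != getegid())
        return -1;
    return 0;
}

/* Number of entries in the fixed environment, excluding the terminator. */
int clean_env_size(void)
{
    int n = 0;
    while (clean_env[n] != NULL)
        n++;
    return n;
}

int main(int argc, char *const argv[])
{
    if (!is_allowed_script(argc, argv)) {
        fprintf(stderr, "%s is not a known setuid script\n",
                (argc > 1 && argv[1]) ? argv[1] : "unspecified-script");
        return 1;
    }
    if (make_ids_permanent() != 0) {
        perror("setreuid/setregid");
        return 1;
    }
    /* execve() with the fixed environment and the compiled-in path, never
     * argv[1] itself; argv[1..] becomes the script's own argv. */
    execve(SETUID_SCRIPT, argv + 1, clean_env);
    perror(argv[0]);              /* only reached if the exec failed */
    return 1;
}
```

Compile it as James described ("cc pippo.c -o pippo", then chown and chmod 6555), and run it as "./pippo /home/oracle/pippo.sh". With Dennis's "UNIX95= ps -ef -opid,user,ruser,args" both user and ruser then show oracle, and Peter's touch/ls -l check inside the script shows a file owned by oracle.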
Dennis Handly
Acclaimed Contributor

Re: setuid problem

>Note you can customize ps with UNIX95= by displaying both USER and RUSER.
$ UNIX95= ps -ef -opid,user,ruser,args

Hmm, it seems that just by using UNIX95= ps(1) displays the effective ID. I don't see a difference between user and ruser when I use a sudo-like tool to run that ps. I just get root. Hmm, it happens even without UNIX95?
gigiz
Valued Contributor

Re: setuid problem

ok