Operating System - HP-UX
SOLVED
Lawrence Mahan
Frequent Advisor

Shell Script using set-owner-id

I am trying to create a script that will execute a command as another user. I created my script, chmod +s,-w and changed ownership to the new-owner. When the script runs it creates files with the new-owner, but when it executes the needed command I get an error that the command must be executed by new-owner. It will not run the commands as the new-owner. What am I missing???
Alan Riggs
Honored Contributor

Re: Shell Script using set-owner-id

What is the command you are trying to run inside the script?

The fact that files are created under the new owner demonstrates that the setuid is functioning. The fact that your other program does not accept the newid implies that it is using a form of authentication which bypasses a change of userid. If you su to the newuser does the program work? If not, it may be checking the logname rather than the active userid (who am i rather than whoami).
Lawrence Mahan
Frequent Advisor

Re: Shell Script using set-owner-id

This script does run properly when run by the new-owner. I am trying to run 'informix' tbtape commands, so I need the script to be owned by either 'root' or 'informix' for the commands to work. However, due to the security requirements of the customer I cannot have the login that starts the commands be 'informix' or an 'informix' synonym.
Tim Malnati
Honored Contributor

Re: Shell Script using set-owner-id

The users running the commands have to have execute permissions on this file also. Permissions should look like -rwsr-x---. The users involved need to have permissions in either /etc/passwd or /etc/group for the same group as the process. To prevent requiring the use of newgrp if this group is not their standard group, either link /etc/logingroup to /etc/group or explicitly permit them in /etc/logingroup also.
John Palmer
Honored Contributor

Re: Shell Script using set-owner-id

Larry,

Alan Riggs is correct in stating that the problem is in the way that the target program is checking which user it is running as.

The suid technique changes the 'effective uid' of the process but not the 'real uid'. If the program checks the 'real' rather than the 'effective' uid then it isn't going to work. An example of this is the command 'lvsplit' which insists on being run as 'real' root, you can't run it from a root suid script.

One way around this is to have a 'daemon' process running as the required uid which communicates with your process (via signal or named pipe) and issues the required command or script. The security issues of this need to be considered carefully though.

Hope this helps,
John
Jacques Simon
Advisor

Re: Shell Script using set-owner-id

One (simple) way of solving this problem is to use:
su - user1 -c "<script to be executed as user user1>"
in a script that is executed as user root.
This also has the advantage that the right environment is automatically set through execution of profiles.
But if the initial script (the one executed as user root) is started by cron, you must beware of "terminal commands" (like stty and tset) in those profiles!
Anthony deRito
Respected Contributor
Solution

Re: Shell Script using set-owner-id

Larry,

You cannot use SUID to root on a shell script. HP recommends doing the following:

1. Create a simple C program that contains the calls you need to make. Call it setuid_shell.c

2. Compile the program using:
cc setuid_shell.c -o setuid_shell

3. Change the permission and set the user id by typing:
chmod 4777 setuid_shell

4. Change the owner to root by typing:
chown root setuid_shell

Now, the user can run this program as if they were the root user.


Tony
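The two points above (John Palmer's note that a set-user-id file changes only the effective uid, so a program checking the real uid still refuses, and Tony's recommendation to put the calls in a root-owned C program instead of a script) can be combined in one wrapper. The program below is an added example, not HP's code or anything posted in this thread: a root-owned set-user-id wrapper that switches the real, effective and saved uid to the target account (a privileged setuid() sets all three, which a root setuid script cannot do), discards the caller's environment, and execs one fixed command with no caller-controlled arguments. TARGET_USER and TARGET_CMD are placeholders. Install it as Tim Malnati described, owned by root with mode 4750 and group-owned by the group of users allowed to run it, rather than the world-writable 4777 shown above.

```c
/* setuid_wrapper.c: added example, not HP's or the thread's code.
 * Root-owned set-user-id wrapper that switches the whole process (real uid
 * included) to a target account and execs one fixed command, so a program
 * that inspects the real uid with getuid() accepts it.
 * TARGET_USER and TARGET_CMD are placeholders for this example. */
#define _DEFAULT_SOURCE 1   /* exposes initgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define TARGET_USER "target_user"                    /* placeholder account */
#define TARGET_CMD  "/usr/local/bin/target_command"  /* placeholder, absolute path */
#define MAX_ENV 8

/* True when the set-user-id bit took effect: effective uid differs from real. */
int setuid_in_effect(uid_t real, uid_t effective) {
    return real != effective;
}

/* Model of the check the thread describes: the target program insists on the
 * real uid (not the effective one) matching a required account. */
int real_uid_check_passes(uid_t real, uid_t effective, uid_t required) {
    (void)effective;            /* such programs ignore the effective uid entirely */
    return real == required;
}

/* Build a minimal environment for the command: the caller's environment is
 * discarded so inherited PATH, IFS or LD_* values cannot influence it.
 * Fills env[] with three entries plus a NULL terminator; returns the count,
 * or -1 if the array cannot hold them. */
int build_minimal_env(const char *user, const char *home, char **env, size_t max) {
    static char path_buf[] = "PATH=/usr/bin:/bin";
    static char user_buf[64], home_buf[256];
    size_t n = 0;
    if (max < 4) return -1;
    snprintf(user_buf, sizeof user_buf, "USER=%s", user);
    snprintf(home_buf, sizeof home_buf, "HOME=%s", home);
    env[n++] = path_buf;
    env[n++] = user_buf;
    env[n++] = home_buf;
    env[n] = NULL;
    return (int)n;
}

/* Drop from root to the target account. Because the wrapper is privileged at
 * this point, setuid() replaces the real, effective and saved uid together
 * (POSIX semantics), which is exactly what a real-uid check needs. Group ids
 * are set first, while still root, so root's supplementary groups do not leak. */
int switch_to_user(const struct passwd *pw) {
    if (setgid(pw->pw_gid) != 0) return -1;
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    /* Verify the switch took; a silent failure here would run the command as root. */
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) return -1;
    return 0;
}

int main(void) {
    char *env[MAX_ENV];
    char *argv[] = { TARGET_CMD, NULL };   /* fixed argv: nothing from the caller */
    struct passwd *pw;

    if (geteuid() != 0) {
        fprintf(stderr, "not running set-user-id root; check 'chown root' and 'chmod 4750'\n");
        return 1;
    }
    pw = getpwnam(TARGET_USER);
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", TARGET_USER);
        return 1;
    }
    if (switch_to_user(pw) != 0) {
        perror("switch_to_user");
        return 1;
    }
    if (build_minimal_env(pw->pw_name, pw->pw_dir, env, MAX_ENV) < 0) return 1;
    execve(TARGET_CMD, argv, env);
    perror("execve");           /* only reached if the exec itself failed */
    return 1;
}
```

Compile it as Tony describes (cc setuid_wrapper.c -o setuid_wrapper), then chown root and chmod 4750 with the allowed users' group as the file's group. The fixed absolute command path and fixed argv are deliberate: a set-user-id root program that accepted a command name or arguments from its caller would hand root (or the target account) to anyone permitted to execute it.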

Alan Riggs
Honored Contributor

Re: Shell Script using set-owner-id

Have you tried implementing sudo? It is fully configurable and would allow you to define a set of users who can execute only this program with root/informix authority.