Operating System - HP-UX
Re: sticky bit doesn't work

 
SOLVED
Ridzuan Zakaria
Frequent Advisor

sticky bit doesn't work

Hi,

I have written a script myscript.sh that should only be run by the oracle id.

However I want to let other users run the script by su to oracle id.

The only way to su to the oracle id without having to enter a password is through the root id.

So what I did was write another script suroot.sh that calls myscript.sh

#!/usr/bin/sh
su oracle -c "myscript.sh"

To allow other users to run the script as root, I did the following.

chown root:dba suroot.sh
chmod 4510 suroot.sh

If I run the script with a non-root id, it still prompts me for a password. I thought that by setting the sticky bit and chowning to root, the script would be runnable by any user in the dba group as if they were root.

Any help is greatly appreciated.

thanks
quest for perfections
8 REPLIES
Joseph C. Denman
Honored Contributor

Re: sticky bit doesn't work

The sticky bit has no effect on scripts. You will need to write a C program or something to make this work.

...jcd...
If I had only read the instructions first??
James R. Ferguson
Acclaimed Contributor

Re: sticky bit doesn't work

Hi:

First, I assume that you are referring to the 'setuid' bit, not the 'sticky' bit. See 'man chmod' for more details.

Second, the 'setuid' bit *does* work for scripts as long as the header interpreter (first line) reads:

#!/usr/bin/sh

Thirdly, the "problem" is that 'su' expects to be able to read the password for the account, for non-root users, from stdin.

Lastly, Joseph is correct. You would need to create a simple C-program wrapper with the setuid bit set and the code owned by "oracle" to accomplish your objective.

The usual disclaimers for setuid scripts and code apply!!!

Regards!

...JRF...
A. Clay Stephenson
Acclaimed Contributor

Re: sticky bit doesn't work

Hi,

I just happen to have such a killer setuid/setgid C program that is K&R and thus will compile on even the bundled C compiler.
Compile it like this:
cc cemexec.c -o cemexec
chown root cemexec
chmod 6755 cemexec or, better,
chmod 6750 cemexec
It will run ANY script/program as whatever user/group you like.

e.g. cemexec -g dba oracle myscript.sh will be executed as user oracle group dba. The -g group is optional. Execute cemexec w/o args for usage. I warn you this is dangerous code and is a security risk but it will do what you want to do.

Regards, Clay
If it ain't broke, I can fix that.
Sridhar Bhaskarla
Honored Contributor
Solution

Re: sticky bit doesn't work

Setuid bit on scripts does work with these two conditions

-Command Interpreter (#!/usr/bin/(k)sh) and
-x only permission for group/others.

However, your script may not work, as su works with the real uid, which is still your_id.
Place the command "id" before su'ing to oracle. It will not give out root.

However, it works with a "c" program. Try this

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    /* the setuid bit only raises the effective uid; setuid(0) makes root the real uid as well, which is what su checks */
    if (setuid(0) != 0) { perror("setuid"); return 1; }
    system("/usr/bin/su oracle -c myscript");
    return 0;
}

Compile it and make it setuid root.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Ridzuan Zakaria
Frequent Advisor

Re: sticky bit doesn't work

Guys,

I really appreciate your help. I managed to make it work with all your input.

Sri,

Thanks for the sample c code.

Thanks

quest for perfections
Sridhar Bhaskarla
Honored Contributor

Re: sticky bit doesn't work

Ridzuan,

The above program is very dangerous, and improper permissions can let any tom and cat run this script successfully, which may impair production.

So, we need to consider the utmost possible security. I would suggest you create a separate group and keep very few people (preferably one) in it. Now give the permissions

chmod 4510 on this executable. This way other users cannot use this executable; only the users in this group can execute it.

Just thought of sharing with you.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
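A hardened version of the wrapper Sri sketched above, combined with the group restriction he recommends in his follow-up, as an added example that is not code from this thread. It assumes a group named dba, a target account oracle and a hypothetical absolute script path /usr/local/bin/myscript.sh. It goes beyond the thread in one respect: instead of spawning su through system(), it drops straight to the oracle account with initgroups/setgid/setuid and execs the script with a fixed environment, so no shell and none of the caller's environment variables are involved. It also prints the real and effective uid, which is the "id" check Sri mentions and shows why the plain shell script still prompted: a setuid file raises only the effective uid, and su decides on the real uid.

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose initgroups(); harmless elsewhere */
#include <stdio.h>
#include <unistd.h>
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>

/* Constructed assumptions for this example (not from the thread): */
#define TARGET_USER   "oracle"                      /* account the script must run as */
#define ALLOWED_GROUP "dba"                         /* only members may invoke the wrapper */
#define TARGET_SCRIPT "/usr/local/bin/myscript.sh"  /* hypothetical absolute path */
#define SAFE_PATH     "/usr/bin:/bin"
#define MAX_GROUPS    64

/* Is gid 'want' the caller's real primary gid or one of its supplementary gids?
   Pure function so the policy decision can be tested without privileges. */
int caller_in_group(gid_t want, gid_t primary, const gid_t *supp, int nsupp) {
    int i;
    if (primary == want) return 1;
    for (i = 0; i < nsupp; i++)
        if (supp[i] == want) return 1;
    return 0;
}

/* Classify the credentials the way 'id' would report them.
   0: ordinary process (euid non-root): setuid not in effect, su would prompt
   1: setuid-root in effect (euid 0, ruid non-root): setuid(0) may be called
   2: root for real (ruid 0 and euid 0) */
int credential_state(uid_t ruid, uid_t euid) {
    if (euid != 0) return 0;
    return ruid == 0 ? 2 : 1;
}

/* Switch every credential to the target account.  Order matters: groups and gid
   first, uid last; after setuid() to a non-root uid the group calls would fail
   and the caller's supplementary groups would leak into the script. */
int become_user(const struct passwd *pw) {
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    return 0;
}

int main(void) {
    struct group *gr = getgrnam(ALLOWED_GROUP);
    struct passwd *pw = getpwnam(TARGET_USER);
    gid_t supp[MAX_GROUPS];
    int nsupp;
    char homebuf[512];
    char *envp[3];
    char *const argv[] = { TARGET_SCRIPT, NULL };

    /* The 'id' check Sri suggests: a setuid binary raises only the effective uid. */
    fprintf(stderr, "real uid=%ld effective uid=%ld\n", (long)getuid(), (long)geteuid());

    if (gr == NULL || pw == NULL) {
        fprintf(stderr, "unknown group %s or user %s\n", ALLOWED_GROUP, TARGET_USER);
        return 1;
    }
    nsupp = getgroups(MAX_GROUPS, supp);
    if (nsupp < 0) { perror("getgroups"); return 1; }
    if (!caller_in_group(gr->gr_gid, getgid(), supp, nsupp)) {
        fprintf(stderr, "caller is not in group %s\n", ALLOWED_GROUP);
        return 1;
    }
    if (credential_state(getuid(), geteuid()) == 0) {
        fprintf(stderr, "wrapper is not setuid root; nothing to do\n");
        return 1;
    }
    /* Same call as Sri's program: with euid 0 this makes the real uid 0 too,
       the value su would consult.  We then drop straight to the target account
       instead of spawning su through a shell. */
    if (setuid(0) != 0) { perror("setuid(0)"); return 1; }
    if (become_user(pw) != 0) { perror("become_user"); return 1; }

    /* Fixed environment: the caller's PATH, IFS, LD_* etc. never reach the script. */
    snprintf(homebuf, sizeof homebuf, "HOME=%s", pw->pw_dir);
    envp[0] = "PATH=" SAFE_PATH;
    envp[1] = homebuf;
    envp[2] = NULL;
    execve(TARGET_SCRIPT, argv, envp);
    perror("execve");    /* only reached on failure */
    return 1;
}
```

Install it as Sri describes (owner root, mode 4510, group set to the restricted group) and keep the target script itself writable only by its owner; the wrapper execs the script by absolute path, so the caller's PATH cannot redirect it.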
linuxfan
Honored Contributor

Re: sticky bit doesn't work

Hi Ridzuan,

I know others have given excellent replies, but I was just wondering why you did not consider "sudo". You can give "specific users" the ability to run this script, it gets logged anyway, and you avoid setuid or setgid scripts.

sudo allows regular users to run scripts as root or as any other user, provided you have allowed them to.

In any case you can get sudo binaries from

http://hpux.ee.ualberta.ca/hppd/hpux/Sysadmin/sudo-1.6.2b1/

Just my thoughts

-Regards
Ramesh
They think they know but don't. At least I know I don't know - Socrates
Joseph C. Denman
Honored Contributor

Re: sticky bit doesn't work

King James, as always, is correct again!!!

Learn something new every day.


...jcd...
If I had only read the instructions first??