
Re: suid problem

 
sysadm_1
Valued Contributor

suid problem

Please check attachment first.

I created file /usr/bin/ra with owner root and group system. SUID is set for this file and everybody has execute permission for it. This file contains a script to add a line to the /etc/passwd file.

Now I am logging in as a simple user (not root) and executing file /usr/bin/ra. As per my knowledge about suid, it should work as if it were executed by the root user and it should add a line to the /etc/passwd file. But here I am getting the message "/etc/passwd: Cannot create the specified file."
Please check the attachment also.

I think the question is clear for you. Why am I getting the error?

17 REPLIES
Marco Santerre
Honored Contributor

Re: suid problem

I wonder if because of the special characters on that line, you're not getting this problem. Maybe you should put the line you echo within quotes.
Cooperation is doing with a smile what you have to do anyhow.
Hoefnix
Honored Contributor

Re: suid problem

It's a strange way to edit the passwd file, but if you like to do it.

I think it has to do with the fact that you call the binary "echo" in your script. This one has no SUID set (and you don't want to have it set!)
Or, like Marco said, put it between "".

Regards,
Peter
sysadm_1
Valued Contributor

Re: suid problem


I tried echo with quotes and without.
The same works when I am logged in as root.
Karthik S S
Honored Contributor

Re: suid problem

It is obvious because the echo command doesn't have SUID set.

-Karthik S S
For a list of all the ways technology has failed to improve the quality of life, please press three. - Alice Kahn
sysadm_1
Valued Contributor

Re: suid problem

Peter,

This is not for editing the passwd file. This is a sort of "hacking". I created /usr/bin/ra when I had the root password. Now I don't have root access on this machine. I have only simple user access.
sysadm_1
Valued Contributor

Re: suid problem

Karthik,

I set suid for the echo command also. See the permissions:

-r-sr-xr-x 1 bin bin 15084 Aug 8 2002 /usr/bin/echo

sysadm
Mark Grant
Honored Contributor

Re: suid problem

Maybe it's because the filesystem isn't mounted with the "suid" option.

By the way, setuid scripts are really bad. I mean, really bad. Not just bad. But really bad....... not good.
Never precede any demonstration with anything more predictive than "watch this"
sysadm_1
Valued Contributor

Re: suid problem

$ ls -l /usr/bin/echo
-r-sr-xr-x 1 root bin 15084 Aug 8 2002 echo

$ ./ra
./ra: /etc/passwd: Cannot create the specified file.
$

Still the same problem.
sysadm_1
Valued Contributor

Re: suid problem

Mark,
The filesystem is mounted with suid on, because other commands in /usr/bin with the suid bit on (e.g. the passwd command) are already working perfectly.

sysadm
Mark Grant
Honored Contributor

Re: suid problem

It's worth pointing out that the "echo" you are using is probably not /usr/bin/echo but the one that is internal to the shell.

Can I suggest you look at using "sudo" instead, which you can get here.

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.7p5/
Never precede any demonstration with anything more predictive than "watch this"
Ermin Borovac
Honored Contributor

Re: suid problem

Your setuid shell script doesn't work because you are missing the magic header on the first line (#!/usr/bin/sh).

You can read more about it at the following URL. Especially read about the security risks involved.

http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html
Sundar_7
Honored Contributor

Re: suid problem

Hi,

SUID works best for binary files. To ensure a script is running under the owner of the file, the first line of the script should read

#!/usr/bin/sh

-- Sundar
Learn What to do, How to do and more importantly When to do?
Sridhar Bhaskarla
Honored Contributor

Re: suid problem

Hi,

As far as I know, others shouldn't have access to the SUID *script*. Try removing read access to the ra file. Create a group and add a couple of users to it and let them try. Change the group of this script to this new group.

$ ls -l /usr/bin/ra
-r-sr-x--- 1 root some_grp 50 Feb 11 14:27 /usr/bin/ra

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Jeroen Peereboom
Honored Contributor
Solution

Re: suid problem

L.S.

* if your script is SUID, it will run as root, so the echo will also be running under root. It's needless to change the protections of the 'echo' file. For some shells 'echo' is a shell built-in, so changing protection of a file of that name is irrelevant too.
* You really should specify #!/usr/bin/sh or ksh or whatever as first line.
* You really should put the string to be echoed in ''' s.

Are you really 'hacking' your way into the machine without letting the real sysadmins know?

JP.
Gary L. Paveza, Jr.
Trusted Contributor

Re: suid problem

My understanding is that scripts cannot be SETUID, only programs can. I had this type of problem when I needed our tech support to be able to reset UID and GID permissions on files. I had to write a simple C program as a wrapper to chmod and chown. Those programs were then SETUID and a script was written to call them.
sysadm_1
Valued Contributor

Re: suid problem

Hi guys,
Thanks a lot for the responses.

There were two reasons why it was not working.
1. There was no "!/usr/bin/sh" at the start of the script.
2. Kernel parameter "secure_sid_scripts" needs to be changed to 0 from 1 (default).
I am using HP-UX 11i B.11.22

Cheers!!!!
sysadm

Karthik S S
Honored Contributor

Re: suid problem

By the way, setuid is not set for others for the echo command ...

-Karthik S S
For a list of all the ways technology has failed to improve the quality of life, please press three. - Alice Kahn
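
An audit check for the situation this thread describes, a setuid file that is really an interpreter script, added here as an example and not taken from any poster: it lists every setuid or setgid regular file under a directory whose first two bytes are `#!`. The function names and the sample tree are assumptions constructed for the example; run it as root on a real system so unreadable files are not skipped.

```shell
#!/bin/sh
# find_setid_scripts DIR
# Print the path of each regular file under DIR that carries the setuid or
# setgid bit AND begins with "#!" (i.e. is handed to an interpreter).
# Files the caller cannot read are skipped.
find_setid_scripts() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # Read only the first two bytes; dd avoids non-portable head options.
        magic=$(dd if="$f" bs=2 count=1 2>/dev/null) || continue
        if [ "$magic" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# make_sample_tree
# Build a constructed sample directory (not real system files) and print its
# path. It holds:
#   suid_script     setuid, starts with "#!"      -> should be reported
#   plain_script    starts with "#!", no setuid   -> ignored
#   suid_no_header  setuid, no interpreter line   -> ignored (the original
#                   poster's first case: the kernel does not treat it as a
#                   script, so the setuid bit has no effect on it)
make_sample_tree() {
    d=$(mktemp -d) || return 1
    printf '#!/usr/bin/sh\necho hi\n' > "$d/suid_script"
    printf '#!/usr/bin/sh\necho hi\n' > "$d/plain_script"
    printf 'echo no interpreter line\n' > "$d/suid_no_header"
    chmod 4555 "$d/suid_script" "$d/suid_no_header"
    chmod 0555 "$d/plain_script"
    printf '%s\n' "$d"
}

# Typical use on a live system (as root):
#   find_setid_scripts /usr/bin
```

Any path it reports is worth reviewing against the advice in the replies above: replace the script with sudo or a small compiled wrapper, and keep `secure_sid_scripts` at its default.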