Operating System - HP-UX

what is difference between mode 4555 and 555

 
SOLVED
Hanry Zhou
Super Advisor

what is difference between mode 4555 and 555

I have a script, and if I set the permission to be "4555" and owned by "root", then the command "whoami" will get the result of "root", no matter who actually runs it.
This is not what I want, so I am thinking of changing the permission of the script to "555". Is there any difference between these two permissions? And should I make this change?

thanks.
11 REPLIES
A. Clay Stephenson
Acclaimed Contributor

Re: what is difference between mode 4555 and 555

Octal 4000 is the setuid bit. For true executables, it enables the process to become the user matching the owner of the file. Even though shell scripts are not truly executable, the shell adopts this convention as well (unlike Perl, for example) and enables setuid behavior. This is considered extremely dangerous in shell scripts and should be avoided unless there is a compelling need. Moreover, there is no guarantee that setuid behavior will continue to be supported or that it is supported if you move to a different platform.

Man 2 chmod for details.
If it ain't broke, I can fix that.
Michael Schulte zur Sur
Honored Contributor

Re: what is difference between mode 4555 and 555

Hi,

from the man pages of chmod:
4000 (= u=s) Set user ID on file execution (file only)
meaning 4555 runs the programme as owner, in your case root.

greetings,

Michael
Sundar_7
Honored Contributor
Solution

Re: what is difference between mode 4555 and 555

I think you probably already know the answer :-)

Mode 4555 means set uid - which means the process will take the privileges of the owner of the executable irrespective of who creates the process. There is something called Effective UID and real UID. In this case real UID is the user who executes the script and effective UID is the owner of the script, which is root in this case.

/usr/bin/passwd is the classical example of SUID binary in the system which allows normal users to change the password in /etc/passwd (or /tcb/files/auth/x/XXX) which is usually r--r--r--

You have other modes too: 2xxx and 1xxx

2xxx = set GID

1xxx = sticky bit.

- Sundar.
Learn What to do ,How to do and more importantly When to do ?
Hanry Zhou
Super Advisor

Re: what is difference between mode 4555 and 555

Sundar,

How do I get the real user id in the script, the id who executes the script?
Michael Schulte zur Sur
Honored Contributor

Re: what is difference between mode 4555 and 555

Hanry,

whoami is fine.

greetings,

Michael
Geoff Wild
Honored Contributor

Re: what is difference between mode 4555 and 555

try:

who am i

instead of whoami

MYUSER=`/usr/bin/who am i|awk '{ print $1}'`
echo "hello $MYUSER"


Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Hanry Zhou
Super Advisor

Re: what is difference between mode 4555 and 555

Geoff,

U did not get what I am asking

if I have set the permission to be 4555 on my script xyz, then the result of whoami will be "root", no matter who is actually running it.

So, my question is how to get the uid in the script xyz, and the id is the one who is running the script, not the "root".
Patrick Wallek
Honored Contributor

Re: what is difference between mode 4555 and 555

Have another look at Geoff's response.

Note the spaces in the command 'who am i'. There is a difference between 'whoami' and 'who am i'.

I just ran a quick test on a script with 4555 permissions and root as the owner.

Here is the script:

# ll test
-r-sr-xr-x 1 root sys 108 Mar 23 14:45 test*

# cat test
#!/usr/bin/sh
WHOAMI=$(whoami)
echo "whoami = ${WHOAMI}"
WHO_AM_I=$(who am i)
echo "who am i = ${WHO_AM_I}"

Here is the output when run as user wallekp:

$ ./test
whoami = root
who am i = wallekp pts/39 Mar 23 14:43
A. Clay Stephenson
Acclaimed Contributor

Re: what is difference between mode 4555 and 555

That is exactly right, whoami displays the EFFECTIVE USER whereas who am i (which is a completely different command) displays real user (actually its best guess).



If it ain't broke, I can fix that.
Sundar_7
Honored Contributor

Re: what is difference between mode 4555 and 555

Hi,

You can use an alternate method as well

Within the script

UNIX95= ps -p $$ -o uid,ruid | grep -v UID | read EF REAL

EF holds the effective user ID

RUID - Real user ID

Thanks,

Sundar
Learn What to do ,How to do and more importantly When to do ?
Mike Stroyan
Honored Contributor

Re: what is difference between mode 4555 and 555

You can get the effective uid with 'id -u' and the real uid with 'id -u -r'.

Setuid scripts are very dangerous. Most shells can be coerced to run whatever you want by setting environment variables that affect their behavior. A setuid script is an invitation to hack it.
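
Added example, not part of any post in this thread: since several replies warn against setuid shell scripts, the sketch below audits a directory tree for files that carry the setuid bit (octal 4000) and begin with "#!", i.e. interpreter scripts rather than compiled binaries. The function names is_script and find_setuid_scripts are hypothetical; it assumes a POSIX sh with find, dd, od, ls and awk available.

```shell
#!/bin/sh
# Audit helper (illustrative): list setuid files under a directory that are
# interpreter scripts rather than compiled executables.

# is_script FILE
# Exit status 0 if the first two bytes of FILE are "#!" (hex 23 21).
# The bytes are compared in hex so binary content is never placed in a
# shell variable.
is_script() {
    magic=$(dd if="$1" bs=2 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "2321" ]
}

# find_setuid_scripts DIR
# Prints one line per finding: "<owner> <mode string> <path>".
# -perm -4000 matches any regular file with the setuid bit set, whatever
# the remaining permission bits are (4555, 4755, 4711, ...).
find_setuid_scripts() {
    find "$1" -type f -perm -4000 -print 2>/dev/null |
    while IFS= read -r f; do
        if is_script "$f"; then
            # ls -ld columns: mode, link count, owner, group, ...
            meta=$(ls -ld "$f" | awk '{ print $3, $1 }')
            printf '%s %s\n' "$meta" "$f"
        fi
    done
}

# Run directly as: sh audit.sh /some/directory
if [ "$#" -gt 0 ]; then
    find_setuid_scripts "$1"
fi
```

Each finding is a candidate for "chmod u-s" (4555 becomes 555), which is the change the original question asks about. Files with only the setgid bit (2000) are not reported by this sketch.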