HPE Community
Operating System - Linux
1820355 Members
2744 Online
109623 Solutions
New Discussion юеВ

Howto properly setuid to a shell script?

 
Naru
New Member

тАО09-27-2010 02:32 PM

тАО09-27-2010 02:32 PM

Howto properly setuid to a shell script?

Hello all,

I just found this forum via google while searching for how to convert shell scripts to binary, but it looks more than that ;)

I've read a post here in forums , someone said theres a good way how to setuid scripts instead of converting it to binary.

I've just made a script on automating check/restart for a service called cccam, and I setuid to it, and it works well.I also attached it if you want to take a look at it.

But if there's a better way , please share :).
0 Kudos
Reply
5 REPLIES 5
Matti_Kurkela
Honored Contributor

тАО09-28-2010 12:21 AM

тАО09-28-2010 12:21 AM

Re: Howto properly setuid to a shell script?

Using setuid with shell scripts is generally not recommended. If the system is configured to allow setuid shell scripts, a regular user can usually fool the script into running anything the user wants.

There are many ways to do this; one of the simplest is to manipulate PATH or other environment variables, so that the script will run the user's malicious commands/scripts instead of the standard system commands.

Another common way would be to specify unexpected characters in script arguments or other input, but since your script takes no input from the user and uses no command line arguments, your script should be immune to that at least.

If you need to run a script as a different user, a better way is to use the "sudo" command: it will enforce a standard set of environment variables and strip away the rest, so it will be much harder to fool the script.

But I have to ask: what exactly are you trying to achieve with converting shell scripts to binary and/or with setuid scripts? What is the actual requirement you're trying to fulfill with these methods?

MK
MK
0 Kudos
Reply
Naru
New Member

тАО09-29-2010 06:35 AM

тАО09-29-2010 06:35 AM

Re: Howto properly setuid to a shell script?

I am trying to daemonize the script I attached on the 1st post, even if the machine is rebooted, it should be started at startup.

How I realized this is, I've added it to the rc.local , and while the machine was running I used : setuid script.sh .

My first try was with nohup script.sh & , but this didnt work very well for me , as the scripts generates some logs based on the service status, and nohup forces the logs to go to nohup.out.Even if I specify nohup script.sh somelogs.txt & , it still doesn't meet my requirements, because the script generates the logs on different files based on the service status.
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО10-02-2010 04:11 PM

тАО10-02-2010 04:11 PM

Re: Howto properly setuid to a shell script?

>nohup forces the logs to go to nohup.out

nohup will only redirect stdout and stderr if not already redirected. You also can have the script write directly to a log file.

>kill `pidof cccam` 2&>1 /dev/null

Is this valid bash? In a real shell you use:
kill `pidof cccam` > /dev/null 2>&1
0 Kudos
Reply
Naru
New Member

тАО10-03-2010 11:10 PM

тАО10-03-2010 11:10 PM

Re: Howto properly setuid to a shell script?

I just noticed that bit, must have been a mistake, but that was just to keep the output clean, I won't get the 'process killed' message after the process is killed or the process doesn't exist message.

I did redirect the logs by this:

echo "`date +%D-%T` Check: Failed ..restarting" >> $log

If I use nohup, all will go to nohup.out instead of the log file I specified.

$log is declared at the beginning of the script.
0 Kudos
Reply
Naru
New Member

тАО10-06-2010 10:26 AM

тАО10-06-2010 10:26 AM

Re: Howto properly setuid to a shell script?

I'm sorry, I must have confused most of you with my question, because I've made a small mistake instead of saying setsid , i've asked for setuid ( which is completely a different thing, I know ).

Now, I must ask you to replace everything that is setuid with setsid.Now that I cleared that up, I hope the moderators can edit my Subject of this thread too.

Thanks, and sorry for the confusion.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.