Re: [Sheflug] running as root
>
> Just kidding... 'chmod +s [file]' sets the 's' bit (bet you never knew
> about that?), which means 'Run me as root'. Or, 'Let me do what the heck I
> please' ;))
>
Unless Linux's system has changed recently, set-uid scripts *won't* work -
they're considered a huuuuuuuuuuuuuuuuuuge security hole. Which they are,
when you know how to get round them. Race type conditions are ripe :) Try it
yourself - a script with two lines:

    #!/bin/sh
    id

chown root.root then chmod 4755, and run it.
id will return your user ID, not root's, which it would do if it was running
as root.
The best thing to do is to use sudo to run the script, or, if you *know* the
script is secure, create a C wrapper for it along the lines of:
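
    #include <stdlib.h>   /* system() */

    int main(void)
    {
        /* run the script; any non-zero status is reported as failure */
        int status = system("/usr/bin/myshellscript");
        return status == 0 ? 0 : 1;
    }
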
(remember header files, checking return codes and the like), build the
program and chmod that 4111 (or 4110 if you want to restrict who can run it
and you've set the groups up okay).
> > i.e. a user script calling a script with root privileges (bit like users
> > running 'ip-up' when using dial-up connections)
>
> For this kind of thing, I guess it's okay, but remember running as root in
> general is not /fabulous/, and you instantly lose any Linux Guru points
> that you might have accumulated ;)
>
It depends what you want to do in the script really :) Processing log files
can be done with a simple permissions change; scripts to add users should
really be written in C or Perl (with sperl) and have silly amounts of sanity
checks. If it's admin stuff, look at setting up sudo. If it's on a multi-user
box and you trust your users (i.e., you'd give them the root password happily),
then it's a non-issue. If you don't trust your users, then careful how you go
:)
Chris...
--
@}-,'-------------------------------------------------- Chris Johnson --'-{ [at]
/ "(it is) crucial that we learn the difference / sixie [at] nccnet.co.uk \
/ between Sex and Gender. Therein lies the key / \
/ to our freedom" -- LB / www.nccnet.co.uk/~sixie \
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk