SUID and Shell scripts
Nik Simpson
nik at b11.ingr.com
Tue May 16 18:21:54 AEST 1989
From article 277 in alt.sources:
>>Bryan R. Davies, AT&T Bell Labs
>>IH 55314 4H-332 x3669 att!ihlpy!bdavies
>>
>>Finally, create a shell script (or binary) in your bin directory that
>>others must execute prior to accessing your files. You can add logging
>>information into a file somewhere, do menu driven stuff, or whatever.
>>The trick is to do a chmod 2755 on the script. This sets the 'setgid'
>>bit on the file so that the other users who execute this command have
>>your effective group ID, and can access files as per the group settings
>>that you have set up.
>>
This discussion originated in alt.sources, however comp.unix.questions
seems a more appropriate forum to continue it.

The suggested use of a shell script needs some clarification: using the
suid bit on a shell script has no effect on the effective id of the
person executing the shell.

Try writing the following script:

    echo "current id is `id`"

With the following protections it still shows the id of the
person running the script as being unchanged.

    -rwsrwsr-x 1 root stm 26 May 16 08:42 test.sh

For more information on this subject can I recommend:

    UNIX System Security
    Pat Wood & Stephen Kochan
    Hayden UNIX Books ISBN : 0-8104-6267-2

This devotes some very good coverage to the subject and includes source
for a C program to overcome SUID problems with shells.
|----------------------------------------------------------------------------|
| Nik Simpson                         |                                      |
| Senior Systems Engineer             | Disclaimer :                         |
| System Technology Marketing Group   | The author denies                    |
| Intergraph UK Ltd.                  | any responsibility for               |
| ph +44-793-619999x333 (voice)       | anything you disagree with           |
| ph +44-793-618508 (fax)             | , He was on holiday at the           |
| UUCP : uunet!ingr!nik               | time !!                              |
|----------------------------------------------------------------------------|
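
An added example, not part of the original post or of the book it recommends: a POSIX shell audit that lists files carrying the setuid or setgid bit and marks which are scripts, the case the post tests with test.sh. The function names are hypothetical, and treating every non-ELF file as a script is an assumption that fits Linux.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# kind_of FILE: "binary" if FILE starts with the ELF magic, else "script".
# Assumption: on the audited system every native executable is ELF.
kind_of() {
    case $(od -An -tx1 -N4 "$1" | tr -d ' \n') in
        7f454c46) echo binary ;;
        *)        echo script ;;
    esac
}

# sid_bits FILE: "setuid", "setgid", "setuid,setgid" or "none".
sid_bits() {
    bits=
    [ -u "$1" ] && bits=setuid
    [ -g "$1" ] && bits=${bits:+$bits,}setgid
    echo "${bits:-none}"
}

# audit_sid DIR: one "bits kind path" line per regular file under DIR that
# has the setuid (4000) or setgid (2000) bit set.
audit_sid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) |
    while IFS= read -r f; do
        echo "$(sid_bits "$f") $(kind_of "$f") $f"
    done
}

# report_ids: the post's `id` test, split into real and effective ids.
# Placed in a script, equal real and effective values mean the bits on
# that script changed nothing.
report_ids() {
    echo "real uid=$(id -ru) gid=$(id -rg) effective uid=$(id -u) gid=$(id -g)"
}

# Constructed demo: the post's one-line script with the setuid bit set.
demo_dir=$(mktemp -d)
printf '%s\n' 'echo "current id is `id`"' > "$demo_dir/test.sh"
chmod 4755 "$demo_dir/test.sh"
audit_sid "$demo_dir"
report_ids
rm -rf "$demo_dir"
```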