*BSD News Article 92912



Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.mel.connect.com.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!newsfeed.nacamar.de!fu-berlin.de!irz401!orion.sax.de!uriah.heep!news
From: j@uriah.heep.sax.de (J Wunsch)
Newsgroups: comp.unix.bsd.freebsd.misc,comp.unix.misc
Subject: Re: script run as nobody with root permissions?
Date: 5 Apr 1997 15:12:11 GMT
Organization: Private BSD site, Dresden
Lines: 45
Message-ID: <5i5q4b$8jd@uriah.heep.sax.de>
References: <3343ED80.71D3C60B@giotto.dnet.it>
Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
NNTP-Posting-Host: localhost.heep.sax.de
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Newsreader: knews 0.9.6
X-Phone: +49-351-2012 669
X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F  93 21 E0 7D F9 12 D6 4E
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:38545 comp.unix.misc:28639

Markus Senoner <markus@giotto.dnet.it> wrote:

> I want to write a script (say: foobar) like:

No, you don't want to do this.  Really. :)

> when I try to set following permissions:
> 
>   -rwsr-sr-x  1 root    wheel   foobar

Nor do you want to do this, either.  There are only _very rare_
occasions where you want a program to be setuid and setgid.

Trial & error is not the best method when it comes to security.

> What am I doing wrong?

You try to make an `interpreted executable' set[ug]id, which the
kernel doesn't allow.

If you need set[ug]id scripts that are quite more secure (and probably
even more than poorly written set[ug]id C programs), use Perl:

#!/usr/bin/suidperl

$ENV{'PATH'} = "/bin:/usr/bin";

exec "id";


...to give you a starting point.  If you, for example, omit the PATH
setting above, you'll see why I refer to them as more secure: Perl
does some rudimentary checking against the biggest mistakes.  Try

system "ls *";

in a setuid Perl script as well... Perl prevents you from calling
/bin/sh (for good reasons).

-- 
cheers, J"org

joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)
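
An audit check for the situation discussed in the article above, added here as an example and not part of the original post: it walks a directory tree and reports regular files that carry a setuid or setgid bit and begin with `#!`, i.e. interpreted executables like the -rwsr-sr-x foobar. The function names and the sample tree built in demo() are constructed for illustration.

```python
import os
import stat
import tempfile

def setid_bits(mode):
    """Return 'setuid', 'setgid', 'setuid+setgid' or '' for a st_mode value."""
    flags = ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"))
    return "+".join(name for flag, name in flags if mode & flag)

def interpreter_of(head):
    """Return the interpreter named on a '#!' line, or None if not a script."""
    if not head.startswith(b"#!"):
        return None
    fields = head[2:].split(b"\n", 1)[0].split()
    return fields[0].decode("latin-1") if fields else ""

def find_setid_scripts(root):
    """Return sorted (path, bits, interpreter) for set[ug]id '#!' files under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
                bits = setid_bits(st.st_mode)
                if not stat.S_ISREG(st.st_mode) or not bits:
                    continue
                with open(path, "rb") as fh:
                    interp = interpreter_of(fh.read(256))
            except OSError:
                continue  # unreadable or vanished during the walk
            if interp is not None:
                hits.append((path, bits, interp))
    return sorted(hits)

def demo():
    """Build a constructed sample tree, scan it, return (name, bits, interpreter)."""
    samples = {"foobar": (b"#!/bin/sh\nid\n", 0o4755),     # setuid script
               "plain.sh": (b"#!/bin/sh\nid\n", 0o755),     # script, no setid bit
               "binary": (b"\x7fELF\x02\x01\x01", 0o4755)}  # setuid, not a script
    with tempfile.TemporaryDirectory() as root:
        for name, (body, mode) in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, mode)
        found = find_setid_scripts(root)
        return [(os.path.basename(p), b, i) for p, b, i in found]

if __name__ == "__main__":
    print(demo())
```

Pointing find_setid_scripts() at a real tree such as /usr/local lists every script someone has tried to make set[ug]id, each of which deserves the review the article recommends.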