Sujao l33t
Joined: 25 Sep 2004 Posts: 677 Location: Germany
Posted: Tue May 03, 2005 6:16 am Post subject: problem with suid-bit
Hi all,
I made a script that uses a program that is only accessible by root. In order to make it more secure I wrote a bash script that launches this program with static parameters. I gave this script the SUID bit so that it can launch the program, but it doesn't work. I don't understand why, because imho everything is set right, although I must admit that this is my first attempt to use the SUID bit. So it's probably something plain I missed while reading the SUID explanation.
I created a group called "scripts" that is allowed to run scripts.
I set the permissions on the script with:
Code:
    bash-2.05b# chmod 4750 /usr/bin/ht.sh
The attributes of the script became:
Code:
    bash-2.05b# ls -lh /usr/bin/ht.sh
    -rwsr-x--- 1 root scripts 92 3. Mai 08:09 /usr/bin/ht.sh
The output when trying to run it as a normal user who is in the group scripts:
Code:
    bash-2.05b$ /usr/bin/ht.sh
    ERROR: You must be root to run the command,
    ERROR: or the root must set the suid bit for the executable.
    ERROR: You must be root to run the command,
    ERROR: or the root must set the suid bit for the executable.
    ERROR: You must be root to run the command,
    ERROR: or the root must set the suid bit for the executable.
The script itself:
Code:
    #!/bin/bash
    # Query each drive with fixed arguments; hddtemp needs raw device
    # access, which is why the script was given the SUID bit.
    /usr/sbin/hddtemp /dev/hda
    /usr/sbin/hddtemp /dev/hdb
    /usr/sbin/hddtemp /dev/hdd
EDIT: after rethinking... are the errors telling me that I need to set the suid bit for hddtemp? Shouldn't the bash script run as root and hence be able to run hddtemp?
zigver Tux's lil' helper
Joined: 09 May 2003 Posts: 87
Posted: Tue May 03, 2005 6:51 am Post subject:
I don't think scripts will run SUID. I believe it must be a compiled binary executable.
Last edited by zigver on Tue May 03, 2005 4:03 pm; edited 1 time in total
andrew_j_w Guru
Joined: 28 Jun 2003 Posts: 534 Location: York, UK
Posted: Tue May 03, 2005 9:31 am Post subject:
A Google search reveals this mailing list message, which says that on Linux shell scripts do not obey the setuid bit for security reasons.
HTH,
Andrew
Sujao l33t
Joined: 25 Sep 2004 Posts: 677 Location: Germany
Posted: Tue May 03, 2005 11:43 pm Post subject:
Hmm... wtf? Shouldn't Linux leave this choice to the user? I don't see any security risks if everything is configured properly...
Does anyone have an idea for a workaround?
I just need to launch this hddtemp program, but I wouldn't like to give it suid... I think this is more of a security risk than giving the suid to the script, as the script is static and you can't change the parameters for the programs you launch... Well, OK, I could give SUID to hddtemp, but I wanted to suid some other progs too which I definitely don't want to suid. Is there probably a way to open up a root bash and launch the script there? Hmm, although THIS might get a real security problem.
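The point made by andrew_j_w above, that the Linux kernel ignores the setuid/setgid bits on "#!" scripts, means a file like the one in the first post (mode 4750, owner root, shebang script) runs with the caller's own privileges no matter what `ls -l` shows; the kernel opens the script for the interpreter, which then re-opens it by path name, and honouring setuid across that gap is a classic race, so the bits are simply not applied. The following POSIX shell audit helper is an added example, not code from the thread or from hddtemp: it walks a list of files and flags any that carry setuid/setgid but begin with `#!`, which on Linux is a misconfiguration (the bit grants nothing and only misleads whoever reads the permissions). The `demo` function builds a constructed temporary copy of the situation in the first post; all file names in it are made up.

```shell
#!/bin/sh
# Added example (not from the thread): audit files for setuid/setgid bits
# that sit on interpreter scripts, which the Linux kernel does not honour.

# is_script FILE: succeeds if FILE begins with the "#!" interpreter magic.
is_script() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = '#!' ]
}

# classify FILE: prints one of
#   setuid-script  setuid/setgid bit set on a "#!" script (ineffective on Linux)
#   setuid-binary  setuid/setgid bit set on something that is not a script
#   none           no setuid/setgid bit
classify() {
    if [ -u "$1" ] || [ -g "$1" ]; then
        if is_script "$1"; then echo setuid-script; else echo setuid-binary; fi
    else
        echo none
    fi
}

# audit_setuid FILE...: print one report line per file; return 1 if at least
# one setuid/setgid script was found, 0 otherwise.
audit_setuid() {
    rc=0
    for f in "$@"; do
        kind=$(classify "$f")
        case $kind in
            setuid-script)
                printf '%s: setuid/setgid bit on a script; ignored by Linux, runs as the caller\n' "$f"
                rc=1 ;;
            setuid-binary)
                printf '%s: setuid/setgid binary\n' "$f" ;;
            *)
                printf '%s: no setuid/setgid bit\n' "$f" ;;
        esac
    done
    return $rc
}

# demo: constructed reproduction of the first post (a chmod 4750 shell
# script) next to a plain file, in a throw-away directory. Returns 1,
# because the script is flagged.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/bash\n/usr/sbin/hddtemp /dev/hda\n' > "$d/ht.sh"
    chmod 4750 "$d/ht.sh"            # same mode bits as in the original post
    printf 'data\n' > "$d/plain"
    chmod 0640 "$d/plain"
    audit_setuid "$d/ht.sh" "$d/plain"
    status=$?
    rm -rf "$d"
    return $status
}

# Run the constructed demonstration when the file is executed directly.
demo || true
```

Run with `sh audit.sh` (assumed file name) or source it and call `audit_setuid` on the paths you care about, for example the output of `find / -xdev -perm /6000 -type f` on a GNU system. The audit only tells you where a setuid bit is doing nothing; the usual replacement for a setuid script is a sudoers entry that permits the group exactly the fixed `hddtemp` command line (and nothing else), or a small compiled wrapper, since those are the two forms of privilege delegation the kernel and sudo actually enforce.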