View previous topic :: View next topic |
Author |
Message |
Dragonlord Guru
Joined: 22 Aug 2004 Posts: 446 Location: Switzerland
|
Posted: Mon Jun 02, 2008 3:54 pm Post subject: How to make a root script properly chmod+s ? |
|
|
This is a problem bugging me since quite some time. For example I have a laptop on which I want to allow users to start the WiFi connection. This is done using a script doing various things from mugging with ifconfig, iwconfig, ipsec and eventually mounting common shares. All these operations require SU to work. I tried chown root:root on the script, chmod 755 and chmod +s but still the scripts behave as run by the user. I just want a script to be as SU that's all ( and I do not want to use sudo due to security concerns ). _________________ DragonDreams: Leader and Head Programmer |
|
Back to top |
|
|
frostschutz Advocate
Joined: 22 Feb 2005 Posts: 2977 Location: Germany
|
Posted: Mon Jun 02, 2008 4:05 pm Post subject: |
|
|
You have security concerns about sudo but want to hand out suid bits for shell scripts...? |
|
Back to top |
|
|
Dragonlord Guru
Joined: 22 Aug 2004 Posts: 446 Location: Switzerland
|
Posted: Mon Jun 02, 2008 6:49 pm Post subject: |
|
|
The reason is simply that with sudo I have to grant users access to various system tools. With the suid script I only need to give access to the script ( something nobody except the root can change anyways ). So I consider this more save since it has only one point of failure whereas with sudo I have multiple points of failures. Don't know how this is with you but I consider the suid script less dangerous in that case. _________________ DragonDreams: Leader and Head Programmer |
|
Back to top |
|
|
yabbadabbadont Advocate
Joined: 14 Mar 2003 Posts: 4791 Location: 2 exits past crazy
|
Posted: Mon Jun 02, 2008 9:52 pm Post subject: |
|
|
suid only applies to binaries. It will not work with scripts. (at least it never has on any version of Unix/Linux I have used in the last 15 years... ) |
|
Back to top |
|
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9691 Location: almost Mile High in the USA
|
Posted: Mon Jun 02, 2008 10:32 pm Post subject: |
|
|
A long time ago SUID scripts worked. But this is a hole because it's fairly trivial to get a script to do something improper (environment variables, bad argument checking). Thus all Un*x and Linux have suid scripts disabled.
If you _must_ use a SUID script, you'll need to write a C wrapper program that calls the script, sanitizing all arguments and environment before calling the script. Something like this would work but may be unsafe:
Code: | #include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#define REAL_PATH "/full/absolute/path/to/your/script"
main(int ac, char **av) {
struct stat data;
if (stat (REAL_PATH, &data)) {
perror("stat");
} else {
execv(REAL_PATH, av);
};
}
|
_________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
Back to top |
|
|
frostschutz Advocate
Joined: 22 Feb 2005 Posts: 2977 Location: Germany
|
Posted: Mon Jun 02, 2008 10:33 pm Post subject: |
|
|
You can use sudo and allow only your script to be executed with it. You still have to be very careful about how you write the script. Since usually in a script you execute anything that is in your path, it is possible for users to gain root access by tricking the script to execute something it's not actually meant to. |
|
Back to top |
|
|
tgR10 Apprentice
Joined: 23 Oct 2007 Posts: 262 Location: caly ten ambaras
|
|
Back to top |
|
|
Dragonlord Guru
Joined: 22 Aug 2004 Posts: 446 Location: Switzerland
|
Posted: Tue Jun 03, 2008 2:20 am Post subject: |
|
|
The question is if sudo is prone to chroot attacks. In my script all path are absolute path so nothing can go wrong... that is unless somebody puts up a well chroot. But this leaves open the question if sudo is prone to a similar attack. If not it might be the better idea to do the sudo trick although much more complicate ( as mentioned, i need various sys-tools like ifconfig and /etc/init.d/* scripts ). That write-wrapper-app trick though sounds interesting too. I could even write the entire script in C instead and just call the tools from there. _________________ DragonDreams: Leader and Head Programmer |
|
Back to top |
|
|
|