I thought Linux wouldn't allow suid shell scripts to work as suid. The reasoning is a shell script doesn't quite execute, it gets interpreted by the command on the first line. Just as a test I made a simple script modded root.root 4755 that consists of the /bin/bash line, and cat /etc/shadow. Root can run just fine obviously, but permissions don't exist for other users to do that.
What may work a little better is either chmod s+x `which shutdown`, or writing a C wrapper and modding that s+x.

On 7/20/05, Mark Knecht <[EMAIL PROTECTED]> wrote:
> On 7/20/05, Richard Fish <[EMAIL PROTECTED]> wrote:
> > Mark Knecht wrote:
> >
> > >Hi,
> > >   I'm trying to get my mythfrontend box to allow a user to shut the
> > >machine down without the use of a keyboard. We are only using remote
> > >controls. suso doesn't seem to be an option because it requires a
> > >password. (AFAICT)
> > >
> > >   Is there some other way that I could make this work?
> > >
> >
> > 2 options:
> >
> > 1. Sudo can be set up to allow some commands to be run without a
> > password. I think this entry in /etc/sudoers should work:
> >
> > mythtv ALL = NOPASSWD: /sbin/shutdown
>
> Yes, I have this working. My problem with this solution was slightly
> deeper. To get MythTV to execute this command I have to put 'sudo
> shutdown -h now' in a setup screen within the setup portion of
> mythfrontend. In a general sense I don't know how to do that without a
> keyboard being attached to the machine. So far I haven't found where
> MythTV stores this information so that I could edit it from an ssh
> login.
>
> Granted I can attach a keyboard for a few minutes when the machine is
> here at my house, but I'm hesitant to use a solution that I cannot fix
> via ssh when the machine is remote at my folks' house.
>
> >
> > I have not tested this, so if something goes wrong, you'll have to try
> > and figure out "man sudoers".
> >
> > 2. Create a setuid (chmod 4711 /sbin/shutdown_by_anyone.sh) shell script
> > that runs shutdown. Be sure to export the PATH, and unset LD_PRELOAD
> > and LD_LIBRARY_PATH variables at the very beginning of the script. Also
> > make sure the interpreter line is "/bin/bash --". This doesn't fix all
> > of the security holes with setuid shell scripts, just the most common
> > and easiest to fix...
>
> I don't know how this is much of a security issue for me, but then
> again I don't know much about security, and I suppose it could be if
> someone plugs a keyboard in and wants to cause some harm. Shame on
> them, but good of you to consider it.
>
> Thanks,
> Mark
>
> --
> gentoo-user@gentoo.org mailing list
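
The C wrapper suggested at the top of this reply, sketched as an added example (not code posted by anyone in the thread): it discards the caller's environment and arguments and execs one fixed command. The /sbin/shutdown path and the "-h now" arguments come from the thread; the helper names and the PATH value are assumptions.

```c
/* Added example: setuid-root wrapper that runs one fixed shutdown command. */
#include <stdio.h>
#include <unistd.h>

/* Path as it appears in the sudoers line quoted in the thread. */
#define SHUTDOWN_PATH "/sbin/shutdown"

/* Fixed environment for the child. Nothing is inherited from the caller,
 * so LD_PRELOAD, LD_LIBRARY_PATH, IFS and friends never reach shutdown.
 * The PATH value is an assumption; adjust for the target system. */
static char *const clean_env[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };

/* Fixed argument vector: the caller cannot add or change options. */
static char *const shutdown_argv[] = { "shutdown", "-h", "now", NULL };

/* Hypothetical helper names, exposed so the vectors can be inspected. */
char *const *wrapper_env(void)  { return clean_env; }
char *const *wrapper_argv(void) { return shutdown_argv; }

/* The wrapper accepts no arguments; argc counts only the program name. */
int args_ok(int argc) { return argc == 1; }

int main(int argc, char **argv)
{
    (void)argv;
    if (!args_ok(argc)) {
        fprintf(stderr, "usage: shutdown_wrapper (takes no arguments)\n");
        return 2;
    }
    /* Set real gid/uid to the effective ones (root when installed setuid
     * root) so a child that checks the real uid sees 0. Fail closed. */
    if (setgid(getegid()) != 0 || setuid(geteuid()) != 0) {
        perror("setgid/setuid");
        return 1;
    }
    /* Absolute path plus execve: no PATH search, no shell, no inherited env. */
    execve(SHUTDOWN_PATH, shutdown_argv, clean_env);
    perror("execve");   /* reached only if execve failed */
    return 1;
}
```

Unlike the script, a compiled binary honours the setuid bit, and because it never passes through a shell the environment tricks Richard lists have nothing to act on.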