On Thu, Jul 31, 2003 at 04:44:02PM -0700, Bryan Murdock wrote: > The problem is, the setuid script doesn't seem to have the necessary > permissions if run on a Redhat box, just if run on an HP-UX box. Is > there a way to turn setuid off and on (I'm thinking it's off on the > linux box for some reason)? How do I fix it? Or is there a Better Way > to do what I'm trying to do here?
Setuid is a really interesting thing. Historically people could set any executable file to be SUID. And they did. And setuid shell scripts were a major source of root exploits. You can manipulate the environment of a program and make it do weird things. You can change the PATH so that if the script does 'ls', it will do a different ls than /bin/ls. You can also pass arguments that include special shell characters like semicolons, pipes, ampersands, etc., and the shell would happily interpret these. Even when programmers were careful to specify exact paths and to be careful about using arguments, you could always change the IFS variable. All of that is really bad stuff. So on Linux, interpreted executables (ones that start with #!) automatically drop setuid and setgid. Which is really a good thing. Many Unices don't do that, as you noticed with HPUX. If you absolutely need a setuid shell script, which I don't recommend, the only way to do it is to write a 10 line wrapper program in C, which just calls exec on your script, and then setuid the wrapper. The moral of all of this is that setuid scripts are bad, and that there is always a better way, but if you really want to shoot yourself in the foot it's your choice.
pgp00000.pgp
Description: PGP signature
____________________ BYU Unix Users Group http://uug.byu.edu/ ___________________________________________________________________ List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
