Problem with suid script
| mrmazoo@gmail.com 2006-08-16, 1:25 pm |
| Hi,
I have a PERL script with suid permissions in the /bin directory. Its
permissions are identical to dozens of other suid programs like
/usr/bin/passwd. However, when I try to run the script I get a
permission denied error:
$ ls -al /usr/bin/passwd /bin/usage
-r-s--x--x 1 root root 4736 Aug 16 10:59 /bin/usage
-r-s--x--x 1 root root 18852 Mar 7 2005 /usr/bin/passwd
But when I try to run usage:
$ usage
Can't open PERL script "/bin/usage": Permission denied
Any ideas? I can run the script fine as root.
Thanks in advance.
-Greg
| |
| Lew Pitcher 2006-08-16, 1:25 pm |
|
mrmazoo@gmail.com wrote:
> Hi,
>
> I have a PERL script with suid permissions in the /bin directory. Its
> permissions are identical to dozens of other suid programs like
> /usr/bin/passwd. However, when I try to run the script I get a
> permission denied error:
>
> $ ls -al /usr/bin/passwd /bin/usage
> -r-s--x--x 1 root root 4736 Aug 16 10:59 /bin/usage
> -r-s--x--x 1 root root 18852 Mar 7 2005 /usr/bin/passwd
>
> But when I try to run usage:
>
> $ usage
> Can't open PERL script "/bin/usage": Permission denied
>
> Any ideas? I can run the script fine as root.
Apparently, your Unix doesn't honour the setuid bit when it is used on
a script.
FWIW, setuid scripts are known security hazards, and many systems are
configured to not honour them. You may have to find another way to
accomplish your goal for /bin/usage
HTH
- --
Lew Pitcher
| |
| Jay C. James 2006-08-17, 7:18 pm |
|
"Lew Pitcher" <lpitcher@sympatico.ca> wrote in message
news:1155743668.623925.69230@m73g2000cwd.googlegroups.com...
> mrmazoo@gmail.com wrote:
>
> Apparently, your Unix doesn't honour the setuid bit when it is used on
> a script.
> FWIW, setuid scripts are known security hazards, and many systems are
> configured to not honour them. You may have to find another way to
> accomplish your goal for /bin/usage
>
> HTH
> - --
> Lew Pitcher
Real fast and ugly short term solution is to write a setuid C wrapper that uses
system() to run the shell script if you find yourself limited by this. It's hacky,
and you are better off with something else, but in a pinch...
jcj
| |
| Doug Freyburger 2006-08-18, 1:33 pm |
| mrmazoo@gmail.com wrote:
>
> I have a PERL script with suid permissions in the /bin directory. Its
> permissions are identical to dozens of other suid programs like
> /usr/bin/passwd. However, when I try to run the script I get a
> permission denied error:
>
> $ ls -al /usr/bin/passwd /bin/usage
> -r-s--x--x 1 root root 4736 Aug 16 10:59 /bin/usage
> -r-s--x--x 1 root root 18852 Mar 7 2005 /usr/bin/passwd
>
> But when I try to run usage:
>
> $ usage
> Can't open PERL script "/bin/usage": Permission denied
Just checking - Is the first line like "#! /usr/bin/perl ..."?
| |
| Gregory.Geller@gmail.com 2006-08-18, 7:22 pm |
|
>
> Just checking - Is the first line like "#! /usr/bin/perl ..."?
Yes.
I found a way to do what I wanted to do without needing suid. However,
I'd still be interested to know the answer to this problem.
| |
| Doug Freyburger 2006-08-18, 7:22 pm |
| Gregory.Gel...@gmail.com wrote:
>
> I found a way to do what I wanted to do without needing suid. However,
> I'd still be interested to know the answer to this problem.
In general, setting a script to setuid is the wrong answer. If you
end up needing to do it, it means you need to rethink your problem
and do it another way. Since you found a way without setuid you
just did exactly that.
Jay James posted the usual way - A wrapper in C that uses the
system() call, setuid the small compiled binary.
|
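The wrapper approach mentioned in the replies above, as an added example that is not code from any poster in the thread: it swaps system() for execve() with a fixed environment, so no shell ever parses caller-controlled input. The argument cap `MAX_ARGS`, the `PATH` value and the helper names `target_is_trusted` and `build_argv` are assumptions.

```c
/* Added example: setuid-root wrapper for the thread's /bin/usage script. */
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#define TARGET   "/bin/usage"  /* script path from the thread */
#define MAX_ARGS 16            /* assumption: small fixed cap on arguments */

/* Fixed environment: nothing from the caller (PATH, IFS, PERL5LIB, ...) survives. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Trust the script only if it is a regular file owned by root that neither
 * group nor others can write (its directory must be root-only writable too). */
int target_is_trusted(const struct stat *st)
{
    return S_ISREG(st->st_mode) && st->st_uid == 0 &&
           (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Build argv with a fixed argv[0]; returns the argument count, or -1 if the
 * caller passed more arguments than the cap allows. */
int build_argv(int argc, char *const argv[], char *out[MAX_ARGS + 2])
{
    int n = 0;
    if (argc - 1 > MAX_ARGS)
        return -1;
    out[n++] = TARGET;
    for (int i = 1; i < argc; i++)
        out[n++] = argv[i];
    out[n] = NULL;
    return n;
}

int main(int argc, char *argv[])
{
    struct stat st;
    char *args[MAX_ARGS + 2];
    if (stat(TARGET, &st) != 0 || !target_is_trusted(&st) ||
        build_argv(argc, argv, args) < 0) {
        fprintf(stderr, "wrapper: refusing to run %s\n", TARGET);
        return 1;
    }
    /* execve, not system(): no shell is involved, and the kernel starts the
     * "#!" interpreter with the effective uid this process already has. */
    execve(TARGET, args, CLEAN_ENV);
    perror("wrapper: execve");
    return 1;
}
```

Only the compiled wrapper needs to be root-owned with the setuid bit; the script itself can have the bit cleared. Perl enables taint checks on its own when the real and effective user IDs differ, so the script has to untaint any argument it uses in a file or command operation.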