[clue-tech] suid
Jason S. Friedman
jason at powerpull.net
Thu Feb 12 07:05:06 MST 2009
I have an executable X owned by root that can do A, B and C, depending
on the command-line switches used when invoking X. I want to grant
ordinary users the privilege to do A and B, but not C. So, I considered
a wrapper script that verifies the user is not attempting to do C and
then calls X. I started with:
powerpull at goldenrule ~ $ wc < /etc/passwd
45 65 2166
root at goldenrule ~ $ chmod 750 /usr/bin/wc
powerpull at goldenrule ~ $ wc < /etc/passwd
bash: /usr/bin/wc: Permission denied
root at goldenrule ~ $ cat > /usr/bin/wrapped_wc <<EOF
> #!/bin/sh
> /usr/bin/wc
> EOF
# wrapped_wc would be re-written to verify that the user is not
# attempting to perform C
root at goldenrule ~ $ chmod 755 /usr/bin/wc /usr/bin/wrapped_wc
powerpull at goldenrule ~ $ wrapped_wc < /etc/passwd
45 65 2166
root at goldenrule ~ $ chmod 750 /usr/bin/wc
powerpull at goldenrule ~ $ wrapped_wc < /etc/passwd
/usr/bin/wrapped_wc: 2: /usr/bin/wc: Permission denied
Now, I would expect this to help:
root at goldenrule ~ $ chmod u+s /usr/bin/wrapped_wc
root at goldenrule ~ $ ll /usr/bin/wrapped_wc
-rwsr-xr-x 1 root root 22 2009-02-12 13:58 /usr/bin/wrapped_wc
But it does not:
powerpull at goldenrule ~ $ wrapped_wc < /etc/passwd
/usr/bin/wrapped_wc: 2: /usr/bin/wc: Permission denied
More information about the clue-tech
mailing list