[clue-tech] suid
Charles W Downing
chuckdowning at earthlink.net
Thu Feb 12 07:21:57 MST 2009
Jason S. Friedman wrote:
> I have an executable X owned by root that can do A, B and C, depending
> on the command-line switches used when invoking X. I want to grant
> ordinary users the privilege to do A and B, but not C. So, I
> considered a wrapper script that verifies the user is not attempting
> to do C and then calls X. I started with:
>
> powerpull at goldenrule ~ $ wc < /etc/passwd
> 45 65 2166
>
> root at goldenrule ~ $ chmod 750 /usr/bin/wc
>
> powerpull at goldenrule ~ $ wc < /etc/passwd
> bash: /usr/bin/wc: Permission denied
>
> root at goldenrule ~ $ cat > /usr/bin/wrapped_wc <<EOF
> > #!/bin/sh
> > /usr/bin/wc
> > EOF
> # wrapped_wc would be re-written to verify that the user is not
> # attempting to perform C
>
> root at goldenrule ~ $ chmod 755 /usr/bin/wc /usr/bin/wrapped_wc
>
> powerpull at goldenrule ~ $ wrapped_wc < /etc/passwd
> 45 65 2166
>
> root at goldenrule ~ $ chmod 750 /usr/bin/wc
>
> powerpull at goldenrule ~ $ wrapped_wc < /etc/passwd
> /usr/bin/wrapped_wc: 2: /usr/bin/wc: Permission denied
>
> Now, I would expect this to help:
> root at goldenrule ~ $ chmod u+s /usr/bin/wrapped_wc
> root at goldenrule ~ $ ll /usr/bin/wrapped_wc
> -rwsr-xr-x 1 root root 22 2009-02-12 13:58 /usr/bin/wrapped_wc
>
> But it does not:
> powerpull at goldenrule ~ $ wrapped_wc < /etc/passwd
> /usr/bin/wrapped_wc: 2: /usr/bin/wc: Permission denied
Do you need to change the permissions on wc to u+s, as well?
--
Chuck Downing
Highlands Ranch, Colorado USA
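
Added example (not part of the original thread): Linux ignores the set-user-ID bit on "#!" scripts, so a wrapper of the kind described in the quoted message is normally a small compiled program that checks the switches against an allow-list and then executes the target. The path /usr/local/sbin/X and the switch names -a, -b and -c are assumptions standing in for X, A, B and C.

```c
/* Setuid wrapper sketch: permit only the switches for actions A and B.
 * TARGET and the switch names are hypothetical placeholders. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define TARGET "/usr/local/sbin/X"   /* assumed location of X */

/* Allow-list: anything not named here (including -c) is refused. */
static const char *const allowed[] = { "-a", "-b", NULL };

/* Return 1 only if at least one argument is given and every argument is
 * exactly an allow-listed switch. Combined forms such as "-ac" do not
 * match and are refused. Refusing an empty argument list is an
 * assumption: what X does without switches is not known here. */
int args_allowed(int argc, char *const argv[])
{
    if (argc < 2)
        return 0;
    for (int i = 1; i < argc; i++) {
        int ok = 0;
        for (size_t j = 0; allowed[j] != NULL; j++)
            if (strcmp(argv[i], allowed[j]) == 0)
                ok = 1;
        if (!ok)
            return 0;
    }
    return 1;
}

int main(int argc, char *argv[])
{
    /* Fixed environment: the caller's PATH, IFS, LD_* and so on are dropped. */
    char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

    if (!args_allowed(argc, argv)) {
        fputs("usage: wrapper [-a] [-b]\n", stderr);
        return 2;
    }
    argv[0] = TARGET;                 /* absolute path, no PATH lookup */
    execve(TARGET, argv, clean_env);
    perror("execve");                 /* reached only if execve failed */
    return 126;
}
```

Installed root-owned with mode 4755, with the target left at 750 as in the quoted session, the wrapper runs the target with root's effective UID only after the switches have passed the check.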