[clue-tech] suid
Angelo Bertolli
angelo.bertolli at gmail.com
Thu Feb 12 07:37:50 MST 2009
Jason S. Friedman wrote:
> I have an executable X owned by root that can do A, B and C, depending
> on the command-line switches used when invoking X. I want to grant
> ordinary users the privilege to do A and B, but not C. So, I
> considered a wrapper script that verifies the user is not attempting
> to do C and then calls X. I started with:
>
> powerpull at goldenrule ~ $ wc < /etc/passwd
> 45 65 2166
>
> root at goldenrule ~ $ chmod 750 /usr/bin/wc
>
> powerpull at goldenrule ~ $ wc < /etc/passwd
> bash: /usr/bin/wc: Permission denied
>
> root at goldenrule ~ $ cat > /usr/bin/wrapped_wc <<EOF
> > #!/bin/sh
> > /usr/bin/wc
> > EOF
> # wrapped_wc would be re-written to verify that the user is not
> # attempting to perform C
>
> root at goldenrule ~ $ chmod 755 /usr/bin/wc /usr/bin/wrapped_wc
>
> powerpull at goldenrule ~ $ wrapped_wc < /etc/passwd
> 45 65 2166
>
> root at goldenrule ~ $ chmod 750 /usr/bin/wc
>
> powerpull at goldenrule ~ $ wrapped_wc < /etc/passwd
> /usr/bin/wrapped_wc: 2: /usr/bin/wc: Permission denied
>
> Now, I would expect this to help:
> root at goldenrule ~ $ chmod u+s /usr/bin/wrapped_wc
> root at goldenrule ~ $ ll /usr/bin/wrapped_wc
> -rwsr-xr-x 1 root root 22 2009-02-12 13:58 /usr/bin/wrapped_wc
>
> But it does not:
> powerpull at goldenrule ~ $ wrapped_wc < /etc/passwd
> /usr/bin/wrapped_wc: 2: /usr/bin/wc: Permission denied
It doesn't work. You can't: the suid bit doesn't work with bash scripts.
That's a security feature in Linux.
Angelo
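Since the kernel ignores the setuid bit on interpreted scripts, the same idea has to be a compiled wrapper. The following is an added example, not code from the thread: a small setuid-root C program that forwards only an allowlist of switches (standing in for A and B) to the real binary and refuses anything else. It assumes the layout from the thread (/usr/bin/wc mode 750 root:root, the wrapper installed setuid root); the allowlist contents and the name args_allowed are illustrative.

```c
/* Added example: a setuid wrapper that forwards only allowlisted switches.
 * Assumed layout (from the thread): /usr/bin/wc is 750 root:root, and this
 * binary is installed setuid root in its place for ordinary users. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define REAL_BIN "/usr/bin/wc"   /* absolute path: never a $PATH lookup */

/* Switches the wrapper is willing to forward (the "A" and "B" of the
 * thread; hypothetical choice). Anything not listed here, including the
 * forbidden operation "C", file names and unknown options, is refused. */
static const char *const allowed[] = { "-l", "-w", NULL };

/* Return 1 if a single argument is on the allowlist, else 0. */
int switch_allowed(const char *arg)
{
    for (const char *const *p = allowed; *p; p++)
        if (strcmp(arg, *p) == 0)
            return 1;
    return 0;
}

/* Return 1 only if every argument after argv[0] is allowed. */
int args_allowed(int argc, char *const argv[])
{
    for (int i = 1; i < argc; i++)
        if (!switch_allowed(argv[i]))
            return 0;
    return 1;
}

int main(int argc, char *argv[])
{
    if (!args_allowed(argc, argv)) {
        fprintf(stderr, "wrapped_wc: refused; only %s or %s may be used\n",
                allowed[0], allowed[1]);
        return 1;
    }
    /* Fixed environment, so the caller's variables never reach the
     * privileged child. stdin/stdout are inherited, so redirection works. */
    static char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    argv[0] = REAL_BIN;
    execve(REAL_BIN, argv, envp);
    perror("wrapped_wc: execve");   /* only reached if the exec failed */
    return 1;
}
```

Install it as root with `chmod 4755`, exactly as Jason did for the script; because the check happens before execve, the real binary never sees a switch the wrapper did not approve.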