suid root - bash script

Oron Peled oron at actcom.co.il
Thu Apr 23 10:16:10 IDT 2009


On Thu, Apr 23, 2009 at 08:56:45AM +0300, Erez D wrote:
> I have a bash script I want to be run with root permissions, no matter
> which user executes it.
> 
> If it was a binary, I would only need to set it suid root.
> 
> But as it is a bash script, suid-ing it doesn't do anything, and suid-ing
> /bin/bash itself will make all scripts run suid root, which is surely not
> what I want.

There's a reason why the kernel does not respect the suid/sgid bit on shell
scripts -- it's because there are gazillions of ways a user can use
this script to gain total root access.

> there must be a solution for that.

Yes. Writing secure applications in a secure way.

Maybe writing a wrapper suid program that totally sanitizes
both the environment and command line arguments before
exec'ing the script would make it. Although I wouldn't bet
on it since it only covers the obvious attack vectors against
shell scripts.

On 23.04.2009 Yedidyah Bar-David wrote:
> 'sudo' is what you want.

Why bother? It's easier to simply give those users the root password
as the result would be the same anyway.

-- 
Oron Peled                                 Voice: +972-4-8228492
oron at actcom.co.il                  http://www.actcom.co.il/~oron
Linux lasts longer!
                        -- "Kim J. Brand" <kim at kimbrand.com>
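
The wrapper idea from the message above, sketched in C as an added example (not code from the thread or its participants): it replaces the caller's environment with a fixed one and accepts only allowlisted arguments before exec'ing the script, which covers the two vectors the message names and nothing more. The script path, the limits and the allowed character set are assumptions.

```c
/* Added example: setuid wrapper for one fixed script. Names and limits are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SCRIPT   "/usr/local/sbin/task.sh"  /* hypothetical; must be root-owned, not user-writable */
#define MAX_ARGS 8
#define MAX_LEN  64

/* Fixed environment: nothing from the caller (PATH, BASH_ENV, LD_*, ...) survives. */
static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", "LC_ALL=C", NULL };

/* Accept only short [A-Za-z0-9._-] words that cannot be read as an option or a dot-path. */
int arg_is_safe(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > MAX_LEN || s[0] == '-' || s[0] == '.')
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '.' && s[i] != '_' && s[i] != '-')
            return 0;
    return 1;
}

/* Returns 1 only if every user-supplied argument (argv[1..]) passes the allowlist. */
int args_are_safe(int argc, char *const argv[])
{
    if (argc < 1 || argc - 1 > MAX_ARGS)
        return 0;
    for (int i = 1; i < argc; i++)
        if (!arg_is_safe(argv[i]))
            return 0;
    return 1;
}

int main(int argc, char *argv[])
{
    if (!args_are_safe(argc, argv))
        return 2;
    /* bash drops privileges when real and effective ids differ, so set both. */
    if (setgid(getegid()) != 0 || setuid(geteuid()) != 0)
        return 1;
    argv[0] = SCRIPT;                 /* never trust the caller's argv[0] */
    execve(SCRIPT, argv, clean_env);  /* fixed path, fixed environment */
    perror("execve");
    return 1;
}
```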



