suid root - bash script
Noam Rathaus
noamr at beyondsecurity.com
Thu Apr 23 14:01:29 IDT 2009
Hi Yedidyah,
1) It doesn't run => shows error => stops
2) Under root it works => no error => works
3) Should I test it under another user? :)
On Thu, Apr 23, 2009 at 1:51 PM, Yedidyah Bar-David
<linux-il at didi.bardavid.org> wrote:
> On Thu, Apr 23, 2009 at 01:22:43PM +0300, Noam Rathaus wrote:
>> Hi Yedidyah,
>> > I guess there are other ways to do this, but that's how it is in unix.
>> > As far as I know, Windows does not have something similar at all - if
>> > you want there to run some program as another user, you have to do much
>> > more than setuid it.
>>
>>
>> Windows has the Run As service which does something similar, it's a bit
>> more.. complex, but it allows you to do what you mentioned. I am
>> skipping on Windows' ability to run Service as other users :)
>
> What's the difference (in use, not in implementation) between Run As and
> 'su'? Does it allow (by some configuration) running some program as
> another user without providing its password? But this is getting
> off-topic...
>
>> My scenario is this:
>> 1) Apache runs a perl (which needs to be setuid => it changes IP addresses, etc)
>> 2) This perl needs to call another perl responsible for updating the
>> system => and managing that it works correctly
>> 3) This perl runs several other Perl scripts that are also setuid as
>> they replace files
>>
>> When apache tries to execute the perl's line which says:
>> system("/usr/local/bin/update.pl")
>>
>> I get the setuid warning that I need to put a wrapper
>>
>> I then did:
>> system("/usr/local/bin/update")
>>
>> Where update
>>
>> Just executes update.pl
>>
>> Both update (written in C) and update.pl (written in perl) are setuid root.
>>
>> I still get the warning
>
> But does it or does it not run as root? Perhaps it emits this warning
> anyway when the script is setuid. I did not check. If it does not: What
> happens when you simply run it yourself from the command line? Does it
> work?
>
> You can still try sudo anyway. Read 'man sudoers' and look at the
> EXAMPLES section.
> --
> Didi
>
>