LinuxQuestions.org
Old 06-02-2004, 05:34 PM   #1
m3kgt
Member
 
Registered: Oct 2003
Location: WA
Distribution: Redhat 3.0ES & Slackware 8.1
Posts: 44

Rep: Reputation: 15
creating shell script that executes as root regardless of who runs the script?


I have created a little shell script that goes through a specified directory and changes permissions on a few files. The script works perfectly when I am logged in as root and run the script from the command line.

What I want to do is make a website with a button to click that says "reset permissions", and the button will then execute (via PHP) the shell script I made. Getting the webpage to do that is no problem, but there is a problem with the script actually working because apache runs as apache, not as root. And apache isn't able to change permissions on files it doesn't own.

Does that make sense?

Is there a way to make a script that apache can execute that would be able to change permissions on files? Normally only the owner/root would be able to do this... but I need apache to be able to do it. I don't want to change what GID or UID apache runs as because I don't want to end up with big gaping security holes.

If you need any clarification, let me know! Thanks.

Joe
 
Old 06-02-2004, 07:23 PM   #2
Shade
Senior Member
 
Registered: Mar 2003
Location: Burke, VA
Distribution: RHEL, Slackware, Ubuntu, Fedora
Posts: 1,418
Blog Entries: 1

Rep: Reputation: 46
What you're looking for is called the SETUID bit. It lets programs execute with the permissions of their owners.

X runs like this, for example -- always with root permissions.

chmod 4xxx filename

example:
chmod 4755 script.sh
should work

where xxx are the permissions you'd normally set.

--Shade
 
Old 06-02-2004, 10:43 PM   #3
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378
I don't think this will work exactly. The kernel ignores the setuid bit on shell scripts because it opens up a host of security concerns. Try it yourself with the following script:

Code:
#!/bin/sh

# id -u prints the effective UID; unlike $UID it works in every POSIX sh
echo "I am PID $$ executing as user $(id -u)"

On all systems I'm familiar with, it prints out my own UID and does not have root privileges, regardless of whether or not the SETUID bit is set.
 
Old 06-03-2004, 12:38 AM   #4
Shade
Senior Member
 
Registered: Mar 2003
Location: Burke, VA
Distribution: RHEL, Slackware, Ubuntu, Fedora
Posts: 1,418
Blog Entries: 1

Rep: Reputation: 46
Good call there.

You're indeed right. Does the kernel ignore the SUID for shell scripts only? In other words, this only works with binaries?

--Shade

EDIT: I really feel like I'm missing something here... This should work according to what I've read...

Last edited by Shade; 06-03-2004 at 12:45 AM.
 
Old 06-03-2004, 01:36 AM   #5
ahh
Member
 
Registered: May 2004
Location: UK
Distribution: Gentoo
Posts: 293

Rep: Reputation: 31
It should work if the file is owned by root, and is allowed to be executed by anyone.

As root:

Code:
chown root:root /file
chmod ug+rwx,o+x /file
 
Old 06-03-2004, 01:53 AM   #6
micxz
Senior Member
 
Registered: Sep 2002
Location: CA
Distribution: openSuSE, Cent OS, Slackware
Posts: 1,131

Rep: Reputation: 75
You could use sudo? Just make sure the sudo entry is for apache or whatever your PHP script runs as.
 
Old 06-03-2004, 02:38 AM   #7
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378
Shade,

There are a number of serious security issues with SetUID shell scripts so the Linux kernel simply does not honor the SetUID bit on shell scripts, only binary files. There's a good article I found on this here.
 
Old 06-03-2004, 06:47 AM   #8
chii-chan
Member
 
Registered: Sep 2003
Location: chikyuu (E103N6)
Distribution: Redhat 8.0 (2.4.25-custom), Fedora Core 1 (2.4.30-custom)
Posts: 357

Rep: Reputation: 30
I think editing /etc/sudoers is the way to go. I give my example here. I want my user to be able to run /sbin/rmmod and /sbin/insmod to be able to load and unload usb-storage module. This is what I did to my /etc/sudoers file:

# User privilege specification
root ALL=(ALL) ALL
user ALL=NOPASSWD: /sbin/rmmod usb-storage,/sbin/insmod usb-storage

Then I made a script like this:

#!/bin/bash
#re-usb

sudo /sbin/rmmod usb-storage;sudo /sbin/insmod usb-storage

It is more secure (definitely) than setuid. Use 'visudo'.

Last edited by chii-chan; 06-03-2004 at 07:00 AM.
 
Old 06-03-2004, 11:36 AM   #9
m3kgt
Member
 
Registered: Oct 2003
Location: WA
Distribution: Redhat 3.0ES & Slackware 8.1
Posts: 44

Original Poster
Rep: Reputation: 15
Using chii-chan's method of sudo... let's say I had a shell script called access.sh, and the script looked like this...

Code:
#!/bin/bash

# $1 is the site's username; quoted so it is always passed as a single argument
echo "Setting permissions for $1."
sudo chown -R "$1:users" "/home/$1/public_html"
sudo chmod -R 775 "/home/$1/public_html"
echo "Done!"

What would my sudoers file need to look like? Would I need to give apache sudo access to the "access.sh" script and then remove the sudo commands from the script, or would I need to give apache access to chown and chmod and leave sudo in the script on each line?

Something about giving apache access to chmod and chown seems a little scary....

What I am trying to accomplish is, sometimes permissions/owners get messed up on files that have been uploaded or modified by users. So I am trying to make a webpage with a little drop down menu where they can select their site from the list, and hit "reset permissions" and it will change everything back to what it should be. Make sense?

Thanks for all the help everyone.

Last edited by m3kgt; 06-03-2004 at 11:38 AM.
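
One way to settle the sudoers question raised in post #9, as an added example that is not part of the thread: give apache sudo access to a single root-owned wrapper rather than to chown and chmod, and have the wrapper validate the site name itself. The install path `/usr/local/sbin/reset-perms.sh`, the sudoers line and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed install path and sudoers entry:
#   /usr/local/sbin/reset-perms.sh   (owner root:root, mode 0755)
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/reset-perms.sh
# sudoers places no limit on the arguments here, so the script must check them.
LC_ALL=C; export LC_ALL          # make the a-z range below mean ASCII only

# Accept plain account names only: rejects "", "/", "..", spaces, a leading "-".
valid_site() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Print <base>/<site>/public_html, or fail if the name or the path is unsafe.
target_dir() {
    valid_site "$1" || return 1
    dir="$2/$1/public_html"
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1   # refuse a symlinked docroot
    printf '%s\n' "$dir"
}

reset_perms() {
    dir=$(target_dir "$1" /home) || { echo "refusing: $1" >&2; return 1; }
    id -u "$1" >/dev/null 2>&1 || { echo "no such user: $1" >&2; return 1; }
    echo "Setting permissions for $1."
    # -h: change a symlink itself, never the file it points to
    chown -R -h "$1:users" "$dir" && chmod -R 775 "$dir" && echo "Done!"
}

# Only act when called with a site name, e.g. from PHP via:
#   sudo /usr/local/sbin/reset-perms.sh joe
if [ "$#" -gt 0 ]; then
    reset_perms "$1"
fi
```

The check and the recursive chown are not atomic, so users who can write inside the directory can still change it between the two steps.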
 
Old 06-03-2004, 12:09 PM   #10
micxz
Senior Member
 
Registered: Sep 2002
Location: CA
Distribution: openSuSE, Cent OS, Slackware
Posts: 1,131

Rep: Reputation: 75
What is causing the sites to have incorrect permissions?
 
Old 06-03-2004, 12:59 PM   #11
m3kgt
Member
 
Registered: Oct 2003
Location: WA
Distribution: Redhat 3.0ES & Slackware 8.1
Posts: 44

Original Poster
Rep: Reputation: 15
You bring up another good point... this little shell script I have made wouldn't even be needed if the permissions/ownership didn't change all the time.

What's happening is, I will set all permissions and ownership to what it should be. Then one of my web designers (we'll call them designer1) uploads a new index.html file with some changes he or she made. Now all of the sudden designer1 is the owner of the file. Now let's say designer2 comes along and wants to make a change to index.html, they can't because designer1 is now the owner of the file. Neither designer1 nor designer2 should be the owner of the file, it should always stay as the username associated with the virtual host, which is what I set it to.

What's happening is, whenever a file is modified or overwritten (uploaded with scp) then the ownership changes.

Is there a way to stop that from happening?

If you need clarification, just ask.
 
Old 06-03-2004, 01:17 PM   #12
micxz
Senior Member
 
Registered: Sep 2002
Location: CA
Distribution: openSuSE, Cent OS, Slackware
Posts: 1,131

Rep: Reputation: 75
You could use a cron script (runs every minute or hour) to recursively chown and chmod. This way you have no manual pulldown work or PHP to Shell script task.
 
Old 06-03-2004, 04:43 PM   #13
Shade
Senior Member
 
Registered: Mar 2003
Location: Burke, VA
Distribution: RHEL, Slackware, Ubuntu, Fedora
Posts: 1,418
Blog Entries: 1

Rep: Reputation: 46
btmiller, That's an EXCELLENT article.

I'm about to dive in on a bit more security reading.
Thanks so much for that clarification.

--Shade
 
Old 06-04-2004, 10:23 PM   #14
Kroenecker
Member
 
Registered: May 2003
Location: The States
Distribution: Gentoo
Posts: 245

Rep: Reputation: 30
I have to second that: the article was very interesting. Thanks for the link!
 
  

