LinuxQuestions.org
Old 05-04-2005, 12:27 AM   #1
krishvij
Member
 
Registered: Feb 2005
Location: India
Distribution: RHEL 3
Posts: 108

Sticky Bit Doesn't Seem to work


Hi,

I created a shell script which will add users and set a default password for each user created. I set a SUID sticky bit on the file so that a selected unprivileged user can add users using this script. But it did not work. It says that it was unable to lock the passwd file. I am pasting the code of the script below. The name is addusers.sh
------------------------------------------------------------------------------------------------------------------------------

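#!/bin/bash
# addusers.sh: create accounts j2eeNNN for a range of ids and give each a default password
echo -n "enter the starting login id : "
read -r beg
echo -n "enter the ending login id : "
read -r final
fend=$(date +"%d%m%y")
i=$beg
# Start with an empty user:password list for chpasswd
rm -f "users$fend"
touch "users$fend"
while [ "$i" -le "$final" ]
do
    # Ids below 10 are padded with two zeros
    if [ "$i" -lt 10 ]; then
        useradd "j2ee00$i"
        chown -R "j2ee00$i:j2ee00$i" "/home/j2ee00$i"
        echo "j2ee00$i:elmaqedu" >> "users$fend"
    fi
    # Ids from 10 to 99 are padded with one zero
    if [ "$i" -ge 10 ] && [ "$i" -lt 100 ]; then
        useradd "j2ee0$i"
        chown -R "j2ee0$i:j2ee0$i" "/home/j2ee0$i"
        echo "j2ee0$i:elmaqedu" >> "users$fend"
    fi
    # Ids from 100 to 999 need no padding
    if [ "$i" -ge 100 ] && [ "$i" -lt 1000 ]; then
        useradd "j2ee$i"
        chown -R "j2ee$i:j2ee$i" "/home/j2ee$i"
        echo "j2ee$i:elmaqedu" >> "users$fend"
    fi
    i=$((i + 1))
done
# Set the passwords for all accounts in one pass
chpasswd < "users$fend"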

-------------------------------------------------------------------------------------------------------------------------
I then set the sticky bit using the chmod command. ls -l of the same file is as follows:

-rwsr-xr-x 1 root root 798 Apr 19 15:45 addusers.sh

Then I copied this file and put it in an unprivileged user's home directory and also copied the /usr/sbin/useradd and /usr/sbin/chpasswd commands to /usr/local/bin. Both these files had execute permissions for everyone. I then log in as the unprivileged user and execute the above script. It accepts the starting and ending login ids but then says that it cannot lock the password file and exits. Is this not supposed to work? Because I have set a sticky bit on the executable file, it has to run with the file owner's credentials? Please clarify.
 
Old 05-04-2005, 12:55 AM   #2
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Generally speaking, scripts can NOT be set uid. This is a security precaution (generally, shell scripts do not parse user input quite so strenuously). If you want to do this, you might want to look into the 'sudo' package.
 
Old 05-04-2005, 01:56 AM   #3
krishvij
Member
 
Registered: Feb 2005
Location: India
Distribution: RHEL 3
Posts: 108

Original Poster
Hi,

Just made it work. In my script, I was using useradd, chown & chpasswd. I just had to copy these to the /bin directory and then set SUIDs on these 3 as well. It all went fine. An unprivileged user can create users after all, if delegated. Further, since the script is written by root, there should not be any problem as the script would only do what the root wanted it to do.
 
Old 05-04-2005, 02:51 AM   #4
Harmaa Kettu
Member
 
Registered: Apr 2005
Location: Finland
Posts: 196

Quote:
I was using useradd, chown & chpasswd. I just had to copy these to the /bin directory and then set SUIDs on these 3 as well
Bad idea. Now anyone can do for example "/bin/chown -R <username> / ".
 
Old 05-04-2005, 09:38 AM   #5
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Placing the sticky bits on those programs could open HUGE holes... Namely, I could exploit that to gain root in a matter of seconds.
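
An added example, not part of any post in this thread: a shell audit that lists setuid files under a directory and separates scripts, where Linux ignores the bit, from binaries such as a setuid copy of chown that are not on an expected list. The `EXPECTED` list, the function names and the owner argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread.
# EXPECTED is a constructed baseline of program names that commonly ship
# setuid root; replace it with the list from your own distribution.
EXPECTED="passwd su sudo mount umount chsh chfn newgrp gpasswd"

is_expected() {
    for e in $EXPECTED; do
        [ "$1" = "$e" ] && return 0
    done
    return 1
}

# audit_setuid DIR [OWNER]
# Prints one line per setuid file owned by OWNER (default: root):
#   SCRIPT      starts with "#!"; Linux ignores the setuid bit here
#   OK          binary whose name is on the EXPECTED list
#   UNEXPECTED  any other setuid binary, e.g. a setuid copy of chown
audit_setuid() {
    dir=$1
    owner=${2:-root}
    find "$dir" -xdev -type f -user "$owner" -perm -4000 2>/dev/null |
    sort |
    while IFS= read -r f; do
        # The first two bytes identify an interpreter script
        magic=$(head -c 2 "$f" 2>/dev/null || true)
        if [ "$magic" = "#!" ]; then
            echo "SCRIPT $f"
        elif is_expected "${f##*/}"; then
            echo "OK $f"
        else
            echo "UNEXPECTED $f"
        fi
    done
}

# Stand-alone use: ./audit.sh /bin
# For SCRIPT and UNEXPECTED hits, clear the bit with "chmod u-s FILE"
# and delegate the task through sudo instead.
if [ "$#" -gt 0 ]; then
    audit_setuid "$@"
fi
```
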
 
Old 05-10-2005, 06:31 PM   #6
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

I would recommend that you read through the sudoers file.
You can allow certain users to run specific commands. Also, you can set it up so that they use their own password, or no password. That way you wouldn't need to give these users the root password.

There is a commented line in the sudoers file to allow regular users to mount the cdrom. You could base an entry on that line, but instead of ALL you would first define a group and give that group the rights to execute the script as root.

Also, using "sudo" adds accountability, because its use is logged.

Last edited by jschiwal; 05-10-2005 at 06:46 PM.
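
An added example, not part of the post above: a sudoers fragment that grants one group the right to run the script as root. The group name `useradmins` and the path `/usr/local/sbin/addusers.sh` are hypothetical; the script is assumed to be owned by root and kept in a directory the delegated users cannot write to, not in a user's home directory.

```sudoers
# Added example; edit with "visudo -f /etc/sudoers.d/addusers" so that
# syntax errors are caught before the file takes effect.

# The trailing "" means the command may only be run without arguments.
Cmnd_Alias ADDUSERS = /usr/local/sbin/addusers.sh ""

# Members of the (hypothetical) group useradmins may run it as root,
# authenticating with their own password; each use is logged by sudo.
%useradmins ALL = (root) ADDUSERS
```

A member of the group then runs `sudo /usr/local/sbin/addusers.sh`; no setuid bit is needed on the script or on useradd, chown and chpasswd.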
 
  

