setuid why? and how?
I got confused with setuid concept. What I have understood is that if setuid set on any file.Anybody run(execute) it, it will run as it has ran by its owner.
Is it my concept is correct. If not please make me explain from example other than passwd. If it is correct than check my example that I performed. I have created a file lsscript.sh with permission 4700, means owner has full permission with setuid bit. now I switched user and tried to run lsscript.sh. But its shows permission denied. Why? It should have run with owner permission. |
you cannot use setuid bits on scripts, but on binaries. Scripts are not standalone executables but there are interpreters (like bash/perl/whatever) to interpret/execute/run them.
Therefore setuid on the script (which is a plain text file) is meaningless. You ought to set it on the binary, but I do not really suggest you to set setuid on bash or similar (but you can make a local copy of it and try that one). |
Quote:
That said, pan64 may be right about when to use setuid. Personally, I have only used it on directories to force the files within them to be owned by the user (or group), and not on scripts or binaries. |
Quote:
|
You can make setuid Perl and Python scripts, just apparently not shell scripts. At least you used to, but perhaps that has changed. You can always write a simple C wrapper around anything and that will be able to get the job done.
EDIT: Yeah, this seems to have changed in most systems and they won't even let Perl do setuid scripts, so you need to write a simple C wrapper that's setuid to launch the script while it is root. |
The main reason is that some things like system utilities need to run as root to get access to certain kernel information, certain files, or perform certain tasks.
Really simple programs to understand the logic behind it would be su or sudo. In order to be able to switch to root or run another program as root, the program that does it obviously has to be running as root to begin with. So su runs as root, asks for your password, then if it authenticates, it changes your userid to root (or any other user) and executes another shell, then you have a # prompt instead of a $ prompt. Same idea with sudo, but you don't get a root shell, you have run each program separately by using sudo with each one :) |
I was always told that the suid bit is not honoured on scripts as a security precaution, to prevent "script kiddies" running malware on your system. Writing and compiling a proper program is beyond the capacity of most of these idiots.
It can't just be because scripts are text, since they can be made executable and most text files can't. |
Quote:
here you can find a discussion about setuid in perl: https://stackoverflow.com/questions/...sed-as-cgi-bin |
Quote:
And if I give 755 permission to script than why I need to set setuid to it. It already got access to run script. |
Quote:
|
This is a very simple example how you make an setuid script, you'd probably want to add to it so you can pass parameters, etc.:
Save this, substituting /path/to/myscript.pl with whatever script you want to run as root: Code:
// Then it will run that script as root. |
All times are GMT -5. The time now is 12:55 PM. |