LinuxQuestions.org - Linux - Newbie
setuid why? and how? (https://www.linuxquestions.org/questions/linux-newbie-8/setuid-why-and-how-4175608692/)

Ankit yadav 06-27-2017 02:34 AM

setuid why? and how?
 
I got confused with the setuid concept. What I have understood is that if setuid is set on any file, then anybody who runs (executes) it will have it run as if it had been run by its owner.

Is my concept correct?
If not, please explain it to me with an example other than passwd.

If it is correct, then check my example that I performed.

I have created a file lsscript.sh with permission 4700, which means the owner has full permission, with the setuid bit.

Now I switched user and tried to run lsscript.sh, but it shows permission denied.

Why? It should have run with owner permission.

pan64 06-27-2017 02:38 AM

You cannot use setuid bits on scripts, only on binaries. Scripts are not standalone executables; there are interpreters (like bash/perl/whatever) to interpret/execute/run them.
Therefore setuid on the script (which is a plain text file) is meaningless.
You ought to set it on the binary, but I do not really suggest you set setuid on bash or similar (but you can make a local copy of it and try that one).

scasey 06-27-2017 04:25 AM

Quote:

Originally Posted by Ankit yadav (Post 5727649)
I have created a file lsscript.sh with permission 4700, which means the owner has full permission, with the setuid bit.

Now I switched user and tried to run lsscript.sh, but it shows permission denied.

Why? It should have run with owner permission.

The 4700 says only the owner can run the script. The 00 for group and others is what gave "permission denied." To try what you want you'd have to set permission to 4750 (if the other user is in the same group) or 4755 so any other user can run the script. Note in both cases, you wouldn't be allowing others to change the script, only read and execute it.

That said, pan64 may be right about when to use setuid. Personally, I have only used it on directories to force the files within them to be owned by the user (or group), and not on scripts or binaries.

dejank 06-27-2017 04:44 AM

Quote:

Originally Posted by pan64 (Post 5727651)
You cannot use setuid bits on scripts, only on binaries. Scripts are not standalone executables; there are interpreters (like bash/perl/whatever) to interpret/execute/run them.
Therefore setuid on the script (which is a plain text file) is meaningless.
You ought to set it on the binary, but I do not really suggest you set setuid on bash or similar (but you can make a local copy of it and try that one).

Actually, there is a way to make scripts executable with setuid, but I never tried it personally. Here is a good explanation of it: https://unix.stackexchange.com/quest...l-scripts#2910

Laserbeak 06-27-2017 05:00 AM

You can make setuid Perl and Python scripts, just apparently not shell scripts. At least you used to, but perhaps that has changed. You can always write a simple C wrapper around anything and that will be able to get the job done.

EDIT: Yeah, this seems to have changed in most systems and they won't even let Perl do setuid scripts, so you need to write a simple C wrapper that's setuid to launch the script while it is root.

Laserbeak 06-27-2017 05:13 AM

The main reason is that some things like system utilities need to run as root to get access to certain kernel information, certain files, or perform certain tasks.

Really simple programs to understand the logic behind it would be su or sudo.

In order to be able to switch to root or run another program as root, the program that does it obviously has to be running as root to begin with. So su runs as root, asks for your password, then if it authenticates, it changes your userid to root (or any other user) and executes another shell, and then you have a # prompt instead of a $ prompt. Same idea with sudo, but you don't get a root shell; you have to run each program separately by using sudo with each one :)

hazel 06-27-2017 05:56 AM

I was always told that the suid bit is not honoured on scripts as a security precaution, to prevent "script kiddies" running malware on your system. Writing and compiling a proper program is beyond the capacity of most of these idiots.

It can't just be because scripts are text, since they can be made executable and most text files can't.

pan64 06-27-2017 05:58 AM

Quote:

Originally Posted by dejank (Post 5727683)
Actually, there is a way to make scripts executable with setuid, but I never tried it personally. Here is a good explanation of it: https://unix.stackexchange.com/quest...l-scripts#2910

This is exactly what I meant. The setuid bit on the text file (script) itself is ignored, not used. You need to have a setuid binary (either the interpreter, or a shebang-style launcher, or similar) to do that.

Here you can find a discussion about setuid in perl: https://stackoverflow.com/questions/...sed-as-cgi-bin
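The two points made in this thread so far (scasey's: the 00 in 4700 is what denies group and others; pan64's: the kernel ignores a setuid bit on an interpreted script) can be checked mechanically. The following is an added example, not code from the thread or from any of the posters: a small C inspector that reports, for a given file, whether its setuid bit could ever take effect. The enum names, the `make_sample()` helper and the sample contents are all constructed for this example; the rule it encodes is the one stated above, that setuid only matters on a native (non-`#!`) file that someone other than the owner is allowed to execute.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Findings reported by classify_setuid(), combined as a bitmask (constructed names). */
enum {
    SETUID_BIT_SET   = 1 << 0, /* mode has the 04000 bit */
    EXEC_BY_GROUP    = 1 << 1, /* group may execute (0010) */
    EXEC_BY_OTHERS   = 1 << 2, /* others may execute (0001) */
    IS_SCRIPT        = 1 << 3, /* file starts with "#!": Linux ignores setuid on it */
    SETUID_EFFECTIVE = 1 << 4  /* setuid will actually change the uid for some non-owner */
};

/* Inspect one file and work out whether its setuid bit can ever matter.
 * Returns -1 if the path is not a regular file, else the bitmask above. */
int classify_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;

    int flags = 0;
    if (st.st_mode & S_ISUID) flags |= SETUID_BIT_SET;
    if (st.st_mode & S_IXGRP) flags |= EXEC_BY_GROUP;
    if (st.st_mode & S_IXOTH) flags |= EXEC_BY_OTHERS;

    /* An interpreter script begins with "#!"; the kernel then runs the
     * interpreter with the caller's uid and the script's setuid bit is ignored. */
    char magic[2] = {0, 0};
    int fd = open(path, O_RDONLY);
    if (fd >= 0) {
        ssize_t n = read(fd, magic, sizeof magic);
        close(fd);
        if (n == 2 && magic[0] == '#' && magic[1] == '!')
            flags |= IS_SCRIPT;
    }

    /* setuid only changes anything when a non-owner can execute a native binary.
     * Mode 4700 on a script, as in the question, satisfies neither condition. */
    if ((flags & SETUID_BIT_SET) && !(flags & IS_SCRIPT) &&
        (flags & (EXEC_BY_GROUP | EXEC_BY_OTHERS)))
        flags |= SETUID_EFFECTIVE;
    return flags;
}

/* Constructed sample for experimenting: write `content` to a fresh temp file
 * with the given mode and store its path in `path_out`. Returns 0 on success. */
int make_sample(const char *content, mode_t mode, char *path_out, size_t out_len)
{
    const char tmpl[] = "/tmp/suidcheck-XXXXXX";
    if (out_len < sizeof tmpl) return -1;
    memcpy(path_out, tmpl, sizeof tmpl);
    int fd = mkstemp(path_out);
    if (fd < 0) return -1;
    size_t len = strlen(content);
    int ok = (write(fd, content, len) == (ssize_t)len) && fchmod(fd, mode) == 0;
    close(fd);
    return ok ? 0 : -1;
}

int main(int argc, char *argv[])
{
    if (argc != 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    int f = classify_setuid(argv[1]);
    if (f < 0) { perror(argv[1]); return 1; }
    printf("%s: setuid=%s script=%s group-exec=%s other-exec=%s -> %s\n", argv[1],
           f & SETUID_BIT_SET ? "yes" : "no", f & IS_SCRIPT ? "yes" : "no",
           f & EXEC_BY_GROUP ? "yes" : "no", f & EXEC_BY_OTHERS ? "yes" : "no",
           f & SETUID_EFFECTIVE ? "setuid takes effect" : "setuid bit is inert");
    return 0;
}
```

Run it against lsscript.sh after `chmod 4700` and it reports the bit as inert for two independent reasons: nobody but the owner may execute it, and it is a `#!` script. After `chmod 4755` only the second reason remains. The same check is useful the other way round when auditing a box: a setuid bit on a `#!` file is clutter, while one on a root-owned native binary that others can execute is exactly the kind of file that deserves a second look.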

Ankit yadav 06-27-2017 07:02 AM

Quote:

Originally Posted by scasey (Post 5727678)
The 4700 says only the owner can run the script. The 00 for group and others is what gave "permission denied." To try what you want you'd have to set permission to 4750 (if the other user is in the same group) or 4755 so any other user can run the script. Note in both cases, you wouldn't be allowing others to change the script, only read and execute it.

That said, pan64 may be right about when to use setuid. Personally, I have only used it on directories to force the files within them to be owned by the user (or group), and not on scripts or binaries.

That's the point: group and others don't have access to run the script, so I tried setuid, as it is said it will run as if it had been run by the owner, and the owner has permission to run it.
And if I give 755 permission to the script, then why would I need to set setuid on it? It already has access to run the script.

pan64 06-27-2017 07:06 AM

Quote:

Originally Posted by Ankit yadav (Post 5727754)
And if I give 755 permission to the script, then why would I need to set setuid on it? It already has access to run the script.

You give setuid to run the app (act) as another user.

Laserbeak 06-28-2017 08:31 AM

This is a very simple example of how you make a setuid script; you'd probably want to add to it so you can pass parameters, etc.:

Save this, substituting /path/to/myscript.pl with whatever script you want to run as root:

Code:

//
//  main.c
//  suidscript
//

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, const char * argv[]) {
    (void)argc; (void)argv;   /* the caller's arguments are not passed on */

    /* execv() needs a NULL-terminated argument array; argv[0] is the script path by convention */
    char *const script_argv[] = { "/path/to/myscript.pl", NULL };

    /* Become root. This only succeeds when the binary is setuid-root;
       if it fails we must not go on and run the script unprivileged. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }

    /* execv() replaces this process and only returns on failure */
    execv(script_argv[0], script_argv);
    perror("execv");
    return 1;
}

Compile, then as root: chown root, then chmod 4755.

Then it will run that script as root.
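A wrapper like the one above works, but because it runs as root on behalf of whoever calls it, a practitioner would want a few checks around it. The following is an added example, not code from the thread or from Laserbeak: a hardened version of the same idea. `/path/to/myscript.pl` is a placeholder exactly as in the post; the function names, the fixed environment and the ownership checks are this example's own choices. It refuses to run a target that is not root-owned or is group/world-writable (otherwise anyone who can edit the script gets root), sets the gid as well as the uid and verifies both, ignores the caller's arguments, and hands the script a fixed environment instead of the caller's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The only thing this wrapper will ever run: a fixed absolute path, never argv.
 * Placeholder path, as in the post above. */
#define TARGET "/path/to/myscript.pl"

/* A minimal, fixed environment. Inheriting the caller's environment would let
 * them hand the root-owned script things like PATH, IFS, PERL5LIB or LD_PRELOAD. */
static char *const clean_env[] = {
    "PATH=/usr/sbin:/usr/bin:/sbin:/bin",
    "IFS= \t\n",
    NULL
};

char *const *fixed_environment(void) { return clean_env; }

/* Refuse to run a target that someone other than root could have edited. */
int target_is_safe(const char *path)
{
    struct stat st;
    if (path[0] != '/') return 0;                      /* must be absolute */
    if (stat(path, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;                /* regular file only */
    if (st.st_uid != 0) return 0;                      /* root-owned only */
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;    /* not group/world-writable */
    if (!(st.st_mode & S_IXUSR)) return 0;             /* executable by root */
    return 1;
}

/* Become root for real: gid first (setuid(0) alone leaves the caller's gid),
 * then uid, then verify. On a binary that is not setuid-root these calls fail
 * and we must stop rather than run the target unprivileged. */
int elevate_to_root(void)
{
    if (setgid(0) != 0 || setuid(0) != 0) return -1;
    if (getuid() != 0 || geteuid() != 0 || getgid() != 0) return -1;
    return 0;
}

int main(int argc, char *argv[])
{
    (void)argc; (void)argv;   /* the caller's arguments are deliberately ignored */

    if (!target_is_safe(TARGET)) {
        fprintf(stderr, "refusing to run %s: not a root-owned, non-writable regular file\n", TARGET);
        return 1;
    }
    if (elevate_to_root() != 0) {
        perror("cannot become root (was the wrapper chown root and chmod 4755?)");
        return 1;
    }

    /* execve() replaces this process; it only returns on failure */
    char *const target_argv[] = { TARGET, NULL };
    execve(TARGET, target_argv, fixed_environment());
    perror("execve");
    return 1;
}
```

Build and install it the same way as the original (compile, `chown root`, `chmod 4755`). The ownership and write-permission check is the part that matters most in practice: a setuid-root wrapper pointed at a script that its caller can modify is equivalent to giving that caller a root shell, so the wrapper should not start unless the script is root-owned and writable by root only.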
