LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   SUID more explanation needed (https://www.linuxquestions.org/questions/linux-newbie-8/suid-more-explanation-needed-4175660556/)

makupl 09-08-2019 04:32 PM

SUID more explanation needed
 
I'm trying to understand SUID functionality.

So what I try is to create script.sh which modifies, let's say, file a.txt.
The script.sh is owned by a specific user, let's say test1, and group test1. Also file a.txt has the same user and group. Now I do not allow other users to write to file a.txt; however, I set rws------ on script.sh (SUID is set).
File a.txt has permissions rwxr--r--. Now when I execute script.sh as user test2 I get a permission error on a.txt.
I understood execution of script.sh is fired from user test2, but as if it was run by user test1, who actually has write permissions to the a.txt file.
I must be understanding it wrongly. I understood user test2 can't modify the a.txt file directly, but using script.sh may change it accordingly if script.sh requires it.

scasey 09-08-2019 05:00 PM

Quote:

Originally Posted by makupl (Post 6034646)
I'm trying to understand SUID functionality.

So what I try is to create script.sh which modifies, let's say, file a.txt.
The script.sh is owned by a specific user, let's say test1, and group test1. Also file a.txt has the same user and group. Now I do not allow other users to write to file a.txt; however, I set rws------ on script.sh (SUID is set).
File a.txt has permissions rwxr--r--. Now when I execute script.sh as user test2 I get a permission error on a.txt.
I understood execution of script.sh is fired from user test2, but as if it was run by user test1, who actually has write permissions to the a.txt file.
I must be understanding it wrongly. I understood user test2 can't modify the a.txt file directly, but using script.sh may change it accordingly if script.sh requires it.

Are you sure the permission error is on a.txt and not on the script itself?
Best would be for you to post the actual command run and the result you got, in code tags. Also the actual result of the ls -l command on the script and the text file.

If
Code:

-rws------ test1 test1 Sep  7 10:10 script.sh
Then user test2 can't read the file to execute it. It probably needs to be
Code:

-rwsr--r-- test1 test1 Sep  7 10:10 script.sh
## or maybe...I'm fuzzy about this
-rwsr-xr-x test1 test1 Sep  7 10:10 script.sh

As I understand it, SUID is used to grant the permissions of user test1 to the script when executed by some other user. It does not grant access to the script. That must still be given in the normal way.

berndbausch 09-08-2019 07:26 PM

SUID doesn't work with scripts. A discussion of the problem with possible solutions or alternatives is at https://unix.stackexchange.com/quest...-shell-scripts.

rtmistler 09-08-2019 07:53 PM

Perhaps a more correct thing to allow other users to access a script and support files would be to make them 755 permissions and place them in /usr/bin, /usr/sbin, /usr/local/bin, or /usr/local/sbin.

Firerat 09-08-2019 08:34 PM

suid means it is executed as the owner of the file and not as the user who executes it.

If the user can't execute it.. well

ehartman 09-09-2019 12:52 AM

Quote:

Originally Posted by makupl (Post 6034646)
Now I do not allow other users to write to file a.txt; however, I set rws------ on script.sh (SUID is set).

Which means the shell that executes script.sh has the rights that ITS userID (user1) has. This suid right is NOT inherited by its children, like the (child) program that works on a.txt (you didn't say, but I assume it is an editor).
So only internal (built-in) commands of the shell run as user1.
That's why suid for a script mostly isn't all that useful; the applications that do the actual work have to be suid too (or run through sudo, but then you don't need the suid at all).
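
The two points raised above by scasey (the script still has to be readable and executable by the other user) and by berndbausch (Linux ignores SUID on scripts) can be checked with a small audit helper. The following is an added example, not code posted in this thread; it assumes GNU stat and classifies any SUID file as an ineffective script, an unreachable binary, or a real SUID binary, and can walk a whole tree the way an admin would when reviewing SUID files.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a file's SUID bit can
# actually take effect. Linux ignores SUID on interpreted scripts (files that
# start with "#!"), and a SUID file that others cannot read and execute is of
# no use to them anyway. Assumes GNU coreutils stat (-c '%a').

# Prints one of: no-suid, suid-script-ignored, suid-unreachable, suid-binary
classify_suid() {
    f=$1
    mode=$(stat -c '%a' "$f") || return 1      # e.g. 700, 4700, 4755
    # stat prints a 4-digit mode only when a special bit is set;
    # the leading digit includes 4 when SUID is set
    case "$mode" in
        4???|5???|6???|7???) suid=1 ;;
        *) suid=0 ;;
    esac
    if [ "$suid" -eq 0 ]; then
        echo no-suid
        return 0
    fi
    # A shebang means the kernel runs the interpreter instead, without SUID
    if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
        echo suid-script-ignored
        return 0
    fi
    # "others" digit (last one) must include read (4) and execute (1),
    # i.e. be 5 or 7, for another user to run the binary at all
    other=${mode#"${mode%?}"}
    case "$other" in
        5|7) echo suid-binary ;;
        *)   echo suid-unreachable ;;
    esac
}

# Walk a directory tree and classify every SUID file found in it
audit_suid_tree() {
    find "$1" -type f -perm -4000 2>/dev/null | while read -r f; do
        printf '%s %s\n' "$(classify_suid "$f")" "$f"
    done
}
```

Run `audit_suid_tree /usr/local/bin` (or any directory) to list SUID files with their classification.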

makupl 09-09-2019 01:25 PM

Quote:

Originally Posted by ehartman (Post 6034734)
Which means the shell that executes script.sh has the rights that ITS userID (user1) has. This suid right is NOT inherited by its children, like the (child) program that works on a.txt (you didn't say, but I assume it is an editor).
So only internal (built-in) commands of the shell run as user1.
That's why suid for a script mostly isn't all that useful; the applications that do the actual work have to be suid too (or run through sudo, but then you don't need the suid at all).

Thank you (and others). It answers my question.
M.
