On Mon, Jun 21 at 06:01PM -0700, Sean O'Dell wrote:
> On Monday 21 June 2004 09:23, Will Trillich wrote:
> > TASK: allow USER1 to run a program AS USER2.
> > SOLUTION: setuid bit (in theory, right?)
> > PROBLEM: theory not matching execution...
>
> Sounds obvious, but make sure user www-data is in the list of
> users in the /etc/group file for group www-data. Setting it
> only as the group of the user in /etc/passwd might not be good
> enough.

it's usually the overlooked obvious stuff that gets me. from my
original epistle:

<snip>
    # groups www-data
    www-data : www-data

so it's definitely runnable by apache (being user www-data),
which should execute this SUID as cyrus. right?

let's make sure the program does what we're expecting, as user
cyrus:
</snip>

and just for spite --

    $ grep www-data /etc/group
    www-data:x:33:will

whoa! group www-data doesn't list user www-data, but it shows up
via command "groups"? whassup with that? just to be certain, i
added it anyhow:

    $ grep www-data /etc/group
    www-data:x:33:will,www-data

but it STILL will not run the setuid program properly:

    # su www-data
    sh-2.05b$ ./chgsaslpasswd -p cyrus
    __ ./chgsaslpasswd: setuid(103): YAY!passwordHere
    chgsaslpasswd: generic failure
    sh-2.05b$ exit
    #

even tho file status is

    -r-sr-x--- 1 cyrus www-data

(runnable by-and-as user cyrus and runnable by anyone in group
www-data, including me and apache, in theory setuid-ing to user
cyrus... NOT)

incidental/tangential question: if the SUID bit in the
executable file permissions isn't doing the trick, is there any
reason to try "setuid()" in the C code itself? i tried it
without the function call, and there appeared to be no
difference (i think)...

--
I use Debian/GNU Linux version 3.0;
Linux boss 2.4.18-bf2.4 #1 Son Apr 14 09:53:28 CEST 2002 i586 unknown

DEBIAN NEWBIE TIP #54 from Will Trillich <[EMAIL PROTECTED]> :
Tired of SLOW BROWSING THROUGH THE ONLINE APACHE MANUAL? Get
your own local copy and never worry about bandwidth again:
    apt-get install apache-doc
Then browse /usr/share/doc/apache/manual.html, quick like a bunny.

Also see http://newbieDoc.sourceForge.net/ ...
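
An added example, not code from this thread: a small C model of the two checks discussed above, namely which permission class applies to the caller for a file like "-r-sr-x--- cyrus www-data", and which real and effective UIDs the process has after exec. The struct and function names are hypothetical; uid 33 for www-data and uid 103 for cyrus are assumptions (the thread shows only gid 33 and the setuid(103) output), and root bypass, ACLs and nosuid mounts are not modelled.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Caller identity before exec (constructed inputs, not read from the system). */
struct caller {
    uid_t ruid, euid;
    gid_t egid;          /* primary group: the GID field in /etc/passwd */
    const gid_t *supp;   /* supplementary groups: member lists in /etc/group */
    int nsupp;
};

/* 1 if gid is the caller's primary group or one of its supplementary groups. */
static int in_group(const struct caller *c, gid_t gid) {
    if (c->egid == gid) return 1;
    for (int i = 0; i < c->nsupp; i++)
        if (c->supp[i] == gid) return 1;
    return 0;
}

/* Classic Unix check: exactly one class applies (owner, else group, else
 * other), so an owner without the x bit is denied even if the group has it. */
static int may_exec(const struct caller *c, mode_t mode, uid_t fuid, gid_t fgid) {
    if (c->euid == fuid) return (mode & S_IXUSR) != 0;
    if (in_group(c, fgid)) return (mode & S_IXGRP) != 0;
    return (mode & S_IXOTH) != 0;
}

/* IDs after exec: S_ISUID sets the effective UID to the file owner; the
 * real UID is left unchanged. Returns 0 if exec is denied, 1 otherwise. */
static int exec_ids(const struct caller *c, mode_t mode, uid_t fuid, gid_t fgid,
                    uid_t *ruid_out, uid_t *euid_out) {
    if (!may_exec(c, mode, fuid, fgid)) return 0;
    *ruid_out = c->ruid;
    *euid_out = (mode & S_ISUID) ? fuid : c->euid;
    return 1;
}

int main(void) {
    /* Assumed values: www-data uid/gid 33 with no supplementary groups,
     * cyrus uid 103, file mode 04550 (-r-sr-x---) owned by cyrus:www-data. */
    struct caller www = { 33, 33, 33, NULL, 0 };
    uid_t r, e;
    if (exec_ids(&www, 04550, 103, 33, &r, &e))
        printf("exec ok: ruid=%u euid=%u\n", (unsigned)r, (unsigned)e);
    return 0;
}
```

In this model the primary group alone grants group-class access, and the process runs with ruid 33 and euid 103. A setuid(103) call made at that point by a non-root process only sets the effective UID again, which it already holds.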