On Tue, Feb 18, 2003 at 08:59:55AM +0000, Dave Selby wrote:
> I have a query about chmod. pon is turned on by root, I want it to be turned
> off by any user. I have looked at several options, sudo, downgrading
> permissions for kill, gulp, etc etc but decided that for my setup using chmod
> and setting the user ID for poff would be the best.
>
> test@debian:~$ su
> Password:
> debian:/home/test# chmod 4755 /usr/bin/poff
> debian:/home/test# ls -al /usr/bin/poff
> -rwsr-xr-x 1 root root 2772 Dec 10 2001 /usr/bin/poff
> debian:/home/test#
> debian:/home/test# pon
> debian:/home/test#
> debian:/home/test# exit
> exit
> test@debian:~$
> test@debian:~$ poff
> /usr/bin/poff: /bin/kill failed. None stopped.
> test@debian:~$
> test@debian:~$ which poff
> /usr/bin/poff
> test@debian:~$
>
> mmm, my ls-al seems to tell me suid has been set, as I understand it the
> process generated by calling poff from user test should now be run as root.
> As root it should kill the link started by pon.
>
> It fails when poff executes /bin/kill. Any idea why ?

poff is a shell script. setuid scripts are massive security holes, so the
kernel refuses to honour the set{g,u}id bit on them.

> Does SUID only apply to the called process and not any secondary processes ?

The elevated permissions would be passed along, except that, as I said above,
the kernel isn't letting the script even start with setuid. My suggestion
would be to use sudo for this, since it lets you have very tightly controlled
permissions.

-- 
Rob Weir <[EMAIL PROTECTED]> http://ertius.org/
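
Following on from the reply above, an added example (not part of the original thread) that lists files carrying a setuid or setgid bit that are really interpreter scripts, which is the case where Linux ignores the bit at exec time. The function names and the directories in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: find files that have a set-ID bit but are "#!" scripts,
# so the bit is not honoured when they are executed on Linux.

# Return 0 if FILE is a regular file with setuid or setgid set
# and its first two bytes are "#!".
is_setid_script() {
    f=$1
    [ -f "$f" ] || return 1
    { [ -u "$f" ] || [ -g "$f" ]; } || return 1
    # The kernel treats a file as a script when it starts with "#!".
    # tr strips NUL bytes so binary files do not trigger shell warnings.
    magic=$(head -c 2 "$f" 2>/dev/null | tr -d '\0')
    [ "$magic" = '#!' ]
}

# Print every set-ID script found under the given directories.
audit_setid_scripts() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r path; do
        if is_setid_script "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Example run (directories are assumptions, adjust to the system):
# audit_setid_scripts /usr/bin /usr/sbin /bin /sbin
```

Any path this prints is a candidate for the approach suggested in the reply: clear the bit and grant the specific command through sudo instead.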