On Friday 21 February 2003 7:33 am, Rob Weir wrote:
> On Tue, Feb 18, 2003 at 08:59:55AM +0000, Dave Selby wrote:
> > I have a query about chmod. pon is turned on by root, I want it to be
> > turned off by any user. I have looked at several options, sudo,
> > downgrading permissions for kill, gulp, etc etc but decided that for my
> > setup using chmod and setting the user ID for poff would be the best.
> >
> > [EMAIL PROTECTED]:~$ su
> > Password:
> > debian:/home/test# chmod 4755 /usr/bin/poff
> > debian:/home/test# ls -al /usr/bin/poff
> > -rwsr-xr-x 1 root root 2772 Dec 10 2001 /usr/bin/poff
> > debian:/home/test#
> > debian:/home/test# pon
> > debian:/home/test#
> > debian:/home/test# exit
> > exit
> > [EMAIL PROTECTED]:~$
> > [EMAIL PROTECTED]:~$ poff
> > /usr/bin/poff: /bin/kill failed. None stopped.
> > [EMAIL PROTECTED]:~$
> > [EMAIL PROTECTED]:~$ which poff
> > /usr/bin/poff
> > [EMAIL PROTECTED]:~$
> >
> > mmm, my ls-al seems to tell me suid has been set, as I understand it the
> > process generated by calling poff from user test should now be run as
> > root. As root it should kill the link started by pon.
> >
> > It fails when poff executes /bin/kill. Any idea why ?
>
> poff is a shell script. setuid scripts are massive security holes, so
> the kernel refuses to honour the set{g,u}id bit on them.
>
> > Does SUID only apply to the called process and not any secondary
> > processes ?
>
> The elevated permissions would be passed along, except that, as I said
> above, the kernel isn't letting the script even start with setuid. My
> suggestion would be to use sudo for this, since it lets you have very
> tightly controlled permissions.

Ah ha that makes sense. I guess a bit of information is a dangerous thing ... seemed simple !

Many thanks for the info, I really appreciate it

dave
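
The situation in this thread can be audited across a whole directory. The following is an added example, not part of the original messages: it lists set-uid or set-gid regular files that are `#!` scripts, where Linux ignores the bit. The function names and the scratch files created by `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: list set-uid/set-gid regular files that are "#!" scripts.
# Linux ignores the set-id bits when it execs such a file, so every hit is a
# permission bit that has no effect and should be removed.

# is_script FILE: true when FILE starts with the two bytes "#!" (0x23 0x21).
is_script() {
    [ "$(head -c 2 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "2321" ]
}

# find_setid_scripts DIR: print "MODE PATH INTERPRETER-LINE" for each hit.
find_setid_scripts() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        is_script "$f" || continue
        mode=$(ls -ld "$f" | awk '{print $1}')
        printf '%s %s %s\n' "$mode" "$f" "$(head -n 1 "$f")"
    done
}

# demo: run the check on constructed files in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\nkill "$1"\n' > "$d/poff-like"   # script, set-uid
    printf '#!/bin/sh\necho hi\n'   > "$d/plain"       # script, no set-id bit
    printf '\177ELF'                > "$d/binary"      # not a script, set-uid
    chmod 4755 "$d/poff-like" "$d/binary"
    chmod 0755 "$d/plain"
    find_setid_scripts "$d"
    rm -rf "$d"
}

# Stand-alone use: pass a directory to scan, e.g. /usr/bin.
if [ "$#" -gt 0 ]; then
    find_setid_scripts "$1"
fi
```

For each hit, clear the bit with `chmod u-s,g-s` and grant the command through sudo instead, as suggested in the thread.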