This is a discussion on suid bit on script within the Linux General forums, part of the Linux Forums category.

Hello,
I don't understand why my process runs as mgirod (both effective and real user) despite my script having suid (and gid) set:

$ /tmp/svnsync.sh
uid=3695(mgirod) gid=20(iona) groups=20(iona)
mgirod
$ ll /tmp/svnsync.sh
-rwsrwsr-x 1 vobadm iona 106 Aug 24 12:26 /tmp/svnsync.sh
$ cat /tmp/svnsync.sh
#!/bin/sh
id
id -run
$

Can anybody tell me what I am doing wrong?

Thanks,
Marc

On Fri, 24 Aug 2007 12:21:26 -0000, Marc Girod <marc.girod@gmail.com> wrote:
>
> Hello,
>
> I don't understand why my process runs as mgirod (both effective and
> real user) despite my script having suid (and gid) set:
>
For security reasons the suid bit is ignored on scripts.

--
That secret you've been guarding, isn't.

> For security reasons the suid bit is ignored on scripts.

Thanks. Indeed, it works on binaries...

svnroot> cd /tmp
tmp> cp /usr/bin/id .
tmp> sudo chown vobadm id
tmp> sudo chmod u+s id
tmp> ll id
-rwsr-xr-x 1 vobadm iona 19628 Aug 24 15:29 id
tmp> ./id
uid=3695(mgirod) gid=20(iona) euid=118(vobadm) groups=20(iona)
tmp> ./id -run
mgirod
tmp> ./id -un
vobadm
tmp> sudo -u vobadm ./id
uid=118(vobadm) gid=20(iona) groups=20(iona),121(pd-orbix)

So: write a C wrapper...
Any way to change the 'real uid'?

I am actually trying to follow the instructions in the subversion documentation, and writing a post-commit hook to run svnsync in order to synchronize a repository mirror.
I only noticed the post-commit hook is run as the user, which is fine for sending mail, but more questionable for running svnsync.
I thus thought of using a suid svnsync, but found that it didn't work, and still reported an access error. I misinterpreted it as a global suid failure, based on my attempt with my script.
Now I understand that svnsync must look at its 'real uid' since the effective one is indeed correct...

Marc

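The C wrapper idea from the post above, as an added example that is not part of the thread or of Subversion: it sets the real uid and gid to the effective ones, then runs one fixed script with a fixed environment and no caller-supplied arguments. The `TARGET` path is a hypothetical placeholder, and the wrapper is assumed to be installed owned by the mirror account with `chmod u+s`, as was done with `id` above.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed location of the hook script (placeholder). It must not live in
 * /tmp or any other directory the invoking user can write to. */
#define TARGET "/usr/local/libexec/svnsync-mirror.sh"

/* Refuse a target that anyone but its owner can modify, or that is owned
 * by neither root nor the wrapper's effective user. */
int target_is_safe(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return st.st_uid == 0 || st.st_uid == geteuid();
}

/* Make the real (and saved) ids equal to the effective ones, so that a
 * child checking its real uid sees the file owner. Group first, then
 * user. Supplementary groups remain those of the caller. */
int become_effective_user(void)
{
    if (setregid(getegid(), getegid()) != 0)
        return -1;
    if (setreuid(geteuid(), geteuid()) != 0)
        return -1;
    return (getuid() == geteuid() && getgid() == getegid()) ? 0 : -1;
}

int main(void)
{
    /* Fixed environment: nothing from the caller (PATH, IFS, LD_*) survives. */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    /* Fixed argv: the caller's arguments are deliberately not forwarded. */
    char *const argv[] = { "/bin/sh", TARGET, NULL };

    if (!target_is_safe(TARGET) || become_effective_user() != 0) {
        fprintf(stderr, "wrapper: refusing to run %s\n", TARGET);
        return 1;
    }
    execve("/bin/sh", argv, envp);
    perror("execve");
    return 127;
}
```

Because supplementary groups are not changed, the child keeps the caller's group list, which matches the difference between `./id` and `sudo -u vobadm ./id` in the output above.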
Bill Marcum wrote:
> On Fri, 24 Aug 2007 12:21:26 -0000, Marc Girod
> <marc.girod@gmail.com> wrote:
>>
>> Hello,
>>
>> I don't understand why my process runs as mgirod (both effective and
>> real user) despite my script having suid (and gid) set:
>>
> For security reasons the suid bit is ignored on scripts.

...so just make /bin/sh suid instead :-)

Simon

PS Don't do that.