Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
>
> No, php script *RUN* by root -> full system access
>
> php script run by www-data -> access to what www-data has access to.
>
> Owner/Group/Other permissions only affect who has access to the
> file/folder, not the kind of access the file (process) itself has when
> run. Two very different concepts.
>
> The exceptions being the setuid and setgid bits, as mentioned by others.
> Those set the user ID/group ID of the process, regardless of who runs
> it. Regular users *can* set those bits, but *can't* chown anything to
> root. They also can't change permissions (including the setuid/setgid
> bits) unless they're the owner, even if they're in the group and the
> file has 777 permissions.
>
> paul@Serenity:~$ ls -alh PermTest-*
> -rw-r--r-- 1 paul paul 0 Dec 24 03:32 PermTest-1.sh
> -rwxrwxrwx 1 root paul 0 Dec 24 03:32 PermTest-2.sh
> paul@Serenity:~$ chmod 4644 PermTest-1.sh
> paul@Serenity:~$ chmod 4644 PermTest-2.sh
> chmod: changing permissions of ‘PermTest-2.sh’: Operation not permitted
> paul@Serenity:~$ ls -alh PermTest-*
> -rwSr--r-- 1 paul paul 0 Dec 24 03:32 PermTest-1.sh
> -rwxrwxrwx 1 root paul 0 Dec 24 03:32 PermTest-2.sh
>
>
> Executables run with the permissions of the user running it, the file
> permissions on the executable limit/allow *who* may run it.
>
>
> - PaulNM
Hi Paul,
I do not intend to hijack this discussion but I think I have got the same
problem!
First, thank you for your explanation. I am following this discussion and I have
a similar problem. I made a script, which is calling an application
(/usr/bin/cpufreq-set) with additional tags.
But I cannot get this script running with root privileges, although I set the
setuid bit to root at my script and cpufreq-set is set to owner root:root.
As far as I understood your explanations:
When I start my script as a regular user, it will be started with root
privileges due to setuid root, but the called process (cpufreq-set) will then
be started with owner of the regular user and its rights? If so, is there a
way to let both start with root owner and permission by a regular user?
Thanks for any hints. And again, I do not want to hijack this discussion,
maybe you can just explain it with the case of the original questioner.
Thanks.
Hans
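
Added example, not part of the thread: a small audit helper that reads the same `ls -l` mode string shown in the quoted session and reports which files carry the setuid bit, and in what state. It relies on one fact the thread does not state, that Linux ignores the setuid bit on interpreted (`#!`) scripts; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# owner_slot MODESTRING -> meaning of the 4th character of an `ls -l` mode
# string, e.g. the "-rwSr--r--" shown for PermTest-1.sh in the quoted session.
owner_slot() {
    case $(printf '%s' "$1" | cut -c4) in
        S) echo "setuid-noexec" ;;   # setuid set, owner execute bit clear
        s) echo "setuid-exec" ;;     # setuid set, owner may execute
        *) echo "none" ;;            # 'x' or '-': no setuid bit
    esac
}

# classify_setuid FILE -> none | setuid-noexec | setuid-script | setuid-binary
classify_setuid() {
    state=$(owner_slot "$(LC_ALL=C ls -ld -- "$1")")
    if [ "$state" = "setuid-exec" ]; then
        # Linux ignores the setuid bit when the file is an interpreted
        # script, so a "#!" file with mode 4755 still runs as the caller.
        if [ "$(LC_ALL=C head -c 2 < "$1")" = '#!' ]; then
            state="setuid-script"
        else
            state="setuid-binary"
        fi
    fi
    echo "$state"
}

# audit_dir DIR -> "classification<TAB>owner<TAB>path" per setuid regular file
audit_dir() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r p; do
        owner=$(LC_ALL=C ls -ld -- "$p" | awk '{print $3}')
        printf '%s\t%s\t%s\n' "$(classify_setuid "$p")" "$owner" "$p"
    done
}

# Stand-alone use: pass a directory to audit (assumed invocation).
if [ $# -gt 0 ]; then audit_dir "$1"; fi
```

Entries reported as `setuid-binary` with owner root are the ones that actually run with root's effective UID; `setuid-script` and `setuid-noexec` entries carry the bit without that effect on Linux.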