Douglas Bates <bates@stat.wisc.edu> [2002-10-31 11:28:19 -0600]:
> We have their tar program installed under the wsbackup login. The
> program is owned by root.root and has setuid and setgid permissions.
>
> 505$ ls -la
> total 12
> drwxr-sr-x 2 wsbackup wsbackup 4096 Oct 30 11:02 .
> drwxr-sr-x 4 wsbackup wsbackup 4096 Oct 30 10:58 ..
> -rwsrwsr-x 1 root root 1889 Oct 30 11:02 sushiRunLinuxTar

That looks small for an executable. Is it a script perhaps?

> > It seems the script is being found, but has errors/doesn't
> > execute/something.
>
> Is there something else I should do to allow this program to run
> setuid root?

Never run scripts suid as it is a terrible security hole. It is not working for you since the kernel is now compiled to avoid doing this and therefore avoids the security problems. Instead do one of these two things.

Create a compiled program which cleans the environment of potential security problems. Run the program suid. That program calls your script. Easy to do. But you get to maintain it forever. Unless you are a C programmer I would go with solution two below.

Probably the best solution is to use 'sudo'. If this script needs to run as root then configure sudo with 'visudo' and add an entry like this. I would rename sushiRunLinuxTar to sushiRunLinuxTar.sh and create a new script that just calls sudo sushiRunLinuxTar.sh.

    ALL ALL=NOPASSWD: /full/path/to/sushiRunLinuxTar.sh

Then the sushiRunLinuxTar script can look like this.

    #!/bin/sh
    sudo /full/path/to/sushiRunLinuxTar.sh "$@"

Using sudo in this way does not avoid possible security problems that you might open in your script. You still need to avoid doing bad things yourself. But it is probably the best way to run a script as root.

Bob
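The first option in the reply above (a compiled setuid program that cleans the environment and then calls the script), sketched as an added example that is not part of the original message or anyone's production code. The fixed `PATH`, the `keep[]` allow-list, the rule refusing values that contain `/` or `%`, and the names `build_clean_env`, `SAFE_PATH` and `MAX_ENV` are assumptions; `SCRIPT` reuses the placeholder path from the message.

```c
/* Added example: setuid-root wrapper, one fixed script, scrubbed environment. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SCRIPT    "/full/path/to/sushiRunLinuxTar.sh"  /* placeholder path */
#define SAFE_PATH "PATH=/usr/sbin:/usr/bin:/sbin:/bin" /* assumed safe PATH */
#define MAX_ENV   8

/* Assumed allow-list; IFS, ENV, BASH_ENV, LD_*, caller's PATH are dropped. */
static const char *const keep[] = { "TERM=", "TZ=", "LANG=" };

/* Fill out[] with SAFE_PATH plus allow-listed variables; returns the count. */
size_t build_clean_env(char *const envp[], char *out[], size_t cap)
{
    size_t n = 0;
    if (cap < 2) return 0;
    out[n++] = (char *)SAFE_PATH;
    for (size_t i = 0; envp && envp[i] && n + 1 < cap; i++) {
        for (size_t k = 0; k < sizeof keep / sizeof keep[0]; k++) {
            size_t len = strlen(keep[k]);
            /* Values containing '/' or '%' are refused as well. */
            if (strncmp(envp[i], keep[k], len) == 0 &&
                strpbrk(envp[i] + len, "/%") == NULL) {
                out[n++] = envp[i];
                break;
            }
        }
    }
    out[n] = NULL;                      /* execve() needs the terminator */
    return n;
}

int main(int argc, char *argv[])
{
    extern char **environ;
    char *clean[MAX_ENV];
    if (argc < 1) return 1;             /* no argv[0] slot to overwrite */
    build_clean_env(environ, clean, MAX_ENV);
    /* Set real IDs too (group first): some shells drop privileges otherwise. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setgid/setuid");
        return 1;
    }
    argv[0] = (char *)SCRIPT;
    execve(SCRIPT, argv, clean);        /* fixed path, caller's arguments */
    perror("execve");
    return 127;
}
```

The wrapper only narrows what reaches the script. The script, and every directory on the way to it, must be writable by root alone, and it still has to treat its arguments as untrusted.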