On Tue, Feb 18, 2003 at 08:59:55AM +0000, Dave Selby wrote:
> I have a query about chmod. pon is turned on by root, I want it to be turned
> off by any user. I have looked at several options, sudo, downgrading
> permissions for kill, gulp, etc etc but decided that for my setup using chmod
> and setting the user ID for poff would be the best.
>
> test@debian:~$ su
> Password:
> debian:/home/test# chmod 4755 /usr/bin/poff
> debian:/home/test# ls -al /usr/bin/poff
> -rwsr-xr-x 1 root root 2772 Dec 10 2001 /usr/bin/poff
> debian:/home/test#
> debian:/home/test# pon
> debian:/home/test#
> debian:/home/test# exit
> exit
> test@debian:~$
> test@debian:~$ poff
> /usr/bin/poff: /bin/kill failed. None stopped.
> test@debian:~$
> test@debian:~$ which poff
> /usr/bin/poff
> test@debian:~$
>
> mmm, my ls -al seems to tell me suid has been set, as I understand it the
> process generated by calling poff from user test should now be run as root.
> As root it should kill the link started by pon.
>
> It fails when poff executes /bin/kill. Any idea why?

poff is a shell script. setuid scripts are massive security holes, so
the kernel refuses to honour the set{g,u}id bit on them.

> Does SUID only apply to the called process and not any secondary processes?

The elevated permissions would be passed along, except that, as I said
above, the kernel isn't letting the script even start with setuid. My
suggestion would be to use sudo for this, since it lets you have very
tightly controlled permissions.

--
Rob Weir <rweir@ertius.org> http://ertius.org/
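
An added example, not part of the original messages: a shell function that lists files carrying a setuid or setgid bit whose first two bytes are `#!`, that is, scripts like the `/usr/bin/poff` above on which, as the reply explains, the kernel does not honour the bit. The function name `find_setid_scripts` is hypothetical; files it reports are candidates for clearing the bit and granting access through a sudo rule instead.

```shell
#!/bin/sh
# Added example: audit a directory tree for set{u,g}id bits on interpreted
# scripts. The bit does not elevate such a script, so each hit is a
# misconfiguration to clean up (chmod u-s,g-s) and replace with sudo.
#
# Usage (after sourcing this file): find_setid_scripts /usr/bin

find_setid_scripts() {
    dir=$1
    # -perm -4000 matches setuid, -perm -2000 matches setgid (POSIX find).
    # -xdev keeps the walk on one filesystem. Paths are handed to the inner
    # shell as arguments, so names containing spaces are handled correctly.
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec sh -c '
        for f do
            # A script starts with the two bytes "#!"; ELF binaries do not.
            if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
                printf "%s\n" "$f"
            fi
        done
    ' sh {} +
}
```
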