
Re: [OT] change user when executing some script



Many thanks for your comment and piece of code ;)

In fact, I need my team to run a Ruby tool, but $RUBYLIB and the main
routine call are done in a setgid shell script. The script belongs to a
special user and group, myTeam:myTeam, and all the members of the team
have the ability to log in as the myTeam special user. Their main user,
nickname:nickname, is also a member of the myTeam group. I just want them
not to need to log in as the myTeam user to execute this script, but to
be able to run it from their main user as well (script file permissions
are 2754). Is there any threat in that case?

Thanks again.

Gal'

2007/6/14, Bob Proulx <bob@proulx.com>:
Galevsky wrote:
> When user3 will launch the script later, he will get the user1
> permissions thanks to the setgid flag on the script, and will be able

Setuid scripts are a security hole!  It is almost impossible to
prevent anyone from becoming the owner of the script in those cases.

Better would be to write a very small C program that does nothing but
launch the script and make the binary program setuid.  That avoids
most of the trouble.

Bob

#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>   /* putenv() */

int main(int argc, char **argv)
{
  (void)argc;
  /* Replace the most dangerous inherited variables with known values.
     FIXME: This list is still insufficient. */
  putenv("PATH=/usr/bin:/bin");
  putenv("IFS= \t\n");
  putenv("ENV=");
  /* Make the real uid match the effective (setuid) uid; refuse to go on
     if that fails rather than run the script half-privileged. */
  if (setuid(geteuid()) != 0) {
    perror("setuid");
    return 1;
  }
  /* Always a fixed absolute path, never argv[0] or a relative name. */
  execv("/path/to/MYSCRIPT", argv);
  fprintf(stderr, "Could not execute script /path/to/MYSCRIPT\n");
  perror("exec");
  return 1;
}
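Added example, not code from Bob's mail or from the Debian list: a setgid variant of the wrapper quoted above, for a shared team tool like the one Galevsky describes. Beyond the quoted program it hands a fixed environment to execve() instead of patching the inherited one, refuses to run a target that is not a regular file or that group or world could edit, and checks the return values of setgid()/setuid(). The tool path, the RUBYLIB value and the environment contents are assumptions. One fact worth knowing for the 2754 question: Linux ignores the setuid and setgid bits on interpreted scripts, so the mode bits on the script itself do not change the group the tool runs as; a compiled wrapper is what actually carries the setgid bit.

```c
/* Added example (not Bob's code): a minimal setgid wrapper for a shared
 * team tool.  TOOL_PATH, the RUBYLIB value and the environment contents
 * below are assumptions, not values from the thread. */
#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Absolute path of the script the wrapper launches (placeholder). */
#define TOOL_PATH "/opt/myTeam/bin/mytool"

/* The wrapper never reuses the caller's environment.  Everything the tool
 * needs is listed here explicitly, so LD_PRELOAD, IFS, ENV, BASH_ENV,
 * RUBYOPT and similar variables can never reach the privileged process. */
static const char *const wrapper_env[] = {
    "PATH=/usr/bin:/bin",
    "IFS= \t\n",
    "RUBYLIB=/opt/myTeam/lib/ruby",      /* assumed library path */
    NULL
};

const char *const *wrapper_environment(void)
{
    return wrapper_env;
}

/* Refuse to run a target that someone other than its owner could edit:
 * the script must be a regular file and not group- or world-writable. */
int script_is_trustworthy(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode))
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Make the real ids equal the effective (setgid/setuid) ones, so the
 * script cannot be switched back to the caller's ids, and check every
 * call: an unchecked setgid()/setuid() failure is a classic bug. */
int drop_to_effective_ids(void)
{
    if (setgid(getegid()) != 0)
        return -1;
    if (setuid(geteuid()) != 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    (void)argc;
    if (!script_is_trustworthy(TOOL_PATH)) {
        fprintf(stderr, "%s: refusing to run: not a regular file, or "
                        "writable by group/others\n", TOOL_PATH);
        return 1;
    }
    if (drop_to_effective_ids() != 0) {
        perror("setgid/setuid");
        return 1;
    }
    /* Fixed path plus fixed environment; argv[0] is replaced so the
     * script does not see a caller-controlled program name either. */
    argv[0] = (char *)TOOL_PATH;
    execve(TOOL_PATH, argv, (char *const *)wrapper_env);
    perror("execve " TOOL_PATH);
    return 1;
}
```

Installed owned by myTeam:myTeam with mode 2755, the wrapper gives a team member's main account the myTeam group only for the duration of the tool, with nobody logging in as myTeam; the script it launches can then stay 0754 (or 0750) without any setgid bit of its own.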

