Help with suid (bash)
Aside: even though this is not a Debian-specific question, I often use debian-
user as my first resource in asking Linux questions.
Background: 8 years ago I wrote a set of scripts to help me mount and unmount
LUKS encrypted partitions as needed and as myself (<myuserid>) rather than as
root.
Aside: This was (and still is) under Debian Wheezy -- I know I should upgrade.
I do have installations of Jessie and Buster on other computers and am getting
ready to install Bullseye on another machine which might replace the Wheezy
machine (if I can run TDE under Bullseye). Getting these scripts working as
intended (that is, using suid) is part of my effort to do that.
Problem: I tried to use suid to allow the scripts to be run by me, but with
the permissions of root, but I could not get that to work.
Aside: I do run those scripts with the aid of a (compiled) C helper program
that switches to root and then runs the appropriate script (setuid( 0 ) and
then system( "<bash_script_filename>" )).
The script to mount a partition looks like this (comments deleted, and some
things shown "generically" for privacy / security):
#!/bin/bash
/sbin/cryptsetup luksOpen /dev/sd<ann> <luks_device_name> &&
    /bin/mount /dev/mapper/<luks_device_name> <mount_point>
The ownership and permissions that I tried to use (I tried some variations,
and I have different permissions at the moment) were:
-rwsr-xr-x 1 root <groupid_that_includes_my_userid> 1412 Aug 31 2014 <bash_script_filename>
(I should remove the read and execute permission from all, but that is what I
had at that time.)
Why can't I run that successfully as myself (<my_userid>), and what could I do
to make it run?
When I invoke the script with those permissions, including suid, I get a
response like:
$ <bash_script_filename>
WARNING!!! Possibly insecure memory. Are you root?
Cannot open device /dev/sd<ann> for read-only access.
$
To clarify: when I run these scripts with the aid of the C helper program, the
scripts work as intended and I get no error messages.
Thanks for any input!