Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Restrict access to .ksh scripts
Top Forums Shell Programming and Scripting Restrict access to .ksh scripts Post 302592199 by methyl on Monday 23rd of January 2012 09:09:20 AM
Old 01-23-2012
@jlliagre
One place you can find reference to setuid and setgid being ignored is in "man ksh" in the section "Invoking ksh". Sounds like yours must be different.
There's a similar reference in Posix Shell manuals in the section "Shell Invocation".

More research has highlighted Solaris as a notable exception in the modern unix world. I'm pretty sure that suid scripts didn't work in SunOS 4.
It has been a problem to me in the distant past both when suid scripts did work and then when it suddenly stopped working!

Both "ksh" and the Posix Shell have a "-p" parameter. Indirectly the documentation for this switch explains the change of effective UID in your example.

With a bit of trial-and-error I managed to reproduce your test on HP-UX 11.1. The hint came from Sven Mascheck's site (below). On my tests it only works when there is a shebang line in the script.
With the original script owner as root and the permissions 4711 and while running as a non-priviliged user I used such a script to change a binary to permissions 6777 ! Scary.
Thankfully the passwd command doesn't work in a suid script (I already knew that). I've also checked that a non-privileged chown removes the suid bit.

This page from Sven Mascheck's excellent site has some decent lists and tables of O/S which allow suid scripts. The list omits a test result for HP-UX.
The #! magic, details about the shebang/hash-bang mechanism


This thread reinforces the old advice to not allow suid scripts and rubbishes the modern teaching and documentation that suid scripts don't work.
Last edited by methyl; 01-23-2012 at 10:14 AM..
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

restrict tcp-port access

Hi Is there any way to restrict the TCP-IP port usage. I want to restrict TCP-IP port 1500/1550 to the oracle osuser. Tanks in advance. Remi (2 Replies)
Discussion started by: remivisser
2 Replies

2. UNIX for Advanced & Expert Users

Apache restrict access with certificates

Hello! Does anyone know if it's possible to restrict access to apache webserver with certificates? What I want is that if a user has a certificate in his browser then he get's access, if not show error or another page. I would be very happy if someone knew! /D (2 Replies)
Discussion started by: Esaia
2 Replies

3. Red Hat

restrict access of a user to two directories only

Hi all, I am using RHEL 5.0 I need a user say test to have full access to two directories, say /tmp1 & /tmp2 only other than his home directory. I do not want to change his login shell which is ksh or bash by default. Moreover, he should not even have read access of other directories. ... (10 Replies)
Discussion started by: vikas027
10 Replies

4. UNIX for Advanced & Expert Users

Restrict access to specific users.

Hi All! I would like to know if there is any specific way by which I can restrict access to apecific users (ip addresses). OS : Red hat linux Thanks! nua7 (6 Replies)
Discussion started by: nua7
6 Replies

5. UNIX for Advanced & Expert Users

Restrict Access to the folder

Hi I have requirement to create 3 new users on my server but to restrict their access to a set of particular folders. /export/home/kapil/shared, /export/home/kapil/shared/Folder1 /export/home/kapil/shared/Folder2 These folders should be accessible to all the 3 users and to me too.... (1 Reply)
Discussion started by: kapilk
1 Replies

6. Solaris

Restrict access to solaris10 [SOLVED]

Hello, I have a solaris10 sparc running on a server and it is a Sun DS (LDAP) server as well as LDAP client. I have changed ssh server port to something other than 22 but is there any way to configure that only users abc, def, ghi from LDAP can login via ssh? SSH software on solaris10 is... (0 Replies)
Discussion started by: upengan78
0 Replies

7. UNIX for Dummies Questions & Answers

Restrict user access.

Hi All, How can we restrict a particular user access to a particular shell in solaris 10. Thanks in Advance. (5 Replies)
Discussion started by: rama krishna
5 Replies

8. Red Hat

Restrict user access

Hi there I have an application user on my system that wants accesses to these file systems as such: rwx: /SAPO /SAPS12 /R3_888 /R3_888B /R3_888F /R3_888R r: /usr/sap these are the existing FS permissions:ownerships: # ls -ld /SAPO (9 Replies)
Discussion started by: hedkandi
9 Replies

9. Ubuntu

Restrict SUDO Access

Linux ubuntu 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:56:25 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux Hi Folks, Please help me. I am bit struck here. Here is the OS info. Linux ubuntu 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:56:25 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux I have a... (17 Replies)
Discussion started by: explorer007
17 Replies

10. UNIX for Dummies Questions & Answers

Restrict access

I'm trying to use squid to restrict elinks' access to certain websites(only http traffic). I have tried some configs in squid.conf but no luck. Hope someone has a bit of time to explain me how can you make these config's :) ---------- Post updated at 05:40 PM ---------- Previous update was at... (1 Reply)
Discussion started by: Birnbacher
1 Replies

LEARN ABOUT OSF1

fs_setcell

FS_SETCELL(1)						       AFS Command Reference						     FS_SETCELL(1)

NAME

       fs_setcell - Configures permissions for setuid programs from specified cells

SYNOPSIS

       fs setcell -cell <cell name>+ [-suid] [-nosuid] [-help]

       fs setce -c <cell name>+ [-s] [-n] [-h]

DESCRIPTION

       The fs setcell command sets whether the Cache Manager allows programs (and other executable files) from each cell named by the -cell
       argument to run with setuid permission. By default, the Cache Manager allows programs from its home cell to run with setuid permission, but
       not programs from any foreign cells. A program belongs to the same cell as the file server machine that houses the volume in which the
       program's binary file resides, as specified in the file server machine's /etc/openafs/server/ThisCell file. The Cache Manager determines
       its own home cell by reading the /etc/openafs/ThisCell file at initialization.

       To enable programs from each specified cell to run with setuid permission, include the -suid flag. To prohibit programs from running with
       setuid permission, include the -nosuid flag, or omit both flags.

       The fs setcell command directly alters a cell's setuid status as recorded in kernel memory, so rebooting the machine is unnecessary.
       However, non-default settings do not persist across reboots of the machine unless the appropriate fs setcell command appears in the
       machine's AFS initialization file.

       To display a cell's setuid status, issue the fs getcellstatus command.

CAUTIONS

       AFS does not recognize effective UID: if a setuid program accesses AFS files and directories, it does so using the current AFS identity of
       the AFS user who initialized the program, not of the program's owner.  Only the local file system recognizes effective UID.

       Only members of the system:administrators group can turn on the setuid mode bit on an AFS file or directory.

       When the setuid mode bit is turned on, the UNIX "ls -l" command displays the third user mode bit as an "s" instead of an "x". However, the
       "s" does not appear on an AFS file or directory unless setuid permission is enabled for the cell in which the file resides.

OPTIONS

       -cell <cell name>+
	   Names each cell for which to set setuid status. Provide the fully qualified domain name, or a shortened form that disambiguates it from
	   the other cells listed in the local /etc/openafs/CellServDB file.

       -suid
	   Allows programs from each specified cell to run with setuid privilege. Provide it or the -nosuid flag, or omit both flags to disallow
	   programs from running with setuid privilege.

       -nosuid
	   Prevents programs from each specified cell from running with setuid privilege. Provide it or the -suid flag, or omit both flags to
	   disallow programs form running with setuid privilege.

       -help
	   Prints the online help for this command. All other valid options are ignored.

EXAMPLES

       The following command enables executable files from the State University cell to run with setuid privilege on the local machine:

	  % fs setcell -cell stateu.edu -suid

PRIVILEGE REQUIRED

       The issuer must be logged in as the local superuser root.

SEE ALSO

       fs_getcellstatus(1)

COPYRIGHT

       IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved.

       This documentation is covered by the IBM Public License Version 1.0.  It was converted from HTML to POD by software written by Chas
       Williams and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.

OpenAFS 							    2012-03-26							     FS_SETCELL(1)
All times are GMT -4. The time now is 04:55 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy