Allow user without dir write permission to execute a script that creates files
# 8  
Old 01-02-2014
Ensure that env.sh exports the defined variables!
(Otherwise they are just internal shell variables - not environment variables.)
Check with
Code:
env | grep -w LD_LIBRARY_PATH


Last edited by MadeInGermany; 01-02-2014 at 01:14 PM..
# 9  
Old 01-03-2014
Yes, env variables are being exported. That is why when I print LD_LIBRARY_PATH it has the right value. But I read online that the reason ldd cannot find the library file even though LD_LIBRARY_PATH has the path is because when a setuid binary is used, for security reasons Linux and most modern Unix systems ignore the LD_LIBRARY_PATH variable, because of the risk that some user could point LD_LIBRARY_PATH to some nefarious library file and use the C setuid binary to run some malicious code.
In my case

scriptwrapper.ksh contains
Code:
#!/usr/bin/ksh
setuidbinary script.ksh

script.ksh contains
Code:
#!/usr/bin/ksh
. <path>/setenv.ksh
sqlplus -s ......

Since the C setuidbinary is setuid to owner cdds, when user cddsoper tries to run scriptwrapper.ksh, even though LD_LIBRARY_PATH is exported with the right value by setenv.ksh, when the sqlplus ORACLE binary is run, the loader cannot find the .so libraries used by the Oracle sqlplus binary because those paths are defined in the LD_LIBRARY_PATH variable, which is disabled.

I even tried specifying the dynamic library path at compile time into the C binary setuidbinary using
Code:
gcc setuidbinary.c -Wl,-rpath=/app/oracle/lib -o setuidbinary

But even that does not work, because when I run setuidwrapper.ksh as the cddsoper user, I get the same "libsqlplus.so not found" error.

Does anybody know any other workaround for this that tells the linker to look exactly in /app/oracle/lib for libsqlplus.so when user cddsoper calls the setuid binary setuidbinary, even if it ignores LD_LIBRARY_PATH for security reasons?

Much appreciated.

thanks
# 10  
Old 01-03-2014
I would be concerned that someone will run:-
Code:
setuidbinary rm -r ~cdds

It is leaving a fairly big gap in security. The better way is to use sudo as advised by MadeInGermany.

It's not hard to manage and removes the risk of coding setuidbinary as a matter of course. Making things easy often means making it easy to make a mistake.




Robin
# 11  
Old 01-03-2014
sudoers is owned by root, that's an administrative obstacle here.
I have understood that LD_LIBRARY_PATH is set after the suid - and that should work!
Please test with the env command (not print/echo that works for internal variables, too)!
Further, your setuidbinary.c might need a
Code:
setuid(geteuid())
# 12  
Old 01-03-2014
Hello MadeInGermany,

As suggested by you I used env, and here is an interesting observation.
Inside testremove.ksh I added the following lines
Code:
#!/usr/bin/ksh
export LD_LIBRARY_PATH=/app/asset_control_shared/DEV1_acdev1_usl20028171/ac/lib
echo "LD_LIBRARY_PATH using echo====$LD_LIBRARY_PATH"
echo "Printing LD_LIBRARY_PATH value using env begins"
env|egrep '(HISTSIZE|LD_LIBRARY_PATH)'
echo "Printing LD_LIBRARY_PATH value using env end"
/app/asset_control_shared/DEV1_acdev1_usl20028171/ac/bin/waitdb.ORACLE

First I removed setuid on the invoke_shellscripts binary as below (owner acdev1)
Code:
-rwxr-x--x 1 acdev1 rdgac 8612 Jan  3 11:53 invoke_shellscripts
-rwxr-x--- 1 acdev1 rdgac  526 Jan  3 18:11 testremove.ksh


Then as another user, acdev2, I ran from the command line

Code:
./invoke_shellscripts ./testremove.ksh

I got the following output:
Code:
LD_LIBRARY_PATH using echo====/app/asset_control_shared/DEV1_acdev1_usl20028171/ac/lib
Printing LD_LIBRARY_PATH value using env begins
HISTSIZE=1000
LD_LIBRARY_PATH=/app/asset_control_shared/DEV1_acdev1_usl20028171/ac/lib
Printing LD_LIBRARY_PATH value using env end

Now I added the setuid bit to the invoke_shellscripts binary as follows
Code:
-rwsr-x--x 1 acdev1 rdgac 8612 Jan  3 11:53 invoke_shellscripts
-rwxr-x--- 1 acdev1 rdgac  526 Jan  3 18:11 testremove.ksh

Now I reran this from the command line
Code:
./invoke_shellscripts ./testremove.ksh

And this time I got the following output, suggesting that when the setuid bit is set, LD_LIBRARY_PATH is ignored. As you can see, echo correctly prints the value of LD_LIBRARY_PATH set in the first line of the script; however, env does not have it. It shows only HISTSIZE from the env|egrep command.

Code:
LD_LIBRARY_PATH using echo====/app/asset_control_shared/DEV1_acdev1_usl20028171/ac/lib
Printing LD_LIBRARY_PATH value using env begins
HISTSIZE=1000
Printing LD_LIBRARY_PATH value using env end

testremove.ksh is the one that will be calling the 3rd-party binary that uses the library libuidata.so located in /app/asset_control_shared/DEV1_acdev1_usl20028171/ac/lib. How do you think this problem can be fixed using setuid(geteuid())?



thanks

Last edited by bartus11; 01-03-2014 at 07:49 PM.. Reason: Use code tags, please!
# 13  
Old 01-04-2014
The setuid() in the C code might need root privilege..
In fact Google only finds setuid(0).
It must be an undocumented feature in ksh to drop the LD_LIBRARY_PATH environment variable if ruid != euid.
My only idea is a shebang
Code:
#!/bin/ksh -p

and hope it will change this behaviour.
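The experiment in post #12 and the setuid(geteuid()) suggestion in posts #11 and #13 fit together: the dynamic loader strips LD_LIBRARY_PATH from any program it starts in secure-execution mode (real uid/gid different from effective uid/gid, reported on Linux as AT_SECURE in the auxiliary vector). A child such as env or sqlplus inherits the unequal ids from the setuid wrapper, so it is started in that mode too, which is why env printed no LD_LIBRARY_PATH even though ksh had exported it. Making the real id equal to the effective id before exec removes the mismatch for the children. The wrapper below is an added example, not the thread's invoke_shellscripts or setuidbinary source: it assumes Linux with glibc, uses setresuid/setresgid (no privilege needed when the target is the current effective id, so no root is required), runs one hard-coded script (so a caller cannot pass `rm -r ~cdds` as in post #10) and hands that script a fixed environment instead of the caller's. SCRIPT and LIBDIR are placeholder paths.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/auxv.h>
#endif

/* Placeholders (assumed, not from the thread): the single script this wrapper
 * may run, and the directory holding the .so files its binaries need. */
#define SCRIPT "/app/PLACEHOLDER/bin/script.ksh"
#define LIBDIR "/app/PLACEHOLDER/lib"

/* Caller variables allowed through; everything else (IFS, LD_*, PATH, ...) is dropped. */
static const char *const keep_list[] = { "HOME", "LANG", "TZ", NULL };

/* 1 if the loader started this process in secure-execution mode. */
int secure_exec_mode(void) {
#ifdef AT_SECURE
    return getauxval(AT_SECURE) != 0;
#else
    return getuid() != geteuid() || getgid() != getegid();
#endif
}

/* Make real == effective == saved ids. Allowed without privilege because the
 * target is the current effective id, so a setuid-to-"cdds" wrapper can do it. */
int equalize_ids(void) {
    uid_t u = geteuid();
    gid_t g = getegid();
    if (setresgid(g, g, g) != 0) return -1;
    if (setresuid(u, u, u) != 0) return -1;
    return (getuid() == geteuid() && getgid() == getegid()) ? 0 : -1;
}

/* Does "NAME=value" have NAME on the allowlist? */
int keep_var(const char *entry) {
    for (int i = 0; keep_list[i]; i++) {
        size_t n = strlen(keep_list[i]);
        if (strncmp(entry, keep_list[i], n) == 0 && entry[n] == '=') return 1;
    }
    return 0;
}

/* Build the child's environment: allowlisted caller vars plus a fixed PATH and
 * LD_LIBRARY_PATH. Returns a malloc'd NULL-terminated array (caller frees). */
char **build_env(char *const envp[]) {
    size_t n = 0, k = 0;
    while (envp[n]) n++;
    char **out = calloc(n + 3, sizeof *out);
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++)
        if (keep_var(envp[i])) out[k++] = envp[i];
    out[k++] = "PATH=/usr/bin:/bin";
    out[k++] = "LD_LIBRARY_PATH=" LIBDIR;
    out[k] = NULL;
    return out;
}

/* Look up NAME in an environment array; returns its value or NULL. */
const char *env_lookup(char *const env[], const char *name) {
    size_t n = strlen(name);
    for (size_t i = 0; env[i]; i++)
        if (strncmp(env[i], name, n) == 0 && env[i][n] == '=') return env[i] + n + 1;
    return NULL;
}

int main(int argc, char *argv[], char *envp[]) {
    if (argc != 1) {               /* no caller-chosen command: fixed target only */
        fprintf(stderr, "usage: %s (takes no arguments)\n", argv[0]);
        return 2;
    }
    if (!secure_exec_mode())
        fprintf(stderr, "note: not started setuid, ids were already equal\n");
    if (equalize_ids() != 0) { perror("setresuid/setresgid"); return 1; }
    char **env = build_env(envp);
    if (!env) { perror("calloc"); return 1; }
    char *const args[] = { SCRIPT, NULL };
    execve(SCRIPT, args, env);     /* only returns on failure */
    perror("execve " SCRIPT);
    return 1;
}
```

Because the script now inherits equal real and effective ids, the LD_LIBRARY_PATH it exports (or the one the wrapper supplies) is honoured by the binaries it starts. The wrapper should stay executable only by the intended group, as the thread's `-rwsr-x--x` listing already does for owner and group.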
# 14  
Old 01-08-2014
Hi MadeInGermany,

The shebang with the -p option does not help either.
Linux just adamantly wants to ignore the LD_LIBRARY_PATH variable when the calling binary is setuid, regardless of how high up the call chain it is.
So I finally abandoned the setuid option and, as suggested by you earlier and by rbatte1, have decided to go with the SUDOERS option, which works fine.
There is no such LD_LIBRARY_PATH restriction in SUDOERS, which I am guessing is because SUDOERS limits access to a limited set of users that are added in the /etc/sudoers file for that script, whereas setuid gives access to that binary to anybody who has a login on that Unix box, and so they want to mitigate the risk.
If the users field is set to ALL in /etc/sudoers for a particular script or binary, then even SUDOERS poses a similar risk level as setuid.

thanks for your help.
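A sudoers rule matching the arrangement the thread settled on, added here as a constructed example rather than anything from the original posts: only cddsoper may run the one script as cdds, the trailing `""` forbids extra arguments, and the command-specific `env_reset` keeps the caller's environment out. Script path is a placeholder; the user and runas names come from the thread. Note that sudo does not pass the caller's LD_LIBRARY_PATH through in any case, so the script has to set it itself, as setenv.ksh already does.

```sudoers
# Constructed example: the script path is a placeholder.
Cmnd_Alias CDDS_SCRIPT = /app/PLACEHOLDER/bin/script.ksh ""

# Start the command from a clean environment; the script exports its own LD_LIBRARY_PATH.
Defaults!CDDS_SCRIPT env_reset

# Only this user, only this command, only as cdds (no password prompt for a batch caller).
cddsoper ALL = (cdds) NOPASSWD: CDDS_SCRIPT

# Weaker form the last post warns about: every login on the box could run it.
# ALL ALL = (cdds) NOPASSWD: CDDS_SCRIPT
```

The caller then invokes `sudo -u cdds /app/PLACEHOLDER/bin/script.ksh`; sudo starts it with real and effective ids both equal to cdds, so the loader is not in secure-execution mode and the path exported inside the script is honoured.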