UNIX for Dummies Questions & Answers

hi I have problem with understanding setuid and setgid

in system I have following users:

Code:

$id -a marek
uid=1001(marek) gid=1001(marek) groups=1001(marek),1002(uzivatelia)

$id -a cepi
uid=1000(cepi) gid=1000(cepi) groups=1000(cepi),4(adm),20(dialout),24(cdrom),46(plugdev),104(lpadmin),115(admin),120(sambashare),123(ftp),1002(uzivatelia)

$id -a tux
uid=1002(tux) gid=1003(tux) groups=1003(tux)

1st.

I have following simple script, for which I set up suid.

Code:

#!/bin/bash
if [ "$(id -u)" != "1001" ]; then
   echo "This script must be run as marek" 1>&2
   #exit 1
fi

ls -l /home/marek
echo $EUID

Code:

chmod u+s /tmp/setuid_script.sh 
$ ls -l /tmp/setuid_script.sh 
-rwSr-xr-x 1 marek marek 227 2010-03-19 20:58 /tmp/setuid_script.sh

Please consider following rights on /home/marek which is called in script
(chmod 700)

Code:

$ls -l /home/
total 16
drwxr-xr-x 60 cepi  cepi  4096 2010-03-19 22:32 cepi
drwx------  2 ftp   ftp   4096 2010-03-19 19:52 ftp
drwx------  2 marek marek 4096 2010-03-19 22:35 marek
drwxr-xr-x  2 tux   tux   4096 2010-03-19 23:00 tux

Now when I run script

as user tux

Code:

$ /tmp/setuid_script.sh 
This script must be run as root
ls: cannot open directory /home/marek: Permission denied
1002

as user cepi

Code:

/tmp/setuid_script.sh 
This script must be run as root
ls: cannot open directory /home/marek: Permission denied
1000

Why script is not running with marek's privileges and don't display contents of marek's home ?


2nd Why I am not possible to set guid for particular file ?

as marek

Code:

$chmod g+s /tmp/setuid_script.sh 
$ ls -l /tmp/setuid_script.sh 
-rw-r-xr-x 1 marek marek 227 2010-03-19 20:58 /tmp/setuid_script.sh

Thank you

You cannot elevate the permissions of a shell by changing the permissions on a shell script file. It is a rule.
Imagine if you are the owner of a file you can change the permissions to whatever you like. You cannot gain root privilege or another user's privilege just by changing the permissions on your file.

Maybe I am wrong understand you, but I am not trying to gain root (or somebody else) privileges by changing the permission on my file (for real I cant imagine how to do that).
What I am trying for is to set permission to my file that way, anybody who executes my file gain my privileges. I dont see any security problem here, cause I set up suid and I choose program (script) which will be suid. (if i make mistake it is my falut) (one thing that I am now thinking is that: If I set up suid for script and somebody edit the script it might be problem, but also I can give just x permissions and not rw so he could not be able to edit or view the script).
What do you mean by "Imagine if you are the owner of a file you can change the permissions to whatever you like" I cant imagine that situation.
And also "You cannot elevate the permissions of a shell by changing the permissions on a shell script file. It is a rule." script is running in own environment so if suid has script also commands in script (ls, cat, awk...) has suid. If I am wrong correct me.
Thank You

EDIT: if somebody from group edit file which had suid, then suid is gone. So now I realy do not see any security issue here.

Sorry, but it just does not work in unix. You cannot elevate the permissions of the shell program by changing the permissions of the shell script file. It is a fundamental rule of unix shell. Whatever you do, do not change the permissions of the shell program itself because you will compromise the security of your system ... or stop it working completely.

The only method I know (bar sudo of course) to achieve the effect you desire is to write programs in C language. Sorry, no more detail will be provided.
If you do write such programs please do confine the permissions to a group with strictly limited and controlled membership and definitely not "other" or "wheel" or whatever.

In case anybody asks, I will not publish the code to override unix permissions. There was a post on this board asking for this last week. This sort of program is open to misuse.

OK thanks, I googled something and seems you're right. the best way is probably binary wrapper.

Standard approach is through setuid. Root user admin can bless a specific set of commands for a user or a group. Highly controlled and contained to a specific execution. Third party apps might even extend such controls for the paranoid admin.

Setuid

---------- Post updated at 21:18 ---------- Previous update was at 21:18 ----------

Standard approach is through setuid. Root user admin can bless a specific set of commands for a user or a group. Highly controlled and contained to a specific execution. Third party apps might even extend such controls for the paranoid admin.

Setuid

I am interested to know how will this be possible. I did read about the binary wrapper, can let me know in more details as to how does it work or how did you make it work?