Restricting Usage of Setuid Programs to the Admin User In MacOsx
This is a quote from the Apple security configuration (you can download it from Apple)
" Using ACLs to Restrict Usage of Setuid Programs
The ACL feature of Mac OS X can also be used to restrict the execution of setuid
programs. Restricting the execution of setuid programs to administrators prevents
other users from executing those programs. It should also prevent attackers who are
currently running with ordinary user privileges from executing the setuid program and
trying to elevate their privileges. All users on the system are in the “staff” group, so the
commands below allow members of the admin group to execute <program name>,
but deny that right to members of the staff group:
Only the first command
has been accepted. The second
has been refused with the answer:
-bash: syntax error near unexpected token `newline'.
What I want to achieve is restricting the execution of setuid programs to the admin account. The other accounts should not be able to do it.
Can somebody help me and tell me what is worong and why "-bash: syntax error near unexpected token `newline" appears?
It'd help if you pasted exactly what you did. But thinking better, the # would need a space to mess up parsing. I believe you're include the brackets, don't do that.
I'm trying - as an ordinary user - to create a file in the root directory of my system. For that purpose I wrote a simple script that echoes a string into a file. I made the file executable, used sudo to change ownership to root. Like this:
$ cat hello
#!/bin/bash
echo hello > /hello
$... (5 Replies)
Just learning about the privilege escalation method provided by setuid. Correct me if I am wrong but what it does is change the uid of the current process to whatever uid I set. Right ?
So what stops me from writing my own C program and calling setuid(0) within it and gaining root privileges ?
... (2 Replies)
Hey guys,
Suppose i run passwd via bash shell. It is a suid program, which temporarily runs as root(owner) and modifies the user entries.
However, when i write a C file and give 4755 permission and root ownership to the 'a.out' file , it doesn't run as root in bash shell. I verified this by... (2 Replies)
Hi,
I need to work on restricting the Linux commands to the ADMIN user to some extent. It means for example, Admin users should not use passwd command to change the password of "root" or other important accounts like oracle, etc.,
So, I want to know which commands should be restricted upto which... (5 Replies)
Hi
I am trying to automate the install of a package, I realise that I need to create an admin file, but as part of the install I am asked if I want to install these as setuid/setgid files, I want to say yes.
What value am I supposed to use for setuid= in the admin file
Thanks (1 Reply)
Hello,
For one of our servers, we have had people trying to illegally loggon using the ssh service.
My manager has asked me to restrict ssh access to users in our internal network but close ssh access to the "outside" world.
Could someone at the very least point me to some resources on the... (7 Replies)
Hi,
Im working for a company that has over 400+ unix/solaris boxes.
Obviously when we get a new unix guy join the company, its take us AGES to set them up on all these boxes.
Can people recommend any programs/packages that can be added to our unix/solaris boxes to make this easier?
... (2 Replies)
Hi,
I want the user to enter only numeric values and also he should only enter
2 digits only ( eg 23 or 23 or 03 any 2 digits)
For the above purpose how should i declare my variable ?
integer value
if I read 03 in variable value then it gives me error ...also user can enter n number... (4 Replies)
This may be a dumb question, but I've been wondering why programs such as ping and traceroute must be setuid? Are there some restrictions which prevent normal users from accessing the world via sockets?
$ pwd
/bin
$ ls -l ping traceroute
-rwsr-xr-x 1 root root 35616 Apr 7 2005 ping... (1 Reply)
Hello, Do you guys know how does the root user works in this system?
from the terminal i try to su to root, and i thought the password was the same as the macosx password, at the /etc/passwd file the passwd field appears as *, so it's system bussines only, is there a way to become root? i... (6 Replies)