From: Wayne on
On 6/9/2010 6:45 AM, pk wrote:
> Luis P. Mendes wrote:
>> ...
>> Since the suid bit in 'xx.sh' is set, why do I get:
>> scripts$ ./xx.sh
>> bash: ./xx.sh: Permission denied
>> when I try to run it with my 'lp' user?
> ...
> In Linux (and probably other systems), SUID is ignored on scripts.
> If you *really* want that, you can write a binary wrapper to the script.

You know a lot of people say this, but I've never been able to get
it to work. I've tried using "system" and various "exec" calls, but
all ignore the EUID when running the script. Searching the Internet
for quite some time failed to locate any examples.

Here's what I've tried, please tell me what I'm missing:

$ cat bar.c
int main ( void )
{
return system( "bash bar.sh" );
}

$ cat bar.sh
cat secret.txt

$ ls -l bar* secret.txt
-rwsr-x--x. 1 adm wayne 4899 2010-06-10 22:44 bar
-rw-r-----. 1 wayne wayne 54 2010-06-10 22:44 bar.c
-rw-r-----. 1 wayne wayne 15 2010-06-10 22:42 bar.sh
-r--------. 1 adm root 225 2010-05-29 21:15 secret.txt

$ ./bar
cat: secret.txt: Permission denied

--
Wayne
From: Seebs on
On 2010-06-11, Wayne <nospan(a)all.invalid> wrote:
> Here's what I've tried, please tell me what I'm missing:

You're missing a setuid.

> $ cat bar.c
> int main ( void )
> {
setuid(geteuid());
> return system( "bash bar.sh" );
> }

The above is massively oversimplified, but is about how it was done
in 1988 or so. It may still work, but check the man pages. Basically,
what you need to do is make your real user-id bit be the special
value, because, as you note, effective user-id is ignored.

Basically, the main thing effective user-id does is let you set your
real uid to it. :P

-s
--
Copyright 2010, all wrongs reversed. Peter Seebach / usenet-nospam(a)seebs.net
http://www.seebs.net/log/ <-- lawsuits, religion, and funny pictures
http://en.wikipedia.org/wiki/Fair_Game_(Scientology) <-- get educated!
From: Wayne on
On 6/10/2010 11:04 PM, Seebs wrote:
> On 2010-06-11, Wayne <nospan(a)all.invalid> wrote:
>> Here's what I've tried, please tell me what I'm missing:
>
> You're missing a setuid.
>
>> $ cat bar.c
>> int main ( void )
>> {
> setuid(geteuid());
>> return system( "bash bar.sh" );
>> }
>
> The above is massively oversimplified, but is about how it was done
> in 1988 or so. It may still work, but check the man pages. Basically,
> what you need to do is make your real user-id bit be the special
> value, because, as you note, effective user-id is ignored.
>
> Basically, the main thing effective user-id does is let you set your
> real uid to it. :P
>
> -s

That didn't work but you put me on the right track. For Linux, this
worked:

$ cat bar.c
#include <sys/types.h>
#include <unistd.h>

int main ( void )
{
setreuid( geteuid(), geteuid() );
return system( "bash bar.sh" );
}

Thanks for the hint!

--
Wayne
From: Wayne on
On 6/10/2010 11:32 PM, Wayne wrote:
> On 6/10/2010 11:04 PM, Seebs wrote:
>> On 2010-06-11, Wayne <nospan(a)all.invalid> wrote:
>>> Here's what I've tried, please tell me what I'm missing:
>>
>> You're missing a setuid.
>>
>>> $ cat bar.c
>>> int main ( void )
>>> {
>> setuid(geteuid());
>>> return system( "bash bar.sh" );
>>> }
>>
>> The above is massively oversimplified, but is about how it was done
>> in 1988 or so. It may still work, but check the man pages. Basically,
>> what you need to do is make your real user-id bit be the special
>> value, because, as you note, effective user-id is ignored.
>>
>> Basically, the main thing effective user-id does is let you set your
>> real uid to it. :P
>>
>> -s
>
> That didn't work but you put me on the right track. For Linux, this
> worked:
> ...

A follow-up: I needed to refine the C program a bit to eliminate
any error or warning messages:

$ cat wrapper.c
/* wrapper.c - a C wrapper program that, when suid, can
* run shell scripts as another user.
* Written 6/2010 by Wayne
*/

#define _XOPEN_SOURCE 500

#include <stdlib.h>
#include <unistd.h>

int main ( void )
{
/* Set the real and effective UID to the current effective UID: */
setreuid( geteuid(), geteuid() );
return system( "bash wrapper.sh" );
}

I think this should work on Unix too.

I discovered on anomaly though. Running:
$ ./wrapper
works fine! But root can't run it:
# ./wrapper
bash: wrapper.sh: Permission denied
(Of course, root can run the shell script directly.) I don't understand
the problem here with setreuid; even if that fails when the RUID is root,
why doesn't the "system" call work?

--
Wayne
From: Sven Mascheck on
Seebs <usenet-nospam(a)seebs.net> wrote:
> On 2010-06-11, Wayne <nospan(a)all.invalid> wrote:

> You're missing a setuid.

>> $ cat bar.c
>> int main ( void )
>> {
> setuid(geteuid());
>> return system( "bash bar.sh" );
>> }

Alternatively:
If the euid is different from the uid, then some shells need to be advised
not to set back the euid. The SVR4 sh and bash-2 ff. require "-p",
ksh88 and 93 activate it automatically.

return system( "/path/to/bash -p /path/to/bar.sh" );