[TriLUG] running script as mail alias, script running as specific user

Jon Carnes jonc at nc.rr.com
Tue Jan 15 16:21:47 EST 2002


In this case the shell was bash.  So Matt and I tried this and what worked
is copying /bin/bash to a directory that only had rights for the user
"mail". Then we used chown to set the owner to lorax and chmod to set uid on
the shell.
===
  mkdir  /home/lorax/bin
  chown  mail.mail  /home/lorax/bin
  chmod  0700  /home/lorax/bin
  cp  /bin/bash  /home/lorax/bin/bash_lorax
  chown  lorax.lorax  /home/lorax/bin/bash_lorax
  chmod  u+s,g+s  /home/lorax/bin/bash_lorax
===

Now I write my script "thetrees" and put it in: /home/lorax/bin/
So it too is now only executable by the user "mail".

The script starts with:
  #! /home/lorax/bin/bash_lorax
  #  I am the lorax I speak for the trees....
  #  I'm executable by "mail" but I run as user "lorax"
  ...

Thanks Matt!

Jon
----- Original Message -----
From: "Matthew Hoover" <matth at haht.com>
To: <trilug at trilug.org>
Sent: Tuesday, January 15, 2002 3:20 PM
Subject: Re: [TriLUG] running script as mail alias, script running as specific user


> > suid bit is ignored for scripts by design i think
> >
> > I think I once accomplished this by using #!/bin/su -someargs
> > But this would only work if the originating user was root.
> >
> > Or you could wrap the script with another script that says su user -c
> > "/usr/.../thetrees"
> > Again this would require the originating user to be root.
>
> Another thing that you could try is to create a link to the shell
> executable, and then suid the link.  Then instead of directly calling the
> script, call the shell (via the link), with the script as an argument.
> Since the permissions are stored on the link, not on the shell, this
> should not cause problems for other users of the shell.  There are some
> obvious security issues that will have to be dealt with, but by placing
> the link to the shell in a directory with very limited access, you should
> be able to block people from accessing it.
>
> Of course, I haven't tried this, but it would be interesting to see if it
> works.  If only I had more time....;-)
> --matt hoover
>
> _______________________________________________
> TriLUG mailing list
> http://www.trilug.org/mailman/listinfo/trilug
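Editor's note, added to the archived thread and not part of either message: the setuid bit is ignored on scripts because the kernel would otherwise run an interpreter with elevated ids on a file a caller could race or substitute. A setuid copy of bash as built above has two further problems: bash resets its effective uid to the real uid when the two differ unless it is started with -p, so the copy may not keep lorax's privileges at all; and if it does, anyone who can reach it gets a privileged shell that honours whatever arguments and environment (PATH, BASH_ENV, ENV) they pass in. The conventional fix is a small setuid C wrapper that runs exactly one script, ignores its caller's arguments, builds its own environment, changes uid/gid and verifies the change, then execs the script. The wrapper below is an added example; the script path /home/lorax/bin/thetrees, the user name lorax and the install mode are assumptions matching the thread, not something either poster wrote.

```c
/* suid_run.c: setuid wrapper that runs one fixed script as one fixed user.
 * Build:    cc -O2 -Wall -o /home/lorax/bin/thetrees_wrapper suid_run.c
 * Install:  chown lorax:lorax thetrees_wrapper && chmod 6711 thetrees_wrapper
 *           inside a directory only "mail" can traverse, as in the thread.
 * Paths, user name and modes are assumptions for this example. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define TARGET_USER   "lorax"                      /* assumed */
#define TARGET_SCRIPT "/home/lorax/bin/thetrees"   /* assumed */
#define ENV_CAP 8

char *clean_env[ENV_CAP];   /* environment handed to the script */

/* Refuse a target that is missing, not a regular file, not owned by the
 * intended user, or writable by group/others (anyone who can edit it would
 * run code as that user). Returns 0 if acceptable, -1 otherwise. */
int check_target(const char *path, uid_t owner)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    if (!S_ISREG(st.st_mode)) return -1;
    if (st.st_uid != owner) return -1;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return -1;
    return 0;
}

/* "KEY=VAL" on the heap; NULL on allocation failure. */
static char *kv(const char *key, const char *val)
{
    size_t len = strlen(key) + strlen(val) + 2;
    char *s = malloc(len);
    if (s) snprintf(s, len, "%s=%s", key, val);
    return s;
}

/* Build a minimal environment instead of inheriting the MTA's: a setuid
 * program must never trust PATH, IFS, LD_PRELOAD, BASH_ENV or ENV from its
 * caller. Fills envp with five entries plus NULL; returns 5, or -1 if cap
 * is too small or allocation fails. */
int build_clean_env(char **envp, size_t cap, const char *user, const char *home)
{
    if (cap < 6) return -1;
    envp[0] = kv("PATH", "/usr/bin:/bin");
    envp[1] = kv("SHELL", "/bin/sh");
    envp[2] = kv("HOME", home);
    envp[3] = kv("USER", user);
    envp[4] = kv("LOGNAME", user);
    envp[5] = NULL;
    for (int i = 0; i < 5; i++)
        if (envp[i] == NULL) return -1;
    return 5;
}

/* Switch real and effective ids to the target permanently. Group first
 * (it needs the saved/effective uid still in place), then uid, then verify:
 * setuid-family calls can fail and silently leave the old ids behind. */
int drop_to(uid_t uid, gid_t gid)
{
    if (setregid(gid, gid) != 0) return -1;
    if (setreuid(uid, uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    (void)argc; (void)argv;          /* caller's arguments are deliberately dropped */
    struct passwd *pw = getpwnam(TARGET_USER);
    if (pw == NULL) { fprintf(stderr, "no such user: %s\n", TARGET_USER); return 1; }
    if (check_target(TARGET_SCRIPT, pw->pw_uid) != 0) {
        fprintf(stderr, "refusing to run %s: bad owner/mode/type\n", TARGET_SCRIPT);
        return 1;
    }
    if (build_clean_env(clean_env, ENV_CAP, pw->pw_name, pw->pw_dir) < 0) return 1;
    if (drop_to(pw->pw_uid, pw->pw_gid) != 0) { perror("drop_to"); return 1; }

    /* Fixed argv; stdin (the mail message) is inherited unchanged. */
    char *const args[] = { TARGET_SCRIPT, NULL };
    execve(TARGET_SCRIPT, args, clean_env);
    perror("execve");                /* only reached on failure */
    return 1;
}
```

The script itself then starts with a plain `#!/bin/sh` and needs no setuid bits; the alias points at the wrapper instead of the script. Mode 6711 (setuid and setgid, owner lorax) is what lets the unprivileged setregid/setreuid calls succeed, since a non-root process may only switch to ids it already holds as effective or saved ids.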
