(snip)From: Dan Nelson <[EMAIL PROTECTED]> To: "Gerald S. Stoller" <[EMAIL PROTECTED]> CC: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Re: set user-id Date: Wed, 23 Jul 2003 14:23:05 -0500
> > Well, why don't you just chmod 4755 /bin/ksh, then. :-D
> with a slight change, I copied ksh to /bin with the name kshroot ,
> made sure
> that the group on it is the group of root , and then did
> chmod 4750 /bin/kshroot
> Thus only the users who are 'close to' root (e.g., generally users who have the
> root password so they can become root if necessary) can run this shell
> whenever they need to act as root , and can use it in scripts (first line:
> #!/bin/kshroot). Again
> note that these scripts can only be invoked by users who are 'close to'
> root. For the other users, I'd have to use a sudo.
That will work, too.
-- Dan Nelson [EMAIL PROTECTED]
I suggest that the FreeBSD system have an argument (or option,
if arguments are not allowed) on the kernel which will have it (when the
setuid/setgid is on a script and the shell/interpreter is hallowed/sanctioned)
invoke the interpreter and express the setuid/setgid of the script on it,
and then have it interpret the script. If it can’t be done this way, then make
the feature a configuration option at the time of building the kernel.
Care must be taken in implementing the setuid feature. As a friend noted:
"Suppose
current use is U
/bin/prog is setuid to P
script is setuid to S and begins #!/bin/prog
then the ksh command
prog script runs as P
prog <script runs as P
script runs as S
. script runs as U
That's the way it is on Unix systems that I use,
and the freeBSD man page seems to agree."
_________________________________________________________________
Compare Cable, DSL or Satellite plans: As low as $29.95. https://broadband.msn.com
_______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
