Hinko Kocevar wrote:
> Hi,
>
> I'm trying to touch a file in /sbin during boot time
> and would like to do that with a normal user by running
> a SUIDed shell script.
> I have the following script:
> hin...@alala /tmp $ cat test.sh
> #!/bin/sh
>
> touch /sbin/foo.bar
> exit $?
>
> hin...@alala /tmp $ sudo chmod +x test.sh
> hin...@alala /tmp $ sudo chown root:root test.sh
> hin...@alala /tmp $ sudo chmod +s test.sh
> hin...@alala /tmp $ ls -l test.sh
> -rwsr-sr-x 1 root root 32 Mar 2 09:27 test.sh
> hin...@alala /tmp $ sh -x test.sh
> + touch /sbin/foo.bar
> touch: cannot touch `/sbin/foo.bar': Permission denied
>
> Can somebody help me with that?
>
> Thank you!
>
> Best regards,
> Hinko

Linux does not support s[ug]id scripts, however, you can emulate the
effect of it using sudo - in your shell script, do the following:

    #!/bin/sh
    [ $(id -u) -ne 0 ] && exec sudo "$0" "$@"
    # put the rest of the script here

and add a line to /etc/sudoers that reads:

    ALL ALL=NOPASSWD: /path/to/script

This will allow any user (the first "ALL") from any host (the second
"ALL") to run /path/to/script as root:root without any authentication,
by simply calling /path/to/script (or just "script", if it happens to be
in the $PATH).

NB - I haven't actually tried this recently, so I might be wrong on some
of the specifics, but the general idea should hold.

Also, if you want to restrict *who* can run the script, you can change
the first "ALL" to something else, see sudoers(5) for details - also you
can restrict *where* it can be run by changing the second "ALL". If you
want to make the user enter *their own* password, remove the
"NOPASSWD:". If you want to make the user enter *root's* password, read
the man page - I don't remember the option, but I know there is one.

--
ABCD
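
A pre-flight check for the sudoers approach in the reply above, as an added example that is not part of the original message: since the rule lets any user run the script as root, the script and its directory should be writable only by root before the path goes into /etc/sudoers. The function names and the optional uid argument (default 0) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. check_path and check_sudo_target
# are hypothetical helper names.
# Usage: check_sudo_target /absolute/path/to/script [expected_owner_uid]

# Succeeds if $1 is owned by uid $2, is not a symlink, and is not writable
# by group or others. Uses POSIX `ls -ldn` so owners are printed numerically.
check_path() {
    cp_path=$1; cp_uid=$2
    cp_info=$(ls -ldn "$cp_path" 2>/dev/null) || {
        echo "missing: $cp_path" >&2; return 1; }
    cp_mode=$(printf '%s\n' "$cp_info" | awk '{ print $1 }')
    cp_owner=$(printf '%s\n' "$cp_info" | awk '{ print $3 }')
    [ "$cp_owner" = "$cp_uid" ] || {
        echo "owner uid $cp_owner, expected $cp_uid: $cp_path" >&2; return 1; }
    case $cp_mode in
        l*) echo "symlink, check its target instead: $cp_path" >&2; return 1 ;;
        # character 6 of the mode string is group-write, character 9 other-write
        ?????w*|????????w*)
            echo "group/other writable ($cp_mode): $cp_path" >&2; return 1 ;;
    esac
    return 0
}

# Succeeds only if the script is a suitable target for a sudoers command entry.
check_sudo_target() {
    st_script=$1; st_uid=${2:-0}
    case $st_script in
        /*) ;;  # sudoers command entries are fully qualified paths
        *) echo "not an absolute path: $st_script" >&2; return 1 ;;
    esac
    [ -f "$st_script" ] || { echo "not a regular file: $st_script" >&2; return 1; }
    check_path "$st_script" "$st_uid" || return 1
    # The containing directory matters too: write access there allows the
    # file to be renamed away and replaced.
    check_path "$(dirname "$st_script")" "$st_uid" || return 1
    return 0
}
```

The directory test is conservative: it also rejects a sticky world-writable directory such as the /tmp used in the question.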