  1. #1
    Just Joined!
    Join Date
    Aug 2009
    Posts
    5

    Question SUID permission on Bash script


    Hi folks!

    I'm trying to set up a really basic script to allow one user to shut down my machine without root permissions, setting up SUID as follows:



    -rwsrwxr-- 1 root wheel 38 Aug 27 23:12 apagar.sh

    $ ./apagar.sh

    Permission denied


    content of script:


    cat apagar.sh

    #!/usr/local/bin/bash
    shutdown -p now

    As far as I know, using SUID, the script must run with root permissions... so I shouldn't get "Permission denied". What am I doing wrong?

  2. #2
    Just Joined! cfajohnson's Avatar
    Join Date
    May 2007
    Location
    Toronto, Canada
    Posts
    52
    Very few systems allow SUID scripts. Linux doesn't.

  3. #3
    Just Joined!
    Join Date
    Aug 2009
    Posts
    5
    Quote Originally Posted by cfajohnson View Post
    Very few systems allow SUID scripts. Linux doesn't.
    Do you know if FreeBSD supports SUID?

  4. #4
    Just Joined! cfajohnson's Avatar
    Join Date
    May 2007
    Location
    Toronto, Canada
    Posts
    52
    Quote Originally Posted by henter2007 View Post
    Do you know if FreeBSD supports SUID?
    Yes, but not for scripts. I don't know of any that do allow SUID scripts, though I have heard that there are some.

  5. #5
    Linux Newbie tetsujin's Avatar
    Join Date
    Oct 2008
    Posts
    117
    Quote Originally Posted by henter2007 View Post
    Hi folks!

    I'm trying to set up a really basic script to allow one user to shut down my machine without root permissions, setting up SUID as follows:



    -rwsrwxr-- 1 root wheel 38 Aug 27 23:12 apagar.sh

    $ ./apagar.sh

    Permission denied
    Apart from the question of whether your system supports SUID scripts, users outside of "root" and "wheel" do not have permission to execute this script...

    Back in the day, the way around the restriction on SUID scripts was to use Perl - it provides a SUID mode. If the host system disables SUID on scripts, then when you run a SUID Perl script, if Perl is configured for SUID support, it will detect that the script being run has SUID bit set, and it will run its own SUID copy of the Perl interpreter to escalate privileges as required. I couldn't tell you whether it's safe, personally. If you care about security you need to be careful of anything SUID.

    Now, a question: have you considered using "sudo"? I think that's what people typically use for jobs like this...

  6. #6
    Linux Newbie sarlacii's Avatar
    Join Date
    May 2005
    Location
    South Africa
    Posts
    110
    Quote Originally Posted by tetsujin View Post
    Now, a question: have you considered using "sudo"? I think that's what people typically use for jobs like this...
    Yip, that's what I was thinking. If your user "could" run a SUID script that shuts down the machine, that user has access to the shutdown command effectively. As such, given that SUID scripts are forbidden as they cannot be effectively policed, you should just edit your sudo configs to allow the user to run "shutdown" without a password prompt. That way they have exactly the same power "sudo shutdown -p now" but with proper logging etc.

    Setting up sudo is easy, with many web references available. Else, just search the forum.

    Good luck!
    Respectfully... Sarlac II
    ~~
    The moving clock K' appears to K to run slow by the factor (1-v^2/c^2)^(1/2).
    This is the phenomenon of time dilation.
    The faster you run, the younger you look, to everyone but yourself.

  7. #7
    Linux Guru sdousley's Avatar
    Join Date
    Feb 2004
    Posts
    1,790
    Quote Originally Posted by sarlacii View Post
    Yip, that's what I was thinking. If your user "could" run a SUID script that shuts down the machine, that user has access to the shutdown command effectively. As such, given that SUID scripts are forbidden as they cannot be effectively policed, you should just edit your sudo configs to allow the user to run "shutdown" without a password prompt. That way they have exactly the same power "sudo shutdown -p now" but with proper logging etc.

    Setting up sudo is easy, with many web references available. Else, just search the forum.

    Good luck!
    In fact, if the script is set up incorrectly, and set up as SUID, then they effectively have a root shell. If you do use a SUID, make SURE that the user CANNOT edit the file, else they could put rm -rf / in the file, and wipe your system.
    "I am not an alcoholic, alcoholics go to meetings"
    Registered Linux user = #372327

  8. #8
    Linux Newbie tetsujin's Avatar
    Join Date
    Oct 2008
    Posts
    117
    Quote Originally Posted by sdousley View Post
    In fact, if the script is set up incorrectly, and set up as SUID, then they effectively have a root shell. If you do use a SUID, make SURE that the user CANNOT edit the file, else they could put rm -rf / in the file, and wipe your system.
    There are bigger problems to consider, really...

    Basically SUID programs' behavior can often be influenced by outside factors, such as the value of certain environment variables. A classic one for a SUID binary is to set the value of LD_PRELOAD or LD_LIBRARY_PATH to load in a piece of your own code when you run the program. Shell scripts tend to run a lot of programs from the path, so in addition to the dynamic linker environment variables, a SUID shell script would also be highly vulnerable to changes to the PATH variable.

    (For instance: if your shell script includes the command "rm /var/log/x" and the user alters $PATH to include, at its head, a directory containing a copy of the BASH shell renamed to "rm" - then when the script is run, the user will get a root shell.)

    This vulnerability, above and beyond what may be exploited in a SUID binary, is the basic reason why SUID shell scripts are normally considered fundamentally insecure. (Though it seems the LD_LIBRARY_PATH and LD_PRELOAD ones would be just as bad, honestly...)
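
The PATH dependence described in the post above, next to a hardened form, as an added example that is not part of any post in this thread. No SUID bit is involved: the file and directory names are constructed, and the stand-in `rm` only prints a marker.

```shell
#!/bin/sh
# Build a sandbox holding a harmless impostor "rm" and two scripts.
setup_demo() {
    demo=$(mktemp -d) || return 1
    mkdir "$demo/fake"
    cat > "$demo/fake/rm" <<'EOF'
#!/bin/sh
echo IMPOSTOR
EOF
    # Weak: bare command name, resolved through whatever PATH the caller set.
    cat > "$demo/weak.sh" <<'EOF'
#!/bin/sh
rm -f "$1"
EOF
    # Hardened: the script pins PATH itself and drops the dynamic-linker
    # variables before it starts any other program.
    cat > "$demo/hardened.sh" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin; export PATH
unset LD_PRELOAD LD_LIBRARY_PATH
rm -f "$1"
EOF
    chmod +x "$demo/fake/rm" "$demo/weak.sh" "$demo/hardened.sh"
}

# Run script $1 with the impostor directory at the head of PATH.
# Prints "impostor-ran" if the stand-in was picked up, "real-rm-ran" if the
# system rm removed the target file.
run_with_hostile_path() {
    target="$demo/target.txt"
    : > "$target"
    out=$(PATH="$demo/fake:$PATH" "$demo/$1" "$target")
    if [ "$out" = "IMPOSTOR" ]; then echo impostor-ran
    elif [ ! -e "$target" ]; then echo real-rm-ran
    else echo unknown
    fi
}

setup_demo
echo "weak.sh:     $(run_with_hostile_path weak.sh)"
echo "hardened.sh: $(run_with_hostile_path hardened.sh)"
rm -rf "$demo"
```

Pinning PATH inside the script covers only the programs the script starts; it does nothing about the environment the interpreter itself was launched with.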

  9. #9
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Quote Originally Posted by henter2007 View Post
    Hi folks!

    I'm trying to set up a really basic script to allow one user to shut down my machine without root permissions, setting up SUID as follows:
    Look at sudoer. This will be your best bet for allowing someone to shut down your system. You can allow them to run the shutdown, and only the shutdown, program as root.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
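
The sudo approach suggested in posts #6 and #9, as an added example that is not part of any post in this thread: it generates a sudoers rule allowing one account to run exactly `shutdown -p now` as root without a password. The function names, the account name `exampleuser`, and the path `/sbin/shutdown` are assumptions; check the real path with `command -v shutdown`.

```shell
#!/bin/sh
# Print the sudoers rule for user $1, or fail if $1 is not a plain account
# name (this keeps extra sudoers syntax from being smuggled in via the name).
shutdown_rule() {
    case $1 in
        ''|*[!a-z0-9_-]*) echo "refusing odd user name: $1" >&2; return 1 ;;
    esac
    # Absolute path plus fixed arguments: sudo matches this command line only,
    # so "shutdown" with any other arguments is not permitted by the rule.
    # /sbin/shutdown is an assumed location.
    printf '%s ALL=(root) NOPASSWD: /sbin/shutdown -p now\n' "$1"
}

# Write the rule for user $1 to file $2 and syntax-check it with visudo
# (when visudo is installed) before it is copied anywhere sudo reads.
write_checked_rule() {
    shutdown_rule "$1" > "$2" || return 1
    chmod 0440 "$2"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$2" >/dev/null || return 1
    fi
}

# Show the rule for a placeholder account.
shutdown_rule exampleuser
```

The user then runs `sudo shutdown -p now`, and sudo logs each use.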

  10. #10
    Just Joined!
    Join Date
    Sep 2010
    Posts
    1
    An old problem~aaaah. It is simple, because bash does not allow being used as a SET-UID program. So what you should do is install zsh and change the symbolic link: link /bin/sh to /bin/zsh.

    $ su
    Password: (enter root password)
    # cd /bin
    # rm sh
    # ln -s zsh sh

    then you can use your script.
