
Unix script should run with root permissions

 
Brian Tolstrup
Greenhorn
Posts: 17
Hi there

I would like to create a Unix script that will call several other scripts, but with root permission.

The case is that a non-root account should be able to start this script, and by this get some work done as if they were root.

I have been searching the net trying to find something - one person told me that it was something about a "sign bit" I should add to the script???

Hope that someone can help.

Regards
Brian Tolstrup
 
Guy Allard
Ranch Hand
Posts: 776
You want to look at , check the man page.

Guy
 
Brian Tolstrup
Greenhorn
Posts: 17
Hi Guy

Will this work on a Solaris installation (running on SUN servers)?

regards
Brian Tolstrup
 
Adam Welch
Greenhorn
Posts: 4
With Solaris, and *nix generally, you could try a setuid approach. See man page for "set user ID" or "setuid." Prior poster is correct that sudo is better - see if you can find a port, perhaps from sunfreeware.com.
 
Brian Tolstrup
Greenhorn
Posts: 17
Hi all

I have been reading about SUID and SUDO and have some questions you guys might be able to answer.

Using SUDO I will be able to give some users the privileges to execute commands normally restricted to the root account. In my case the ability to create users. But how do I restrict the user from creating a user with root privileges and then misusing the system as a user with root permissions?

The same question goes for if I use SUID. How do I restrict the user from creating a new user which has root permissions or root privileges?

I hope someone can help me by directing me to some articles or give some answers on how to get past this security risk.

Regards
Brian Tolstrup
 
Stefan Wagner
Ranch Hand
Posts: 1923
I didn't test it, but I guess you have to make the script unwritable for the user who is allowed to execute it as root.
And you have to ensure that none of the commands called inside the script is writable, and so on recursively for scripts or binaries which call scripts or binaries.
 
Ernest Friedman-Hill
author and iconoclast
Marshal
Posts: 24208
More importantly, though: if you allow a general user to run a program that creates new accounts, runs as root, and can create accounts with root privileges, then you've given that user the keys to the system.

One thing you might do is to write a simple shell script or wrapper program which in turn runs /usr/sbin/useradd (or whatever is appropriate on your system) and passes along all the options except the -u switch (or whatever switch specifies the UID on your system.) This would prevent the user from creating an account that mimics root's (or anyone else's) UID. They could only create a user with a new, automatically allocated UID.

This is tricky stuff, so be careful.
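
A sketch of the wrapper idea from the post above, added here as an example and not code from the thread. It refuses the call instead of stripping the switch, and it goes a little further than the post: it also catches `-o`, bundled short options and abbreviated long options. The option names assume a shadow-utils style `useradd`; `sets_uid`, `safe_useradd` and the `USERADD` variable are hypothetical names.

```shell
#!/bin/sh
# Added example: useradd wrapper that refuses any caller-chosen UID.
# Assumption: -u/--uid sets the UID and -o/--non-unique permits a
# duplicate UID, as in shadow-utils useradd. Check your system's man page.
USERADD=${USERADD:-/usr/sbin/useradd}

# Return 0 if any argument could be read as a UID option, else 1.
# Every argument is scanned, including option values and anything after
# "--", so a doubtful command line is rejected rather than passed on.
sets_uid() {
    for arg in "$@"; do
        case $arg in
            --) ;;                      # bare separator, nothing to check
            --*)
                name=${arg%%=*}         # "--uid=0" becomes "--uid"
                # getopt_long accepts abbreviations such as "--ui", so
                # refuse every prefix of the two long option names.
                case --uid in "$name"*) return 0 ;; esac
                case --non-unique in "$name"*) return 0 ;; esac
                ;;
            -*[uo]*) return 0 ;;        # -u, -u0, -o, or bundled: -mou0
        esac
    done
    return 1
}

# Run useradd with the caller's arguments only if no UID option is present.
safe_useradd() {
    if sets_uid "$@"; then
        echo "useradd wrapper: UID options (-u, -o) are not permitted" >&2
        return 2
    fi
    "$USERADD" "$@"
}

# When installed as a script, act on the command line it was given.
if [ "$#" -gt 0 ]; then
    safe_useradd "$@"
fi
```

As with any script that runs as root, the wrapper and everything it calls must not be writable by the users allowed to run it.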
 