From: Ian Smith
To: Polytropon
cc: Arthur Chance, freebsd-questions@freebsd.org
Date: Sun, 21 Feb 2016 00:48:15 +1100 (EST)
Subject: Re: minimize use of root account

In freebsd-questions Digest, Vol 611, Issue 6, Message: 6
On Fri, 19 Feb 2016 22:11:11 +0100 Polytropon wrote:
> On Fri, 19 Feb 2016 14:52:53 +0000, Arthur Chance wrote:
> > On 19/02/2016 11:05, Polytropon wrote:
> > > On Fri, 19 Feb 2016 16:29:43 +1100, Yudi V wrote:
> > >> Hi all,
> > >>
> > >> currently I use the below script to load geli devices and import zpool. It
> > >> needs to be run as root.
> > >> how to run this script as normal user, is there a group that the user needs
> > >> to be part of?
> > >
> > > No, not for this task.
> > >
> > > There are different ways to do it.
> > >
> > > 1. You can set the script itself to "run as root" (chmod +s) when
> > > the script is owned by root:root. Regular users may then execute it.
> >
> > I thought suid scripts were disabled years ago because they were a major
> > security loophole?
>
> You're right - it's the case.
>
> % ll root_test.sh
> -rwsr-sr-x 1 poly poly 24 2016-02-19 19:25:20 root_test.sh*

I suppose you tried it with the script owned by root? Your example is
owned by yourself, and I hope you wouldn't expect to get root access by
running a script you'd set suid to yourself? :)

I did try with and without sgid also, to confirm it won't work, even
when blessed by root:

smithi@x200:~ % ll root_test.sh
-rwsr-sr-- 1 root wheel 24 Feb 21 00:05 root_test.sh

> % cat root_test.sh
> #!/bin/sh
> id -u
> whoami
>
> % ./root_test.sh
> 2000
> poly
>
> % sudo ./root_test.sh
> 0
> root
>
> I think this is fully intended.

Same here. I feel safer knowing suid root won't work, and thanks also to
Matthew for confirmation that even fdescfs doesn't enable that, so it's
still a 'reliable myth'.

cheers, Ian
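
An audit check that follows from the thread above, added here as an example and not part of the original message: the tests in the thread show that suid/sgid bits on a `#!` script have no effect, so a script that still carries them is a leftover from someone expecting it to work and is worth flagging. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): report files that carry a
# setuid or setgid bit but are interpreter scripts (first two bytes "#!").
# Assumes file names without embedded newlines.

find_suid_scripts() {
    dir=${1:-.}
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set.
    # -xdev keeps the walk on one filesystem.
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # Read only the first two bytes; drop NULs so binaries compare cleanly.
        magic=$(head -c 2 "$f" 2>/dev/null | tr -d '\0')
        if [ "$magic" = '#!' ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample: the thread's root_test.sh with the setuid bit, a script
# without it, and a non-script file with it. Only the first is reported.
suid_script_demo() {
    t=$(mktemp -d) || return 1
    printf '#!/bin/sh\nid -u\nwhoami\n' > "$t/root_test.sh"
    printf '#!/bin/sh\nid -u\n' > "$t/plain.sh"
    printf '\177ELF' > "$t/not_a_script"
    chmod 4755 "$t/root_test.sh" "$t/not_a_script"
    chmod 0755 "$t/plain.sh"
    ( cd "$t" && find_suid_scripts . )
    rm -rf "$t"
}
```

Call `find_suid_scripts /usr/local` (or any other directory) to list candidates; `suid_script_demo` runs the check against the constructed files.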