Date:      Sun, 21 Feb 2016 00:48:15 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Polytropon <freebsd@edvax.de>
Cc:        Arthur Chance <freebsd@qeng-ho.org>, freebsd-questions@freebsd.org
Subject:   Re: minimize use of root account
Message-ID:  <20160220235704.P51785@sola.nimnet.asn.au>
In-Reply-To: <mailman.111.1455969602.79622.freebsd-questions@freebsd.org>
References:  <mailman.111.1455969602.79622.freebsd-questions@freebsd.org>

In freebsd-questions Digest, Vol 611, Issue 6, Message: 6
On Fri, 19 Feb 2016 22:11:11 +0100 Polytropon <freebsd@edvax.de> wrote:
 > On Fri, 19 Feb 2016 14:52:53 +0000, Arthur Chance wrote:
 > > On 19/02/2016 11:05, Polytropon wrote:
 > > > On Fri, 19 Feb 2016 16:29:43 +1100, Yudi V wrote:
 > > >> Hi all,
 > > >>
 > > >> currently I use the below script to load geli devices and import zpool. It
 > > >> needs to be run as root.
 > > >> how to run this script as normal user, is there a group that the user needs
 > > >> to be part of?
 > > >
 > > > No, not for this task.
 > > >
 > > > There are different ways to do it.
 > > >
 > > > 1. You can set the script itself to "run as root" (chmod +s) when
 > > >     the script is owned by root:root. Regular users may then execute it.
 > > 
 > > I thought suid scripts were disabled years ago because they were a major 
 > > security loophole?
 > 
 > You're right - it's the case.
 > 
 > % ll root_test.sh 
 > -rwsr-sr-x  1 poly  poly  24 2016-02-19 19:25:20 root_test.sh*

I suppose you tried it with the script owned by root?  Your example is 
owned by yourself, and I hope you wouldn't expect to get root access by 
running a script you'd set suid to yourself? :)

I did try with and without sgid also, to confirm it won't work, even 
when blessed by root:

smithi@x200:~ % ll root_test.sh
-rwsr-sr--  1 root    wheel           24 Feb 21 00:05 root_test.sh

 > % cat root_test.sh
 > #!/bin/sh
 > id -u
 > whoami
 > 
 > % ./root_test.sh
 > 2000
 > poly
 > 
 > % sudo ./root_test.sh
 > 0
 > root
 > 
 > I think this is fully intended.

Same here.  I feel safer knowing suid root won't work, and thanks also 
to Matthew for confirmation that even fdescfs doesn't enable that, so 
it's still a 'reliable myth'.

cheers, Ian
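
Added example, not part of Ian's message or of the thread: a POSIX sh audit that lists files carrying the setuid or setgid bit whose first two bytes are `#!`, that is, scripts like root_test.sh above, where per the thread the bit grants nothing. The function names and the optional clean-up step are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Finds interpreter scripts that have
# the setuid or setgid bit set. The thread shows the bit is ignored for
# scripts, so any hit is a misleading permission worth reviewing.
# Assumption: file names contain no newlines.

# Print one path per line for every setuid/setgid regular file under $1
# whose first two bytes are "#!".
find_suid_scripts() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # Unreadable files are skipped rather than guessed at.
        magic=$(head -c 2 "$f" 2>/dev/null) || continue
        if [ "$magic" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Clear the setuid and setgid bits on every script reported above.
# Compiled setuid binaries are not touched.
clear_suid_scripts() {
    find_suid_scripts "$1" |
    while IFS= read -r f; do
        if chmod u-s,g-s "$f"; then
            printf 'cleared: %s\n' "$f"
        fi
    done
}

# Stand-alone use: ./audit.sh /usr/local/bin   (path is only an illustration)
if [ "$#" -gt 0 ]; then
    find_suid_scripts "$1"
fi
```

Run the listing first and review each hit before calling clear_suid_scripts on the same directory.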


