Date: Wed, 05 Sep 2001 14:21:40 +0200 From: Piet Delport <pjd@siberiyan.dyndns.org> To: freebsd-chat@freebsd.org Subject: Scripts and setuid Message-ID: <20010905142139.A2190@athalon>
next in thread | raw e-mail | index | archive | help
--45Z9DzgjV8m4Oswq Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Tidings, Some background: Having recently discovered cdcontrol(1), and finding it useful for playing CDs from the console, i was in search of a way to cleanly run it as a non-root user. I initially tried playing around with the modes of /dev/acd0c and the /usr/sbin/cdcontrol binary, which works, but has the disadvantage of being overwritten whenever i "make world". So my next solution was to create a setuid root shell script in /usr/local/sbin called cdc, which simply contains: #!/bin/sh /usr/sbin/cdcontrol -f /dev/acd0c "$@" and has the dual advantage of saving me some typing, and being immune to "make world" clobberage. It didn't work however, always giving permission denied errors despite any combination of setuid and setgid modes and ownerships i tried. After some testing with "id" and R'ing of TFM, i eventually stumbled across this bit from execve(2): The set-ID bits are not honored if the respective file system has the nosuid option enabled or if the new process file is an interpreter file. Maybe i'm just dense, but this came as a surprise for me. :) I was always under the general impression that the setuid bit works on all executable files (despite never trying it firsthand before now, obviously), and can't see how it's harmful to make scripts setuid[1]. So, to satisfy my own curiosity, why is this so? Historical, technical, or traditional reasons, or what? (And in case anyone is interested, i'm currently settling for making cdcontrol(1) setuid root, and calling it from cdc. Not the best solution by far, i know, but this is mainly an informal desktop box. hence me playing CDs on it in the first place.) [1] Well, not more harmful than making binary executables setuid in the first place. --=20 Piet Delport <siberiyan@mweb.co.za> Today's subliminal thought is: --45Z9DzgjV8m4Oswq Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7lhjTzRUP82sZFCcRAk5xAJ98Cj2S9xZ7Auop8mr3jImBPV+Z6QCffnxO pjn3MiVjDvrNhOi2uUdjtmw= =HLTJ -----END PGP SIGNATURE----- --45Z9DzgjV8m4Oswq-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-chat" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010905142139.A2190>