Re: script execute permission without read permission



Jamie Smith <jamie-77@xxxxxxxx> writes:

On Mar 29, 11:52 pm, Unruh <unruh-s...@xxxxxxxxxxxxxx> wrote:

No. The wrapper MUST be a binary file, not a script itself. Bash refuses to
allow suid/sgid from a script for obvious security reasons.

Well, now I have compiled "wrapper" from this code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strcpy/strcat are declared here, not in the C++ <string> header */
#include <unistd.h>
int main(int argc, char **argv)
{
    char cmd[1000];
    if (argc < 2) exit(-1);
    /* refuse names that would not fit: the original copied argv[1] unchecked */
    if (strlen(argv[1]) >= sizeof cmd - strlen("/bin/sh ")) exit(-1);
    /* the caller-supplied name is still handed to /bin/sh unchanged */
    strcpy(cmd, "/bin/sh ");
    strcat(cmd, argv[1]);
    return system(cmd);
}

And you got this wrapper code from where? It does not change the uid.

And you certainly do NOT want it running /bin/sh. That is horrible and a
total security hole.

If you really want a wrapper script here is one

***************************************************

#include <signal.h>
#include <sys/param.h>
#include <stdio.h>
#include <stdlib.h>   /* exit */
#include <unistd.h>   /* getuid, setuid, execle */
#include <pwd.h>
static char *trusted_env[] = {"PATH=/usr/bin:/usr/sbin:/sbin:/bin:/usr/local/bin", 0};
int main(int argc, char *argv[])
{
    struct passwd *pwd;
    int i;
    uid_t uid;
    /* ignore every signal the caller could send; SIGKILL cannot be caught
       and SIGCHLD is left alone so a child can still be reaped */
    for (i = 1; i < NSIG; i++) {
        if (i != SIGKILL && i != SIGCHLD)
            (void) signal(i, SIG_IGN);
    }
    uid = getuid();

    /* the calling user must exist in the password database */
    if ((pwd = getpwuid(uid)) == (struct passwd *)0)
        exit(1);
    if (setuid((uid_t)0) != 0) {   /* become root; stop if that failed */
        perror("setuid: ");
        exit(1);
    }
    if (argc == 2) {
        execle("/usr/local/bin/net", "/usr/local/bin/net", argv[1], (char *)0, trusted_env);
        perror("Failed ");
    }
    setuid(uid);                   /* back to the caller before printing usage */
    fprintf(stderr, "network [up|start|down|stop] \n%d\n", argc);
    exit(1);
}
***************************************************
(This happened to be a wrapper called network for a script called net with
one argument)


Permissions are set exactly as in my previous posting. The error is
the same:
jamie@desktop:~$ ./wrapper script
/bin/sh: Can't open script

Did you mean that bash scripts can't be used this way? Making wrapper
binary didn't change a thing. Would it help to replace the test script
with a C# script and make "wrapper" execute the C# interpreter?

And you expected it to? Read that next sentence again.

That wrapper must do a change of group and must be set up as sgid for that
group.
What do you mean by "must do a change of group"? "script" and
"wrapper" are already in specialg, which has execute permissions on
"script":
--wxr-xr-- 1 jamie specialg 86 2008-03-29 21:16 script
-rwxr-xr-x 1 jamie specialg 7339 2008-03-30 21:28 wrapper

Maybe you need to learn something then.

Note my script changes the user not the group, to user 0 (i.e. root). You
have to amend that script appropriately.
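An sgid variant of the wrapper described above, written here as an added example (it is not the code of either poster). It assumes hypothetical paths, a script owned root:specialg with mode 0750 so that only the group can read it, and a wrapper owned root:specialg with mode 2755; it validates the single argument against the words the usage message lists, makes the sgid group both real and effective, and uses execve with a fixed script path and environment instead of system("/bin/sh ...").

```c
#define _XOPEN_SOURCE 700   /* exposes setregid() in <unistd.h> */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Hypothetical paths assumed for this example. */
#define SHELL_PATH  "/bin/sh"
#define SCRIPT_PATH "/usr/local/lib/specialg/script"
/* Fixed environment: the caller's PATH, IFS, LD_* and so on never reach the script. */
static char *const trusted_env[] = { "PATH=/usr/bin:/bin", (char *)0 };
/* Accept only the words the script understands, before any privileged step.
 * Returns 1 if the argument is allowed, 0 otherwise. */
int arg_allowed(const char *arg)
{
    static const char *const allowed[] = { "up", "start", "down", "stop" };
    size_t i;
    if (arg == NULL)
        return 0;
    for (i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(arg, allowed[i]) == 0)
            return 1;
    return 0;
}

/* Make the group granted by the sgid bit both real and effective gid, so the
 * script cannot switch back to the caller's group. Returns 0 on success, -1 on failure. */
int adopt_sgid_group(void)
{
    gid_t g = getegid();
    if (setregid(g, g) != 0)
        return -1;
    return (getgid() == g && getegid() == g) ? 0 : -1;
}

int main(int argc, char *argv[])
{
    if (argc != 2 || !arg_allowed(argv[1])) {
        fprintf(stderr, "usage: %s up|start|down|stop\n", argv[0]);
        return 1;
    }
    if (adopt_sgid_group() != 0) {
        perror("setregid");
        return 1;
    }
    /* fixed interpreter and script path: no shell parsing of argv[1], no other file */
    char *args[] = { SHELL_PATH, SCRIPT_PATH, argv[1], (char *)0 };
    execve(SHELL_PATH, args, trusted_env);
    perror("execve"); /* reached only if the exec failed */
    return 1;
}
```

The interpreter opens the script with the wrapper's effective group, which is why the script needs group read permission while the caller's own read bit stays off.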
