Re: writing logs in a file that needs root privileges



On Thursday 03 June 2010 05:30 in comp.os.linux.misc, somebody
identifying as Rahul wrote...

I have a bash wrapper command with permissions:
-rwxr-xr-x 1 root root


Thus only root can modify this wrapper but any user can use it as a
command. This is a simple bash script.

Within this script I need to write a comment to a log file. I'd prefer
if this log file was only readable / modifiable by root alone. Is
there a way to do this?

Yes, you can set the script's SUID bit so that whoever runs it, runs it
with the privileges of the owner, i.e. root.

However, depending on what the script does - we don't know that as
you're not telling us - this may not be a valid option. The script
might have some privilege escalation exploit.

I tried giving the log file these permissions:
-rw-rw-r-- 1 root root

But then when I run the command as a regular user it seems to not be
able to write to the log file:
/opt/bin/qsub: line 33: /var/log/qstats.submit.rpn: Permission denied

Of course, if I make the log file world writable all is OK but then
the point behind keeping the logs secure is defeated.

One way I was thinking of was a privilege escalation at the point the
log needs to be written. But setuid seems to be a C call. Any way of
doing this in a bash script?

Just change the permissions on the executable - or eventually, if
present, on the executable it calls upon to do the writing to the log -
to include the SUID bit.


--
*Aragorn*
(registered GNU/Linux user #223157)
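
An added example, not part of the original thread: Linux ignores the SUID bit on interpreted scripts, so of the two options in the reply it is the small compiled helper called by the wrapper that takes effect. The sketch below is such a helper; the name `qlog-append`, the `uid=` line format and the 256-byte limit are assumptions, and only the log path comes from the thread.

```c
/* Added example: hypothetical setuid-root helper "qlog-append" (not from the thread). */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define LOG_PATH "/var/log/qstats.submit.rpn"  /* path from the thread, fixed at build time */
#define MAX_MSG  256                           /* assumed message limit */

/* Copy msg into out, replacing control characters (newlines included) so a
 * caller cannot forge extra log lines; truncates to outsz-1 bytes. */
size_t sanitize(const char *msg, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *msg && n + 1 < outsz; msg++) {
        unsigned char c = (unsigned char)*msg;
        out[n++] = (c < 0x20 || c == 0x7f) ? '?' : (char)c;
    }
    out[n] = '\0';
    return n;
}

/* Append one "uid=<real uid> <msg>" line. O_APPEND only ever adds to the file,
 * O_NOFOLLOW refuses a symlink at the path, mode 0600 keeps it owner-only. */
int append_line(const char *path, uid_t ruid, const char *msg)
{
    char clean[MAX_MSG], line[MAX_MSG + 32];
    sanitize(msg, clean, sizeof clean);
    int len = snprintf(line, sizeof line, "uid=%lu %s\n", (unsigned long)ruid, clean);
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, line, (size_t)len);
    close(fd);
    return w == (ssize_t)len ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s MESSAGE\n", argv[0]);
        return 2;
    }
    /* getuid() is the invoking user even when the binary runs setuid root. */
    return append_line(LOG_PATH, getuid(), argv[1]) == 0 ? 0 : 1;
}
```

Installed owned by root with mode 4755 and the log file at mode 0600, the wrapper script stays unprivileged and the only privileged action is appending one sanitized line to one fixed file.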