suid - question

[Kay]

Hello,

hope, the following is not too elementary. My OS is Linux.

I want to run a command like "fuser -9 -k /dev/lp0" in a shell script
called i.e. reset_port, which has to be executable by
non-superusers. The process blocking the device seems to belong to the
user "lp". When executing the script as root user, the process using
the device is killed as desired. But when running the script as a
normal user, fuser /dev/lp0 neither shows nor kills the process.

I have tried permissions which render the following attributes by
ls -l (output truncated after user and group name):

-rwSr-xr-x 1 lp lp
-rwSr-sr-x 1 lp lp
-rwSr-xr-x 1 root root
-rwSr-sr-x 1 root root

I understand, that suid (chmod u+s reset_port) should let the script
run with superuser privileges, but in my case it does not work, so I
guess, I have misunderstood something.

Thanks for answers!
Kay

[Bill Marcum]

On Thu, 01 Apr 2004 18:40:09 +0200, Kay
<news_nospam@web.de> wrote:

>
> I understand, that suid (chmod u+s reset_port) should let the script
> run with superuser privileges, but in my case it does not work, so I
> guess, I have misunderstood something.
>

For security reasons, the suid bit is ignored on scripts. Try sudo.

--
Nothing is illegal if one hundred businessmen decide to do it.
-- Andrew Young

[Davide Bianchi]

Kay <news_nospam@web.de> wrote:

> I understand, that suid (chmod u+s reset_port) should let the script
> run with superuser privileges,

No, on scripts you can't use the SUID bit. You need to use sudo
within the script.

Davide

--
| It would be nice if the Food and Drug Administration stopped issuing
| warnings about toxic substances and just gave me the names of one or
| two things still safe to eat.
|

[Barry Margolin]

In article <6w65cj8xee.fsf@pino.iskp.uni-bonn.de>,
Kay <news_nospam@web.de> wrote:

> I understand, that suid (chmod u+s reset_port) should let the script
> run with superuser privileges, but in my case it does not work, so I
> guess, I have misunderstood something.

Most versions of Unix ignore setuid on scripts, because there are
security implications of it.

Use sudo.

--
Barry Margolin, [email]barmar@alum.mit.edu[/email]
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***

[Kay]

Barry Margolin <barmar@alum.mit.edu> writes:

> In article <6w65cj8xee.fsf@pino.iskp.uni-bonn.de>,
> Kay <news_nospam@web.de> wrote:

>> I understand, that suid (chmod u+s reset_port) should let the script
>> run with superuser privileges, but in my case it does not work, so I
>> guess, I have misunderstood something.

>
> Most versions of Unix ignore setuid on scripts, because there are
> security implications of it.
>
> Use sudo.
>
> --
> Barry Margolin, [email]barmar@alum.mit.edu[/email]
> Arlington, MA
> *** PLEASE post questions in newsgroups, not directly to me ***

Hello!

Thanks for the answer, I was not very aware of this utility. Now I got
it working.

I should like to put a further question, which as well may be the
result of a certain lack of understanding.

sudo offers the possibility of letting user A run commands as user
B. If NOPASSWD is not specified in the sudoers file, user A would have
to know the password of user B, so that he could log in as user B
anyway. Do I get it correctly, then, that this way of applying sudo
would not make much sense?

Cheers,
Kay

[Davide Bianchi]

Kay <news_nospam@web.de> wrote:

> If NOPASSWD is not specified in the sudoers file, user A would have
> to know the password of user B

No. The password requested by sudo is user's A password. Sudo need
to be sure that is user A trying to execute the command and not
someone else that just stumbled into an open console. Otherwise
the whole exercise is pointless and user A can just su - B and
become user B with flying colors.

Davide

--
| In a medium in which a News Piece takes a minute and an "In-Depth"
| Piece takes two minutes, the Simple will drive out the Complex. --
| Frank Mankiewicz
|