SUMMARY: SUID script

From: Bill Townsley (billt@dat.com)
Date: Tue Oct 01 1996 - 10:28:07 CDT


OK! Mercy! SUID scripts are a Bad Thing. In fact a Huge Security Hole.
I promise I won't write one or even mention them ever again.

ORIGINAL POST:
> Sun Managers,
>
> I've created a Bourne shell script under Solaris 2.4 which basically
> looks for defunct processes and kills them. I'd like the operations
> staff to be able to run this script without requiring the root
> password. Every attempt I've made at making this script SUID has
> failed. Joe User gets a "/bin/sh: kill: permission denied" message.
> The permissions on the script are "-rwsr-xr-x" ie 4755. I assume
> there's more to a SUID script than I'm aware...can anybody help me
> out?

RESPONSE SUMMARY:

1) you can do suid scripts in Solaris 2.x
2) write a C program (you can do suid execs) that calls the script (a wrapper)
3) do it in Perl/ksh/C
4) run it in cron as root
5) use sudo/wiz/opcomm which allow certain users to execute certain
commands as root in a controlled way.
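An added example of the wrapper approach in suggestion 2; it is not code from the original post or from any of the responders. The setuid bit goes on a small C program, never on the script itself: the wrapper runs one fixed script by absolute path, hands it a fixed minimal environment (so a caller's PATH or IFS never reach the Bourne shell), refuses any arguments, and checks that the script is a root-owned file nobody else can write before it executes it. The script path is an assumed placeholder.

```c
/* Setuid wrapper (added example, not the original poster's or any responder's code).
 * Install as root, mode 4755; the script it runs stays mode 0755 with no setuid bit.
 * SCRIPT_PATH is an assumption: substitute the real location of the script. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#define SCRIPT_PATH "/usr/local/adm/bin/kill_defunct.sh"   /* assumed placeholder */

/* The only environment the script ever sees: a fixed PATH and nothing inherited
 * from the caller. A shell script imports PATH and IFS from its environment,
 * which is exactly what makes a directly setuid script unsafe. */
static char *const safe_env[] = { "PATH=/usr/bin:/bin", (char *)0 };

/* Returns 1 when the target is safe to run as root: an absolute path, a regular
 * file, owned by uid 0, and not writable by group or others. Anything else is 0. */
int script_is_trusted(const char *path)
{
    struct stat st;

    if (path == NULL || path[0] != '/')
        return 0;                          /* relative paths depend on the caller's cwd */
    if (stat(path, &st) != 0)
        return 0;                          /* missing or unreadable */
    if (!S_ISREG(st.st_mode))
        return 0;                          /* directories, devices, fifos are not scripts */
    if (st.st_uid != 0)
        return 0;                          /* only root may own what root will execute */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;                          /* nobody but the owner may edit it */
    return 1;
}

/* The wrapper takes no arguments: the script's job is fixed, and caller-supplied
 * argv is one of the classic ways a setuid program is steered somewhere else.
 * Returns 1 if argc is acceptable, 0 otherwise. */
int argv_is_acceptable(int argc)
{
    return argc == 1;
}

/* Execs the script as root with the minimal environment. Returns only on failure. */
int run_script(void)
{
    char *const argv[] = { SCRIPT_PATH, (char *)0 };

    if (!script_is_trusted(SCRIPT_PATH))
        return 0;
    /* exec of the setuid binary set the effective uid to 0; make the real uid
     * match, so the shell the script starts sees a consistent identity
     * (some shells drop privileges when real and effective uid differ). */
    if (setuid(0) != 0)
        return 0;
    execve(SCRIPT_PATH, argv, safe_env);
    return 0;                              /* execve returns only on error */
}

int main(int argc, char **argv)
{
    if (!argv_is_acceptable(argc)) {
        fprintf(stderr, "usage: %s (takes no arguments)\n", argv[0]);
        return 2;
    }
    if (!run_script()) {
        perror("wrapper");
        return 1;
    }
    return 0;
}
```

Compared with suggestion 5, this gives the operations staff exactly one privileged action and nothing else, with no way to pass in a different command; sudo gets the same result with a one-line rule and a log entry per use, which is why the responders preferred it where it was available.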

Many thanks to all the responders for their firm but kind suggestions:
"Nicholas R LeRoy" <nleroy@norland.com>
Jim Ausman <ausman@wired.com>
manderso@neon.mitretek.org (Mark S. Anderson)
Martin Espinoza <drink@sei.com>
brownfld@kai.com (Ken Brownfield)
Nicky Ayoub <Nicky.Ayoub@Microchip.COM>
ahoerter@netcom.com (AMH)
foster@bial1.ucsd.edu
moreilly@fsaia.qld.gov.au (Mark J O'reilly)
fpardo@tisny.com (Frank Pardo)
Ric Anderson <ric@rtd.com>
miquel@proton.uab.es (Miquel Cabanas. BBM-UAB)
Rich Kulawiec <rsk@itw.com>
felipe@pty.com (Ing. Felipe Tribaldos)
Japie Greeff <jgre@amdahl.co.za>
lemercie@dr.gdf.fr (LEMERCIER Laurent)
Trevor Morrison <trevor@if.ssci.liv.ac.uk>
Herbert Wengatz <hwe@uebemc.siemens.de>
blymn@awadi.com.au (Brett Lymn)
rtrzaska@uk.mdis.com (Ray Trzaska)
root@wisdom.Maf.Nasa.Gov
"David Evans" <djve@deakin.edu.au>
Mark Belanger <mjb@ltx.com>
Brad Young <bbyoung@amoco.com>
mshon@sunrock.East.Sun.COM (Michael J. Shon {*Prof Services} Sun Rochester)
ajs6143@eerpf001.ca.boeing.com ( Andy J. Stefancik 237-2164 )
Wanda Perrier <PERRIEW@ex1.wes.army.mil>
irac@gate.comdata.com (Ira Childress)
springer@aitsun500.tci.com (Jerry Springer)
Richard Pieri <ratinox@unilab.dfci.harvard.edu>
Cameron Humphries <cameron@daedalus.com.au>
gj@qsun.ho.att.com (George P Josilo)
rich@loopexpert.com (Rich Casto)
Rahul Roy <roy@bluestone.com>
mrs@cadem.mc.xerox.com ("Michael Salehi x22725")



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:11 CDT