SUMMARY: Silly Little Question about SETUID

From: Ben Green <>
Date: Fri Jul 18 2003 - 20:49:50 EDT
Thanks to Terry Garnder, Larye Parkins, Rich Teer, Dave Mitchell, & Walter

General consensus:  A script losing the setuid bit when edited by non-root
users is normal behavior.

Helpful tips:
Larye Parkins wrote:
instead of setuid scripts, normally cautious types use a wrapper, which is a
small compiled program that, using setuid privilege, executes a shell script
which is only readable/executable by the setuid user. A simple setuid
wrapper, from the perlsec man page:
#define REAL_PATH "/path/to/script"
main(ac, av)
char **av;
execv(REAL_PATH, av);
The wrapper is setuid, the script isn't, so the script owner can edit away.
However, the script must be protected from compromise, since the wrapper
will run whatever is at the target location.
Walter Heukels wrote:
use vim, which is better in every respect
and doesn't mess up the permissions.

Thanks for all of the responses.


 -----Original Message-----
From: 	Ben Green []
Sent:	Wednesday, July 16, 2003 5:07 PM
To:	''
Subject:	Silly Little Question about SETUID

Fellow managers,

I have been living the superuser lifestyle too long.  On one of my servers,
I recently helped a non-privileged user set the setuid bit on a shell
script.  I used vi on it as root to make a small fix to it and it continued
to work.  However, when the owner of the shell script edits the file with
vi, writing the changes to disk causes the setuid bit to go away.  The user
then has to chmod u+s on the file to get it back.

Maybe I missed this during some discussion years ago, or maybe I have been
doing things as root so much that I have forgotten how the common user's
shell life goes.

Why is this happening?

Ben Green
sunmanagers mailing list
Received on Fri Jul 18 20:53:15 2003

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:16 EST