running program with GID set

Status
Not open for further replies.

dwcasey

MIS
Oct 31, 2002
179
US
I have a user, director, that needs to run a program as root. Before I try using sudo, I thought I would try to use the set-ID approach first.

I've modified my script with chmod ug+s pcmserve19.sh so it looks like:

-rwsr-sr-x 1 root system 199 Feb 21 14:23 pcmserve19.sh

The script looks like:

LIBPATH=/usr/pcm190
PCM_DATA=/usr/pcm190/
export LIBPATH
export PCM_DATA
# Start pcmserve version 19 in background
cd /usr/pcm190/
./pcmserve19 -b -z -l

When I try to run it as user director, it says it can't find the necessary libraries...as if the /usr/pcm190 exports did not "take"?

When user director tries to set those vars, are they not being "seen" by the pcmserve19 program?
 
For me, setuid and setgid bits are ineffective for a shell script.

Hope This Helps, PH.
Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884 or FAQ181-2886
 
I've changed it so that it's only set on the program being executed from the script, ./pcmserve19 -b -z -l and I'm still getting the error that those vars pointing to /usr/pcm190 are not being set. Thoughts?
 

Because there are so many shell exploits, I believe it is turned off in the Solaris kernel in the exec call.

You know it can be done in sudo. The other way is to write a small C wrapper that validates the "runner" and then runs the command.

gene
 
What is the exact error message you got?

The exports have nothing to do with the script being a SUID script or not. They should work regardless of the user id. Are you sure they are being specified correctly? I notice one has a trailing slash and one doesn't.

Are you sure all of the libraries are there? Try the command "ldd /usr/pcm190/pcmserve19" and see if all the libraries it needs are where you think they are. There might be some loaded using LD_LIBRARY_PATH that the director user doesn't have defined. You should compare the LD_LIBRARY_PATH variable for a user that can run it with the user that can't.

And SUID scripts do work for shell scripts on Solaris. You just need to be careful what you put into the script (i.e. nothing that allows shelling out of (editors, ftp, etc)).

Hope this helps.
 
Under root, using the script, this runs without issue. Only as user director, does it have a problem.

I ran ldd on the pcmserve19 program and they both have the same list of files. And, from what I can tell, they are all readable by the director user.
 
Anyway, ALK claims you must be root to run pcmserve ...

Hope This Helps, PH.
Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884 or FAQ181-2886
 
A SUID script only changes "effective UID", not actual UID. Your process still has both IDs. As PHV says, "ALK claims you must be root to run pcmserve". Then you pretty much have to be root.

Go ahead and try sudo, it's not that painful!
 
Thanks Sambones...I thought effective was same as actual, but that appears to not be the case. Thanks.
 
Try creating a SUID root script that just has the "id" command in it. On my Solaris machines it still shows my login ID as the UID, and shows root as EUID. The program can test for either one of these if it's trying to validate who you are.
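
The small C wrapper gene suggests, combined with the real-versus-effective UID point from the last replies, could look like this. It is an added example, not code posted in the thread; the director UID (1001), the PATH value and the name pcmwrap are assumptions, and the compiled wrapper is assumed to be installed root-owned with mode 4755.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define DIRECTOR_UID 1001      /* assumption: site-specific UID of "director" */
#define PCM_DIR "/usr/pcm190"

/* Fixed environment handed to pcmserve19; nothing is inherited from the caller. */
static char *const clean_env[] = {
    "PATH=/usr/bin:/bin",      /* assumption: minimal PATH */
    "LIBPATH=/usr/pcm190",
    "PCM_DATA=/usr/pcm190/",
    NULL
};

/* Validate the runner by REAL uid: the effective uid is root for anyone who
   starts a setuid-root binary, so it says nothing about who the caller is. */
int runner_allowed(uid_t real_uid)
{
    return real_uid == 0 || real_uid == DIRECTOR_UID;
}

/* Return the value the wrapper sets for NAME, or NULL if it sets none. */
const char *clean_env_get(const char *name)
{
    size_t n = strlen(name);
    for (int i = 0; clean_env[i] != NULL; i++)
        if (strncmp(clean_env[i], name, n) == 0 && clean_env[i][n] == '=')
            return clean_env[i] + n + 1;
    return NULL;
}

int main(void)
{
    char *const argv[] = { "pcmserve19", "-b", "-z", "-l", NULL };

    if (!runner_allowed(getuid())) {
        fprintf(stderr, "pcmwrap: uid %ld is not permitted\n", (long)getuid());
        return 1;
    }
    /* With euid 0, setuid(0) also sets the real and saved uid, so a
       "must be root" test on the real uid in the target program passes. */
    if (setuid(0) != 0) { perror("pcmwrap: setuid"); return 1; }
    if (chdir(PCM_DIR) != 0) { perror("pcmwrap: chdir"); return 1; }
    execve(PCM_DIR "/pcmserve19", argv, clean_env);
    perror("pcmwrap: execve");   /* reached only if execve failed */
    return 127;
}
```

Because the wrapper takes no arguments and builds the environment itself, the caller cannot influence the command line or the library path that the root process sees.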
 