Path: sserve!newshost.anu.edu.au!munnari.oz.au!news.Hawaii.Edu!ames!olivea!uunet!psgrain!ee.und.ac.za!tplinfm
From: barrett@lucy.ee.und.ac.za (Alan Barrett)
Newsgroups: comp.os.386bsd.bugs
Subject: Secure SUID scripts
Date: 15 Jun 1993 09:26:03 +0200
Organization: Elec. Eng., Univ. Natal, Durban, S. Africa
Lines: 27
Message-ID: <1vjtib$725@lucy.ee.und.ac.za>
References: <crt.739809100@tiamat.umd.umich.edu> <CGD.93Jun11103630@eden.CS.Berkeley.EDU> <crt.739850733@tiamat.umd.umich.edu> <27957@ksr.com>
NNTP-Posting-Host: lucy.ee.und.ac.za

In article <27957@ksr.com>, jfw@ksr.com (John F. Woods) writes:
> perl has a scheme for enabling setuid perl scripts to work (which it does
> indirectly, without kernel support). If you really need SUID scripts to work,
> investigate that solution. Don't "fix" the kernel to enable SUID scripts

I recommend Maarten Litmaath's "indir" wrapper, available from all good
comp.sources.unix archives. indir is a small SUID root program, and
when you want a SUID shell script you say stuff like this:

    #!/bin/indir -u
    #?/bin/sh /absolute/path/to/this/script
    the real code goes here

The -u option tells indir that the script should be SUID, and there are
also -g (SGID), -b (both SUID and SGID) and -n (neither SUID nor SGID)
options. Indir checks that the permissions are set properly and
securely invokes the interpreter in the #? line.

Indir is also useful for getting around some other limitations of the
kernel #! mechanism: indir is happy with the name of a non-binary script
in a #? line; indir can do ~user expansion in #? lines; indir can handle
#? lines with many arguments.

--apb
Alan Barrett, Dept. of Electronic Eng., Univ. of Natal, Durban, South Africa
RFC822: barrett@ee.und.ac.za