bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Can't get the set-user-id bit to work


From: Sebastian Tennant
Subject: Re: Can't get the set-user-id bit to work
Date: Wed, 28 Dec 2005 00:45:42 +0000
User-agent: Gnus/5.110004 (No Gnus v0.4) Emacs/21.4 (gnu/linux)

address@hidden (Paul Jarc) wrote:

> Sebastian Tennant <address@hidden> wrote:
>> I have a 3-line script; foo:
>
> The setuid bit works only for binaries, not scripts.  This is a
> limitation of the kernel, necessary for security.

Ah.  I read the chmod manpage and some stuff in the find Info manual
on permissions, and this fact is not made immediately apparent.
Perhaps it should be. Or perhaps I'm just not seeing :-/

>> A cron.daily script handles mandb.  I elected to install it with the
>> set-user-id bit set, as you can see:
>
> Is it meant to be installed that way?  If not, you probably shouldn't
> do that.  It might break something, or introduce a security risk.

Debian's debconf mechanism currently presents you with the option:

   "The man and mandb program can be installed with the set-user-id
    bit set, so that they will run with the permissions of the 'man'
    user. This allows ordinary users to benefit from the caching of
    preformatted manual pages ('cat pages'), which may aid performance
    on slower machines.

    Cached man pages only work if you are using an 80-column terminal,
    to avoid one user causing cat pages to be saved at widths that
    would be inconvenient for other users. If you use a wide terminal,
    you can force man pages to be formatted to 80 columns anyway by
    setting MANWIDTH=80.

    Enabling this feature may be a security risk, so it is disabled by
    default. If in doubt, you should leave it disabled.

    Should man and mandb be installed 'setuid man'?"

I set it this way in an attempt to overcome the problem I was having.
Now that I know what the problem is I'll revert to non SUID man.

> With those permissions, only the root user and root group can create
> files in /tmp.  To allow all users to create files there, make it
> world-writable and sticky:
> # chmod 1777 /tmp
> # ls -ld /tmp
> drwxrwxrwt  13 root root 4096 Dec 27 16:50 /tmp

OK, but mandb _is_ a member of the root group, so shouldn't it be able
to write files in /tmp with the permissions as they stand?

  -rwsr-xr-x    1 man  root 96808 Sep 21 13:23 mandb

  drwxrwxr-x   13 root root 4096  Dec 27 16:50 /tmp

sdt





reply via email to

[Prev in Thread] Current Thread [Next in Thread]