Re: Can't get the set-user-id bit to work
From: Bob Proulx
Subject: Re: Can't get the set-user-id bit to work
Date: Sat, 31 Dec 2005 19:24:32 -0700
User-agent: Mutt/1.5.9i
I see that you have resolved your problem with bad permissions on
/tmp. But I wanted to follow another line of discussion.
Sebastian Tennant wrote:
> [...test cases of suid-scripts...]
> A cron.daily script handles mandb. I elected to install it with the
> set-user-id bit set, as you can see:
>
> /usr/lib/man-db:
> used 220 available 573264
> drwxr-xr-x 2 root root 4096 Oct 16 15:13 .
> drwxr-xr-x 116 root root 24576 Dec 14 11:49 ..
> -rwsr-xr-x 1 man root 86932 Sep 21 13:23 man
> -rwsr-xr-x 1 man root 96808 Sep 21 13:23 mandb
Actually, if you look at mandb, it is not a script but a binary. I
think this may be obvious to you now, but reading the above I wanted to
clarify it for the mail archive and the readers that follow. Setting
suid on binaries is okay. Setting suid on scripts is not. On my
system:
file /usr/lib/man-db/mandb
/usr/lib/man-db/mandb: ELF 64-bit LSB executable, AMD x86-64, version 1
(SYSV), for GNU/Linux 2.6.0, dynamically linked (uses shared libs), stripped
It is okay to suid a binary and the Debian configuration is designed
to work with that setting. If it were a script then that would be a
bug to be reported and fixed.
> Every day I receive the same message in my inbox:
>
> /etc/cron.daily/man-db script:
> mandb: can't create a temporary filename: Permission denied
That has become a well-known symptom for me in my lab: someone
created a separate disk partition to be used for /tmp as root with a
umask of 02 or 022 and then forgot to change the permissions when they
released the machine to production. Most system processes run as root
and can still create temporary files in /tmp. Unless a user reports
that they cannot create files in /tmp, the first indication is the mail
from the cron run of the mandb program.
Bob
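As an added example, not part of Bob's message or of the man-db package, the following POSIX shell script reproduces both points of the reply in a scratch directory (it never touches the real /tmp): a mount point created under a root umask of 022 comes out drwxr-xr-x instead of drwxrwxrwt, which is exactly what stops a setuid mandb running as user "man" from creating its temporary file, and a setuid file is only legitimate when it is an ELF binary, since the kernel ignores the bit on scripts. The ELF test reads the four magic bytes directly so it does not depend on file(1) being installed; the two setuid files it creates (a one-line script and a four-byte file carrying only the ELF magic) are constructed for the demonstration and are not real programs.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the /tmp permission
# mistake described in the reply and the suid-binary-vs-script distinction,
# in a scratch directory so nothing touches the real /tmp.

# mode_of DIR -> the 10-character mode string from ls -ld, e.g. drwxrwxrwt
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# tmp_is_world_writable DIR -> 0 if DIR is mode 1777 (drwxrwxrwt), else 1.
# A /tmp created under umask 022 comes out drwxr-xr-x, so any process not
# running as root (here: mandb running as user "man") gets EACCES when it
# tries to create a temporary file there.
tmp_is_world_writable() {
    case "$(mode_of "$1")" in
        drwxrwxrwt) return 0 ;;
        *)          return 1 ;;
    esac
}

# is_elf FILE -> 0 if FILE starts with the ELF magic \177ELF, else 1.
# Reads the first four bytes with dd/od instead of relying on file(1).
is_elf() {
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# classify_suid DIR -> prints "ok <file>" for each setuid ELF binary under
# DIR and "SUSPECT <file>" for any other setuid regular file (typically a
# script). The Linux kernel ignores the setuid bit on scripts, so a suid
# script is a packaging or configuration bug, not a working privilege step.
classify_suid() {
    find "$1" -type f -perm -4000 | while read -r f; do
        if is_elf "$f"; then echo "ok $f"; else echo "SUSPECT $f"; fi
    done
}

# Demonstration in a scratch directory
demo() {
    scratch=$(mktemp -d)

    # The mistake: the new mount point is created with a root umask of 022
    ( umask 022; mkdir "$scratch/tmp" )
    echo "fresh mount point: $(mode_of "$scratch/tmp")"   # drwxr-xr-x
    tmp_is_world_writable "$scratch/tmp" || echo "-> non-root users (and mandb as 'man') cannot create temp files"

    # The fix: world-writable with the sticky bit, as the installer made it
    chmod 1777 "$scratch/tmp"
    echo "after chmod 1777: $(mode_of "$scratch/tmp")"    # drwxrwxrwt
    tmp_is_world_writable "$scratch/tmp" && echo "-> /tmp is usable again"

    # Constructed setuid files: a shell script and a file with only the ELF
    # magic bytes (stands in for a real binary such as /usr/lib/man-db/mandb)
    printf '#!/bin/sh\necho hi\n' > "$scratch/wrapper.sh"
    printf '\177ELF' > "$scratch/fake-mandb"
    chmod 4755 "$scratch/wrapper.sh" "$scratch/fake-mandb"
    classify_suid "$scratch"   # SUSPECT .../wrapper.sh, ok .../fake-mandb

    rm -rf "$scratch"
}

demo
```

On a real system the same two functions apply directly: `tmp_is_world_writable /tmp` is the check to run after creating a separate /tmp partition, and `classify_suid /usr` lists every setuid file that is not an ELF binary and therefore deserves a second look.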