The SUID Bit
Authored by: jyncroft on Aug 09, '03 03:23:07AM

Alternatively, you could set the owner of the shell script to root and set the uid (SUID) bit. Then you could run the script w/o having to type sudo (the SUID bit causes the script to run with the rights of the owner).

A note of caution here: setting the uid bit on a script could compromise your system. Be sure you know what the script does (everything it does) before doing so. Think twice before setting the SUID bit for scripts (owned by root) that take arguments at the command line, since you never know what parameters a malicious user may pass to your script. Since the script would run as root, it could do great damage if misused.

So, here's what you'd do:

% sudo chown root update_codes.sh
% sudo chmod 4755 update_codes.sh

or
% sudo chmod u+s update_codes.sh

Now when you want to run the script, just type the name of the script (if it's in your path) or ./update_codes.sh when you're in the same directory.

Jennifer



The SUID Bit
Authored by: GaelicWizard on Aug 09, '03 05:26:19AM

I'm not sure, but I don't believe the SUID bit works on shell scripts...

---
Pell



The SUID Bit
Authored by: jyncroft on Aug 09, '03 11:29:18AM

It does... try it. I have a few scripts set up this way, works great.

Jennifer



The SUID Bit
Authored by: Crawdad on Dec 11, '03 03:48:49PM
> Think twice before setting the SUID bit for scripts (owned by root) that take arguments at the command line, since you never know what parameters a malicious user may pass to your script. Since the script would run as root, it could do great damage if misused.

Not enough. The invoker could set an environment variable which causes the script to be parsed differently by the shell. Take $IFS for example, normally containing SP TAB NEWLINE. Add a well-chosen letter to that and the script does something the author never dreamed of. Setuid shell scripts are Bad Juju. If you think you must have one, write a setuid C wrapper that cleans the environment, then does setreuid() and runs the script.

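A sketch of the kind of setuid C wrapper the last comment describes, added here as an example; it is not code from any poster in this thread. The script path, the fixed PATH value, and the choice to carry over only a validated TERM are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed path: a root-owned script in a directory only root can write. */
#define SCRIPT "/usr/local/libexec/update_codes.sh"
#define ENV_MAX 4               /* PATH, IFS, optional TERM, NULL */
extern char **environ;
static char fixed_path[] = "PATH=/usr/bin:/bin:/usr/sbin:/sbin";
static char fixed_ifs[]  = "IFS= \t\n";     /* SP TAB NEWLINE */

/* A value is carried over only if it is a plain token (no '/', '%', spaces). */
static int safe_token(const char *v) {
    if (*v == '\0') return 0;
    for (; *v; v++)
        if (!isalnum((unsigned char)*v) && *v != '-' && *v != '_' && *v != '.')
            return 0;
    return 1;
}

/* Build the script's environment from constants. The caller's PATH, IFS,
 * ENV, BASH_ENV, LD_*, DYLD_* and everything else are dropped; only a
 * well-formed TERM survives. `out` must hold ENV_MAX pointers. */
int build_clean_env(char *const in[], char *out[]) {
    int n = 0;
    out[n++] = fixed_path;
    out[n++] = fixed_ifs;
    for (; in && *in; in++)
        if (strncmp(*in, "TERM=", 5) == 0 && safe_token(*in + 5)) {
            out[n++] = *in;
            break;
        }
    out[n] = NULL;
    return n;                   /* number of variables set */
}

int main(void) {
    char *clean[ENV_MAX];
    char *args[] = { "sh", SCRIPT, NULL };  /* caller's arguments are not forwarded */
    build_clean_env(environ, clean);
    /* Real UID := effective UID (the binary's owner) before running the script. */
    if (setreuid(geteuid(), geteuid()) != 0) { perror("setreuid"); return 1; }
    execve("/bin/sh", args, clean);
    perror("execve");           /* reached only if execve failed */
    return 1;
}
```

With this layout the compiled wrapper is the file that is root-owned with mode 4755, and the script itself carries no SUID bit.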