SUID works for shell scripts??

SUID works for shell scripts (bash)??

I'm user user1 and need to execute a shell script (script.sh) which is owned by user2.

-rwsrwxrwx 1 user2 aduser 3518 Aug 21 05:33 script.sh

Only user2 has write privileges to write/copy a file in directory /dir1/subdir. Hence the SUID bit is set on script.sh. But I'm still not able to run the script from the user1 account. It says permissions denied to /dir1/subdir.

But the same script (script.sh) runs successfully from the user2 account and is able to copy/write a file in /dir1/subdir.

I don't have any clue. Please help me.

SUID for shell scripts will not work on most modern Unix/Linux systems.
This is due to security reasons.

What you can do is make a C program that calls the shell script and put SUID on that compiled binary.

Can you perhaps use standard (or ACL) Unix permissions to achieve the result you want to make?


You may find that the filesystem containing your script prevents SUID being recognised.

You don't tell us your actual OS, but can you show us the output from:-

df  /path/to/script
grep  file-system  /etc/?fstab  /etc/filesystems

The file-system will be the right-most column from the df command. I've asked it to search in various places (some of which won't exist) to try to cover all operating systems.

Robin

As has been said before, it is always a good idea to tell us what operating system you're using (in addition to the shell you're using) when you ask a question here. We can give you much more responsive suggestions if we know the environment you're using...

Even on systems that allow set-UID and/or set-GID scripts, most of them won't allow it when users other than the file's owner (especially for set-UID scripts) and/or groups other than the file's group (especially for set-GID scripts) can write to the file containing the script.

If you can get user2 to change the mode of script.sh from mode 4777 to mode 4755, you might get it to work on some systems.

sudo is another approach. It allows users to run code as other users. Your sysadmin has to set this up.

See (linux example): https://www.linux.com/learn/tutorials/306766:linux-101-introduction-to-sudo

sudo is available for a lot of UNIX platforms

Except you have to be really careful when you do that. A simple

#include <stdlib.h>

int main()
{
    return ( system( "/path/to/some/command" ) );
}

is NOT secure.

Thank you all for your comments.
I'm using Unix (Solaris 5.10).

I tried the following C program:

#include <stdio.h>
#include <stdlib.h>
#define SHELLSCRIPT "\
/home/user1/script_test/test_script_v1 \n\
"
int main()
{
    puts(SHELLSCRIPT);
    system(SHELLSCRIPT);
    return 0;
}

Note: /home/user1/script_test/test_script_v1 --> script to copy a file into /dir1/subdir, where user1 (me) doesn't have access to write/copy a file.

The program is compiled and I set the SUID permissions. After setting SUID for that executable I tried to execute it from my home dir. It executed successfully and copied the file into the directory /dir1/subdir.
But I need to pass 5 input parameters to the shell script. The scenario just tested is just executing the shell script from the C program. Can anyone please tell me how to change the above C program to pass inputs to the shell script?
Thanks in advance.

Change:

/home/user1/script_test/test_script_v1 \n\

to:

/home/user1/script_test/test_script_v1 arg1 arg2 arg3 arg4 arg5\n\

or if you need quoted strings:

/home/user1/script_test/test_script_v1 \"arg 1\" \"arg 2\" \"arg 3\" \"arg 4\" \"arg 5\"\n\

That would be for constant parameters. You might want to copy the program's parameters to the script parameters using a for loop up to argc, and strcat the respective argv array elements to follow the script name.
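An added example, not code from any post in this thread: a set-UID wrapper that forwards exactly five parameters to the script without system() or strcat, so no command string is ever parsed by a shell. The allowed character set, the fixed PATH value, and the assumption that the script is executable and starts with a #! line are choices made for this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Path from the thread. In practice the script must live where only its
 * owner (user2) can write, not in the invoking user's home directory. */
#define SCRIPT "/home/user1/script_test/test_script_v1"
#define NARGS  5   /* the script takes five parameters */

/* Assumed policy: non-empty, under 256 bytes, no leading '-', and only
 * characters that carry no special meaning to a shell. */
static int arg_ok(const char *s)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._/-";
    size_t n = strlen(s);
    return n > 0 && n < 256 && s[0] != '-' && strspn(s, allowed) == n;
}

/* Fill out[] with { SCRIPT, arg1..arg5, NULL }.
 * Returns 0 on success, -1 on a wrong count or a rejected argument. */
static int build_argv(int argc, char **argv, char *out[NARGS + 2])
{
    int i;
    if (argc != NARGS + 1)
        return -1;
    out[0] = (char *)SCRIPT;
    for (i = 1; i <= NARGS; i++) {
        if (!arg_ok(argv[i]))
            return -1;
        out[i] = argv[i];          /* passed as a separate argv entry */
    }
    out[NARGS + 1] = NULL;
    return 0;
}

int main(int argc, char **argv)
{
    /* Fixed environment: the caller's PATH, IFS, ENV, LD_* are not inherited. */
    static char *clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    char *child[NARGS + 2];

    if (build_argv(argc, argv, child) != 0) {
        fprintf(stderr, "usage: %s a1 a2 a3 a4 a5\n", argv[0]);
        return 2;
    }
    execve(SCRIPT, child, clean_env);  /* kernel runs the #! interpreter */
    perror("execve");                  /* reached only if execve failed */
    return 1;
}
```

If the script's interpreter is bash, note that bash resets the effective UID to the real UID at startup unless it is started with -p.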