Re: fork with user privilegs/rights?

From Kaz Kylheku <330-706-9395@kylheku.com>
Newsgroups comp.unix.programmer
Subject Re: fork with user privilegs/rights?
Date 2016-03-18 14:45 +0000
Organization Aioe.org NNTP Server
Message-ID <20160318073327.46@kylheku.com> (permalink)
References <ncgo81$pau$1@news.albasani.net> <chine.bleu-A10B72.07284318032016@88-209-239-213.giganet.hu>


On 2016-03-18, Siri Cruise <chine.bleu@yahoo.com> wrote:
> In article <ncgo81$pau$1@news.albasani.net>,
>  Heinz-Mario Frühbeis <Div@Earlybite.individcore.de> wrote:
>
>> Hi,
>> 
>> AFAIK a forked process has the same user privileges/rights as the process
>> from which it is forked.
>> But is it possible to fork e.g. with/for sudo-rights, or if, again with 
>> normal rights?
>
> exec a binary executable with setuid and/or setgid. That will set the uid and/or 
> gid, even to root. The trick is it uses the file owner and only root can change 
> the owner (with chown). So you can create a binary that will execute with your 
> uid no matter what user runs it, but to create a setuid root you need to be root.
>
> As far as I know, setuid is ignored for scripts on all unices, but

We can't have some high level, safe language running around as root!

Root privs can't be trusted to anything but a block of machine language
written in assembler or C.

I recently fixed this issue for users of the TXR language. If you
install the txr executable as setuid, then it will honor setuid bits on
scripts. That is to say, if it notices it is setuid, it drops privs
early in its execution, unless running from a script with a setuid bit;
in that case it implements the semantics. (Not just root; if running as
effective root, and the script is "setuid bob", it will drop effective
user id to bob.)

> when you want 
> to pretend you are running on Windows, you can log in as root and compile a 
> short program that concatenates its argv and then execs /bin/sh -c string. 
> Compile and chmod in setuid. And leave it in a bin where anyone on the machine 
> can run it.

You already have that program: it's called sudo. You just have to
configure sudo permissively: let any user run any command.
Then it's equivalent to the above.

OTOH, if you want to run a script with privilege and *not* pretend that
you're running on Windows, and the interpreter can't be trusted to be
setuid (and lacks the special features for setuid scripting) then you
can compile a short setuid program which doesn't simply allow just any
arguments to be exec-ed. You construct the program such that it runs
just that particular script, by absolute path name. (chroot can change
the meaning of an absolute path name, but chroot requires privs).
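
The fixed-script wrapper described in the last paragraph of the post, as an added example that is not part of the original message or anyone's posted code. The interpreter and script paths, the cleared environment and the ownership check are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed paths for illustration; neither appears in the post. */
#define INTERP "/bin/sh"
#define SCRIPT "/usr/local/libexec/site-task.sh"

/* Fixed environment: nothing from the caller (PATH, IFS, LD_*, ENV) survives. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Added precaution: the script must be a regular file, owned by the uid the
   wrapper runs as, and not writable by group or others. */
int script_is_trustworthy(const struct stat *st, uid_t owner)
{
    if (!S_ISREG(st->st_mode)) return 0;
    if (st->st_uid != owner) return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Build the argv for exec. The caller's arguments are deliberately dropped,
   so no option or path chosen by the invoking user reaches the interpreter. */
int build_argv(int argc, char **argv, char *out[], int cap)
{
    (void)argc; (void)argv;
    if (cap < 3) return -1;
    out[0] = INTERP;
    out[1] = SCRIPT;   /* absolute path, fixed at compile time */
    out[2] = NULL;
    return 2;
}

int main(int argc, char **argv)
{
    struct stat st;
    char *args[3];
    if (stat(SCRIPT, &st) != 0 || !script_is_trustworthy(&st, geteuid())) {
        fprintf(stderr, "refusing to run %s\n", SCRIPT);
        return 1;
    }
    if (build_argv(argc, argv, args, 3) < 0) return 1;
    execve(INTERP, args, clean_env);
    perror("execve");   /* reached only if execve failed */
    return 1;
}
```

Some shells, bash among them, reset the effective uid to the real uid at startup unless told otherwise, so the interpreter's own setuid handling still has to be checked before relying on a wrapper like this.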
