
chmod ug+s cmd


Nathan Phan

Feb 13, 1998, 3:00:00 AM
Hi,
root created a script to do some housekeeping job; he then wants to allow the operator to execute the script. On the other hand, root doesn't want to let the operator have too many rights in the system. According to "man chmod", this can be accomplished by "chmod ug+s script", but it does not work for me. The effective ID is not the owner of the script as it is supposed to be. Can anybody shed some light?

Thanks in advance

Regards
Nathan

oslevel = 4.2.1
F50
 
The following is the direct quote from "man chmod"

4.      To use Set-ID Modes:

chmod ug+s cmd

When the cmd command is executed, the effective user and group IDs
are set to those that own the cmd file. Only the effective IDs associated
with the child process that runs the cmd command are changed. The
effective IDs of the shell session remain unchanged.

This feature allows you to permit access to restricted files. Suppose
that the cmd program has the Set-User-ID Mode enabled and is owned
by a user called dbms. The user dbms is not actually a person, but
might be associated with a database management system. The user betty
does not have permission to access any of dbms's data files. However,
she does have permission to execute the cmd command. When she does
so, her effective user ID is temporarily changed to dbms, so that
the cmd program can access the data files owned by the user dbms.

This way the user betty can use the cmd command to access the data
files, but she cannot accidentally damage them with the standard shell
commands.
 

Dominik Vogt

Feb 13, 1998, 3:00:00 AM

You'll have to write a C program that executes your script and change
the permissions for it.

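#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    /* this binary must be owned by root and have the set-user-ID bit set */
    if (setuid(0) != 0)
        return 1;
    return system("my_shell_script");
}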


BTW, you might want to use the 'roles' feature of AIX 4.2.1, which
allows you to give specific users the right to execute sets of commands.
You still have to write a C program, but there is a kernel call
which checks permissions:

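#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <usersec.h>

int main(void)
{
    /* MatchAnyAuths() returns 0 when the caller holds none of the listed authorizations */
    if (MatchAnyAuths("MyNewRole") == 0)
    {
        printf("no permission\n");
        exit(1);
    }
    else
    {
        /* become root (real and effective UID) before running the command */
        if (setuid(0) != 0)
            exit(1);
        return system("my_admin_command");
    }
}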

--
-----------------------------------------------------------------
Dominik Vogt phone: 07031/16-6852
IBM Deutschland Entwicklung GmbH fax: 902-6440
Hanns-Klemm-Str. 45, 71034 Boeblingen email: ava...@vnet.ibm.com
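
An added example, not part of the original posts: a hardened form of the set-user-ID wrapper approach from the reply above, which checks the script file, passes a fixed environment and uses execve() instead of system(). The script path, the /bin/sh interpreter and the helper name target_is_safe are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed location of the housekeeping script (hypothetical path). */
#define SCRIPT "/usr/local/sbin/housekeeping.sh"

/* Return 1 only if path is absolute, a regular file (not a symlink),
 * owned by owner, and not writable by group or others. */
int target_is_safe(const char *path, uid_t owner)
{
    struct stat st;

    if (path == NULL || path[0] != '/')
        return 0;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != owner)
        return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

int main(void)
{
    /* Fixed environment: nothing the caller set (PATH, IFS, ENV,
     * library search paths) reaches the shell that runs the script. */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    char *const argv[] = { "/bin/sh", SCRIPT, NULL };

    if (!target_is_safe(SCRIPT, 0)) {
        fprintf(stderr, "refusing to run %s\n", SCRIPT);
        return 1;
    }
    /* With effective UID 0 this also sets the real and saved UIDs. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    /* execve instead of system(): no shell parses a command string. */
    execve("/bin/sh", argv, envp);
    perror("execve");
    return 1;
}
```

The file check only helps if every directory on the way to the script is also writable by root alone.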

simon...@spamfreewaikato.ac.nz

Feb 13, 1998, 3:00:00 AM

Nathan Phan <np...@singnet.com.sg> wrote:
> Hi,
> root created a script to do some housekeeping job; he then wants to
> allow the operator to execute the script. On the other hand, root doesn't
> want to let the operator have too many rights in the system. According
> to "man chmod", this can be accomplished by "chmod ug+s script", but
> it does not work for me. The effective ID is not the owner of the script
> as it is supposed to be. Can anybody shed some light?

Putting s on a script mod isn't recommended.

Look at the program called "sudo".

--

Simon Travaglia, Email without auto spam rejection at s...@waikato.ac.nz
http://mrjolly.cc.waikato.ac.nz Ph: +64 7 838-4709 Fax: +64 7 838-4066
University of Waikato, Private Bag 3105, Hamilton, New Zealand..
