[linux] sendmail: alias to program

Matus fantomas Uhlar uhlar at fantomas.sk
Wednesday April 11 19:44:01 CEST 2001


->    > -> ??? Really? Where did you find that out? I don't doubt it, it's just
->    > -> surprising information to me...
-> 
-> see the Linux-FAQ http://www.linuxdoc.org/FAQ/Linux-FAQ/x1955.html#AEN2068
-> 
->    > most shells, when executing a setuid script, change their UID back.
-> 
-> So you are saying that it is the command interpreter itself that changes the id back?
-> And back from what? From id==0? I.e. it already has id==0, i.e. it is running with the
-> identity of the superuser? Surely not :-) The kernel does not take the suid bit into
-> account for scripts. If "most", then which one allows it?

well, I had my information from Solaris, where the shell calls setreuid() when euid!=ruid
and skips that when it is started with the -p parameter

as I see it, in Linux the security of this thing was handled according to the FAQ above:

    7.7. Setuid Scripts Don't Seem to Work.

    That's right. This feature has been disabled in the Linux kernel on
    purpose, because setuid scripts are almost always a security hole. Sudo
    and SuidPerl can provide more security than setuid scripts or binaries,
    especially if execute permissions are limited to a certain user ID or
    group ID.

    If you want to know why setuid scripts are a security hole, read the FAQ
    for comp.unix.questions.

so this feature was disabled entirely...

->    > it can be worked around
->    > #!/bin/sh -p
-> 
-> :-) You are not serious, are you? :-)

I am. log in to any solaris server and type man sh:

     -p    If the -p flag is present, the shell will not set  the
           effective  user  and  group  IDs  to the real user and
           group IDs.
 

root@[store /export/home/uhlar] # id
uid=0(root) gid=1(other)
root@[store /export/home/uhlar] # ls -l
total 2
-rwsr-xr-x   1 uhlar    other         36 Apr 11 19:41 script
root@[store /export/home/uhlar] # cat script 
#!/bin/sh -p
id
touch bla
ls -l bla
root@[store /export/home/uhlar] # ./script 
uid=0(root) gid=1(other) euid=1006(uhlar)
-rw-r--r--   1 uhlar    other          0 Apr 11 19:41 bla


so as you can see, on solaris it behaves the way I described. On linux it doesn't, I had
wrong info ;) in any case I wasn't just talking nonsense

-- 
 Matus "fantomas" Uhlar, sysadmin at NEXTRA, Slovakia; IRCNET admin of *.sk
 uhlar at fantomas.sk ; http://www.fantomas.sk/ ; http://www.nextra.sk/
 My mind is like a steel trap - rusty and illegal in 37 states. 
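The post above describes the interpreter's half of setuid-script handling on Solaris: the kernel starts /bin/sh with euid set to the script owner, and sh then resets its effective ids to the real ones unless it was given -p, which is why the transcript shows uid=0 but euid=1006 only when the script's shebang carries -p. The following C program is an added example written for this page, not the poster's code and not Solaris source; it models that rule with a pure decision function (should_reset_ids), an option scanner (has_privileged_flag) and the setreuid()/setregid() call the shell would make (apply_shell_id_policy), all of which are names chosen here for illustration. On Linux the kernel ignores the setuid bit on scripts, so an interpreter never reaches this point with euid != ruid; run from an ordinary (non-setuid) process the reset is a no-op.

```c
/* Added example (not from the original post): a minimal model of the
 * privilege handling Solaris /bin/sh applies to a setuid script.
 * When the kernel honours the setuid bit, the interpreter starts with
 * euid != ruid.  Without -p the shell sets the effective ids back to the
 * real ones; with -p (as in "#!/bin/sh -p") it keeps them.
 * The decision is isolated in should_reset_ids() so it can be exercised
 * without building a setuid binary.  Function names are illustrative. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Return 1 if a shell started without -p would reset its effective ids.
 * Mirrors the man page text: "-p ... the shell will not set the effective
 * user and group IDs to the real user and group IDs". */
int should_reset_ids(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                     int privileged)
{
    if (privileged)                 /* -p given: keep the setuid identity */
        return 0;
    return ruid != euid || rgid != egid;
}

/* Scan the leading option words for a 'p' flag.  A shebang line like
 * "#!/bin/sh -p" arrives as argv[1] == "-p"; scanning stops at the first
 * non-option word or at "--", so a script *argument* "-p" does not count. */
int has_privileged_flag(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--") == 0 || argv[i][0] != '-')
            break;                  /* end of options */
        if (strchr(argv[i] + 1, 'p') != NULL)
            return 1;
    }
    return 0;
}

/* Apply the policy to the running process and return the resulting euid.
 * Group ids are reset first so the uid reset cannot leave a dangling egid. */
uid_t apply_shell_id_policy(int privileged)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    if (should_reset_ids(ruid, euid, rgid, egid, privileged)) {
        if (setregid(rgid, rgid) != 0 || setreuid(ruid, ruid) != 0)
            perror("setre[ug]id");
    }
    return geteuid();
}

int main(int argc, char **argv)
{
    int privileged = has_privileged_flag(argc, argv);
    uid_t euid = apply_shell_id_policy(privileged);
    printf("privileged(-p)=%d uid=%u euid=%u\n", privileged,
           (unsigned)getuid(), (unsigned)euid);
    return 0;
}
```

Compiled and run as-is the output simply shows uid == euid, because nothing made the process setuid. The case from the transcript corresponds to should_reset_ids(0, 1006, 1, 1, privileged): without -p it returns 1 and the shell would go back to euid 0 (the invoking root), with -p it returns 0 and the script keeps euid 1006, the owner, exactly as the id output in the post shows.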


