Re: [SLUG] Please explain/advise

From: Ronan Heffernan (ronan@tampabay.rr.com)
Date: Mon Feb 07 2005 - 15:39:19 EST


Bob Stia wrote:
> Hello Sluggers,
>
> Please explain how suid works. When set, is the program actually invoked
> by the user or is it really still root?
>
> As per a suggestion here awhile ago, I want to run ntpdate automatically
> when my dial up connection is established. Now, ntpdate is root
> owned and cannot be called by me in the ip-up script. If I can
> understand how to set suid on ntpdate that would make it work and
> adjust my time, right? But, would ntpdate run all the time I was
> connected? (stay connected to the server) And under those conditions,
> if it was really being run by root wouldn't that be dangerous?
>
> I know. I am confused and ignorant. I am a long time learning and still
> not very knowledgeable, especially about permissions.
>

If the setuid bit is set on an executable file, then that file always
runs as the 'owner' of the file, not necessarily 'root' (though if the
file is owned by 'root', then it will execute as 'root'). This is
only dangerous if the executable performs dangerous actions. If you
change /bin/rm to be setuid, then any user could erase any file(s) on
the filesystem(s). As long as ntpdate does not perform any dangerous
actions (either deliberately or via a bug), then it should be rather
safe to run setuid. Be especially careful of programs that can
arbitrarily execute other programs, or give the user a shell.

One thing that you can do: change the execute permissions of the
ntpdate program so that only members of a small group can execute it
at all. Example:

    chgrp wheel ntpdate
    chmod 4750 ntpdate

then add yourself and a few trusted users to the wheel group (edit
/etc/group). No one else will be able to execute ntpdate.

--ronan

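As an added illustration of the `chmod 4750` step above (this is example code, not part of Ronan's reply or of the ntp project): the octal mode `4750` means setuid (4), owner rwx (7), group r-x (5) and nothing for others (0). The functions below read the mode string back via `ls -ld`, check that the setuid bit is present and that "other" users have lost execute permission, and apply the restriction to a constructed stand-in file in a temporary directory. The file name `fake-ntpdate` and the use of the caller's own primary group (`id -gn`) in place of `wheel` are assumptions made so the script runs unprivileged; `chgrp wheel` in the original requires that you are a member of `wheel` or are root.

```shell
#!/bin/sh
# Added example (not from the original post): inspect and apply the
# "setuid, group-only execute" permission pattern described above.
# Assumes a POSIX ls whose mode string uses 's' for the setuid bit.

# is_setuid FILE -> returns 0 if the setuid bit is set on FILE.
# In the 10-character mode string (e.g. -rwsr-x---) the owner's
# execute position (4th char) shows 's' or 'S' when setuid is set.
is_setuid() {
    perm=$(ls -ld "$1" | cut -c1-10)
    case "$perm" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# others_can_execute FILE -> returns 0 if users outside the owner and
# group can execute FILE (last char is 'x', or 't' for sticky+exec).
others_can_execute() {
    perm=$(ls -ld "$1" | cut -c1-10)
    case "$perm" in
        *[xt]) return 0 ;;
        *)     return 1 ;;
    esac
}

# restrict_to_group FILE GROUP: the two commands from the reply above,
# parameterised. Owner keeps rwx, GROUP gets r-x, everyone else nothing,
# and the setuid bit makes the program run as the file's owner.
restrict_to_group() {
    chgrp "$2" "$1" && chmod 4750 "$1"
}

# demo: build a constructed stand-in executable, show the "before" and
# "after" mode strings. Note: Linux (and most Unixes) ignore the setuid
# bit on interpreted scripts, so a shell script like this one would
# still run as the caller even with the bit set; the bit only takes
# effect on a native binary such as the real ntpdate.
demo() {
    tmp=$(mktemp -d) || return 1
    f="$tmp/fake-ntpdate"                      # constructed, hypothetical file
    printf '#!/bin/sh\necho "running as uid $(id -u)"\n' > "$f"
    chmod 755 "$f"                             # world-executable, no setuid
    echo "before: $(ls -ld "$f" | cut -c1-10)"
    restrict_to_group "$f" "$(id -gn)"         # assumes caller's own group
    echo "after:  $(ls -ld "$f" | cut -c1-10)"
    if is_setuid "$f"; then echo "setuid bit: set"; fi
    if others_can_execute "$f"; then
        echo "others can execute: yes"
    else
        echo "others can execute: no"
    fi
    rm -rf "$tmp"
}

# Run the demo only when executed directly, not when sourced for testing.
case "$0" in
    *setuid-demo.sh) demo ;;
esac
```

Reading the mode string back after the change is the check worth keeping: a `chmod` that silently fails (read-only or `nosuid`-mounted filesystem, wrong group) leaves the old world-executable bits in place, and the pattern above will report that.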
-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 18:41:34 EDT