Re: [opensuse] Run command as another user
On 2017-10-03 02:55, Florian Gleixner wrote:
> On 02.10.2017 22:48, Carlos E. R. wrote:
>> On 2017-10-02 17:29, Florian Gleixner wrote:
>>>
>>> The "s" bit in chmod does not mean "suid root", it only means "suid". So
>>> bob can do this:
>>
>> As user? Doesn't he need be root to do the changes?
>
> No. Just try. The "s" bit is often misunderstood as "suid root", but it
> only changes to the owner of the file, not (only) root. So why should a
> user not be able to set it for his own files? Try!


I know it is not suid root.


cer@Telcontar:~> l /usr/bin/id
-rwxr-xr-x 1 root root 39872 Oct 7 2016 /usr/bin/id*
cer@Telcontar:~> cp /usr/bin/id /home/cer/id
cer@Telcontar:~> chmod u+s /home/cer/id
cer@Telcontar:~> l id
-rwsr-xr-x 1 cer users 39872 Oct 3 13:33 id*
cer@Telcontar:~> ./id
uid=1000(cer) gid=100(users) groups=100(users),0(root),10(wheel),...
cer@Telcontar:~>

cer@Telcontar:~> su - pepe
Password:
pepe@Telcontar:~> /home/cer/id
uid=1009(pepe) gid=100(users) euid=1000(cer)
groups=100(users),17(audio),33(video)
pepe@Telcontar:~>

cer@Telcontar:~> chmod 4744 /home/cer/id
cer@Telcontar:~> l id
-rwsr--r-- 1 cer users 39872 Oct 3 13:33 id*
cer@Telcontar:~> setfacl -m user:pepe:rx /home/cer/id
cer@Telcontar:~> getfacl /home/cer/id
getfacl: Removing leading '/' from absolute path names
# file: home/cer/id
# owner: cer
# group: users
# flags: s--
user::rwx
user:pepe:r-x
group::r--
mask::r-x
other::r--

cer@Telcontar:~>


Notice that /I/ can not change the group. You said:

«So, how do you manage access to this suid binary? One way can be group
permissions: alice and bob probably share a unix group, and no one else
is member of this group.»

AFAIK only root can do that (create that group and who belongs to it),
it is not the default in openSUSE.

--
Cheers / Saludos,

Carlos E. R.
(from 42.2 x86_64 "Malachite" at Telcontar)
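
The thread's point, that any user can set the "s" bit on a file he owns and that the program then runs with that owner's effective UID, means an audit should list every setuid file with its owner, not only root-owned ones. The following is an added example, not part of the original mail; the function name suid_report is hypothetical and it assumes GNU find and GNU stat:

```shell
#!/bin/sh
# Added example (not from the original mail). Needs GNU find and GNU stat.
#
# suid_report DIR
#   Prints one line per setuid regular file under DIR:
#     <octal mode> <owner> <exec scope> <path>
#   <owner> is the effective UID the program gets, root or not.
#   <exec scope> says who may run it according to the mode bits:
#     world = others have x, group = group class has x, owner = owner only.
#   On a file with an ACL the group class bits hold the ACL mask, so
#   "group" can also mean named users such as user:pepe:r-x; check getfacl.
suid_report() {
    find "$1" -xdev -type f -perm -4000 -exec stat -c '%a %U %n' {} + |
    while read -r mode owner path; do
        perm=$((0$mode))            # leading 0: parse the mode as octal
        if [ $((perm & 1)) -ne 0 ]; then
            scope=world
        elif [ $((perm & 8)) -ne 0 ]; then
            scope=group
        else
            scope=owner
        fi
        printf '%s %s %s %s\n' "$mode" "$owner" "$scope" "$path"
    done
}

# Stand-alone use: sh suid_report.sh /home
if [ "$#" -gt 0 ]; then
    suid_report "$1"
fi
```

Run over /home, a copy like the /home/cer/id above would be reported with owner cer, first as world-executable (mode 4755) and, after the chmod 4744, as limited by mode bits and ACL.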
