Search Results

Search found 82 results on 4 pages for 'setuid'.

  • checksecurity / setuid changes, is this a bug or did somebody break in?

    - by Fabian Zeindl
    I received a mail by checksecurity from my ubuntu 12.04 server with the following content:

        --- setuid.today 2012-06-03 06:48:09.892436281 +0200
        +++ /var/log/setuid/setuid.new.tmp 2012-06-17 06:47:51.376597730 +0200
        @@ -30,2 +30,2 @@
        - 131904 4755 2 root root 71280 Wed May 16 07:23:08.0000000000 2012 ./usr/bin/sudo
        - 131904 4755 2 root root 71280 Wed May 16 07:23:08.0000000000 2012 ./usr/bin/sudoedit
        + 143967 4755 2 root root 71288 Fri Jun 1 05:53:44.0000000000 2012 ./usr/bin/sudo
        + 143967 4755 2 root root 71288 Fri Jun 1 05:53:44.0000000000 2012 ./usr/bin/sudoedit
        @@ -42 +42 @@
        - 130507 666 1 root root 0 Sat Jun 2 18:04:57.0752979385 2012 ./var/spool/postfix/dev/urandom
        + 130507 666 1 root root 0 Mon Jun 11 08:47:16.0919802556 2012 ./var/spool/postfix/dev/urandom

    First I was worried, then I realized that the change was actually 2 weeks ago; I think there was a sudo update back then. Since checksecurity runs in /etc/cron.daily I wondered why I only get that email now. I looked into /var/log/setuid/ and found the following files:

        total 32
        -rw-r----- 1 root adm   816 Jun 17 06:47 setuid.changes
        -rw-r----- 1 root adm   228 Jun  3 06:48 setuid.changes.1.gz
        -rw-r----- 1 root adm   328 May 27 06:47 setuid.changes.2.gz
        -rw-r----- 1 root root 1248 May 20 06:47 setuid.changes.3.gz
        -rw-r----- 1 root adm  4473 Jun 17 06:47 setuid.today
        -rw-r----- 1 root adm  4473 Jun  3 06:48 setuid.yesterday

    The obvious thing that confuses me is that the file setuid.yesterday is not from yesterday = Jun/16. Is this a bug?
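    Review bot: the two sudo lines and the urandom line should be read separately. ./usr/bin/sudo and ./usr/bin/sudoedit change together with the same new inode (131904 to 143967), the same size change (71280 to 71288), the same link count of 2 and the same Jun 1 mtime, which is what a hard-linked pair being replaced by a package upgrade looks like rather than a file edited in place; the mode stays 4755 throughout. For ./var/spool/postfix/dev/urandom only the timestamp moves, while inode 130507, mode 666 and size 0 are unchanged. Confirming the Jun 1 sudo upgrade against the package manager's own log is the check that closes the question, and the setuid.yesterday date matches setuid.changes.1.gz (Jun 3), so the "yesterday" snapshot is simply the last run that recorded a change.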

  • (Ubuntu) setuid bash doesn't work

    - by ???
    Here is the code:

        (root:)
        # mkdir /test
        # cp /bin/bash /test/sbash
        # chmod a+s /test/sbash

        (user1:)
        $ cd /test
        $ ./sbash
        $ mkdir trycreate
        mkdir: cannot create directory `trycreate': Permission denied

    And bash scripts with the setuid bit set don't work, either. By the way, my setuid perl script works. test.pl (with setuid bit set, owner=root):

        #!/usr/bin/perl
        mkdir('/test/tryperlcreate') or die 'failed';

    Executing test.pl as user1 will create the directory owned by root.

  • sudo or acl or setuid/setgid ?

    - by Xavier Maillard
    Hi, for a reason I do not really understand, everyone wants sudo for all and everything. At work we even have as many entries as there are ways to read a logfile (head/tail/cat/more, ...). I think sudo is defeating here. I'd rather use a mix of setgid/setuid directories and add ACLs here and there, but I really need to know what the best practices are before starting up. Our servers have %admin, %production, %dba, %users, i.e. many groups and many users. Each service (mysql, apache, ...) has its own way to install privileges, but members of the %production group must be able to consult configuration files or even log files. There is still the solution to add them into the right groups (mysql...) and set the proper permissions. But I do not want to usermod all users, and I do not want to modify standard permissions since they could change after each upgrade. On the other hand, setting ACLs and/or mixing setuid/setgid on directories is something I could easily do without "defacing" the standard distribution. What do you think about this? Taking the mysql example, that would look like this:

        setfacl d:g:production:rx,d:other::---,g:production:rx,other::--- /var/log/mysql /etc/mysql

    Do you think this is good practice or should I definitely usermod -G mysql and play with the standard permissions system? Thank you

  • Get calling user ID in PHP setuid script

    - by Bart van Heukelom
    I have a PHP script on Linux in which the sticky bit is set, so it gets executed as the file owner. How can I get the user id of the calling process, for authorization purposes? Context: I have two applications on a server, and want one to request some info from the other. For this reason the other offers a script with setuid, but I want to make sure it can only be called by the one.

  • Strange strace and setuid behaviour: permission denied under strace, but not running normally.

    - by Autopulated
    This is related to this question. I have a script (fix-permissions.sh) that fixes some file permissions:

        #! /bin/bash
        sudo chown -R person:group /path/
        sudo chmod -R g+rw /path/

    And a small C program to run this, which is setuided:

        #include <sys/types.h>
        #include <unistd.h>
        #include <stdlib.h>   /* for system() */

        int main(void) {
            /* make the real uid match the effective (setuid) uid before spawning the shell */
            setuid(geteuid());
            return system("/path/fix-permissions.sh");
        }

    Directory:

        -rwsr-xr-x 1 root root 7228 Feb 19 17:33 fix-permissions
        -rwx--x--x 1 root root  112 Feb 19 13:38 fix-permissions.sh

    If I do this, everything seems fine, and the permissions do get correctly fixed:

        james $ sudo su someone-else
        someone-else $ ./fix-permissions

    but if I use strace, I get:

        someone-else $ strace ./fix-permissions
        /bin/bash: /path/fix-permissions.sh: Permission denied

    It's interesting to note that I get the same permission denied error with an identical setup (permissions, C program), but a different script, even when not using strace. Is this some kind of heuristic magic behaviour in setuid that I'm uncovering? How should I figure out what's going on? System is Ubuntu 10.04.2 LTS, Linux 2.6.32.26-kvm-i386-20101122 #1 SMP

  • Why is setuid ignored on directories?

    - by Blacklight Shining
    On Linux systems, you can successfully chmod u+s $some_directory, but instead of forcing the ownership of new subdirectories and files to be the owner of the containing directory (and setting subdirectories u+s as well) as you might expect, the system just ignores the setuid bit. Subdirectories and files continue to inherit the UIDs of their creating processes, and subdirectories are not setuid by default. Why is setuid ignored on directories, and how can I get the system to recognize it?

  • Error after sudo-ing "sudo: must be setuid root"

    - by Kaustubh P
    On a colleague's computer, every time I use a sudo command, I get this error:

        sudo: must be setuid root

    I tried various things mentioned on the internet, like changing the permissions to 4755 from a live CD, but even this command from a live CD

        sudo chmod 4755 /media/device/usr/bin/sudo

    gives the same error. EDIT: The colleague told me that he executed this command, god knows why :/

        sudo chmod -R 777 /

    or

        sudo chmod -R 777

    He isn't exactly sure.

  • Error when running binary with root setuid under encrypted home directory

    - by carestad
    I'm using a VPN script for Juniper's Secure Access protocol from here, which executes a binary located under ~/.juniper_networks/network_connect/ncsvc with the following permissions:

        -rws--s--x 1 root root 1225424 okt. 25 13:54 ncsvc

    But when I do, I get the following error:

        ncsvc> Failed to setuid to root. Error 1: Operation not permitted

    Moving/copying the ~/.juniper_networks folder to e.g. /opt/juniper (with the same owner permissions), I don't get the error. In the forum thread at Ubuntuforums someone pointed out that it's probably because I have encrypted my /home and thus a "problem" with ecryptfs. How can I fix this?

  • Using Solaris pkg to list all setuid or setgid programs

    - by darrenm
        $ pkg contents -a mode=4??? -a mode=2??? -t file -o pkg.name,path,mode

    We can also add a package name on the end to restrict it to just that single package, e.g.:

        $ pkg contents -a mode=4??? -a mode=2??? -t file -o pkg.name,path,mode core-os
        PKG.NAME        PATH                       MODE
        system/core-os  usr/bin/amd64/newtask      4555
        system/core-os  usr/bin/amd64/uptime       4555
        system/core-os  usr/bin/at                 4755
        system/core-os  usr/bin/atq                4755
        system/core-os  usr/bin/atrm               4755
        system/core-os  usr/bin/crontab            4555
        system/core-os  usr/bin/mail               2511
        system/core-os  usr/bin/mailx              2511
        system/core-os  usr/bin/newgrp             4755
        system/core-os  usr/bin/pfedit             4755
        system/core-os  usr/bin/su                 4555
        system/core-os  usr/bin/tip                4511
        system/core-os  usr/bin/write              2555
        system/core-os  usr/lib/utmp_update        4555
        system/core-os  usr/sbin/amd64/prtconf     2555
        system/core-os  usr/sbin/amd64/swap        2555
        system/core-os  usr/sbin/amd64/sysdef      2555
        system/core-os  usr/sbin/amd64/whodo       4555
        system/core-os  usr/sbin/prtdiag           2755
        system/core-os  usr/sbin/quota             4555
        system/core-os  usr/sbin/wall              2555

  • sudo: must be setuid root

    - by Phuong Nguyen
    Recently, due to some messy stuff with the master boot record, I had to re-install my Ubuntu. Before doing that, I backed up all folders (excluding root, bin, sbin, tmp, media, mnt) to an NTFS partition. After installation of Ubuntu, I copied back all the folders using nautilus (run via sudo nautilus). After that, I rebooted my computer. And boom, now I cannot run sudo any more, and my network services cannot run. When I run sudo from a terminal, I get the "must be setuid root" error. In ubuntu, the root account is disabled by default; I don't know why all these files are no longer under the ownership of my account. How would I recover?

  • How do you get linux to honor setuid directories?

    - by Takigama
    Some time ago while in a conversation in IRC, one user in a channel I was in suggested someone setuid a directory in order for it to inherit the userid on files to solve a problem someone else was having. At the time I spoke up and said "linux doesn't support setuid directories". After that, the person giving the advice showed me a pastebin (http://codepad.org/4In62f13) of his system honouring the setuid permission set on a directory. Just to explain, when I say "linux doesn't support setuid directories" what I mean is that you can go "chmod u+s directory" and it will set the bit on the directory. However, linux (as I understood it) ignores this bit (on directories). Try as I might, I just can't quite replicate that pastebin. Someone suggested to me once that it might be possible to emulate the behaviour with selinux, and playing around with rules, it's possible to force a uid on a file, but not from a setuid directory permission (that I can see). Reading around on the internet has been fairly uninformative: most places claim "no, setuid on directories does not work with linux" with the occasional "it can be done under specific circumstances" (such as this: http://arstechnica.com/etc/linux/2003/linux.ars-12032003.html). I don't remember who the original person was, but the original system was a debian 6 system, and the filesystem it was running was xfs mounted with "default,acl". I've tried replicating that, but no luck so far (tried so far with various versions of debian, ubuntu, fedora and centos). Can anyone clue me in on what or how you get a system to honor setuid on a directory?

  • Running $ORIGIN linked binaries from setuid scripts on linux

    - by drscroogemcduck
    I'm using suidperl to run some programs that require root permissions. However, the runtime linker won't expand library paths which contain $ORIGIN entries, so the programs I want to run (jstack from java) won't run. More info here:

        There is one exception to the advice to make heavy use of $ORIGIN. The runtime linker will not expand tokens like $ORIGIN for secure (setuid) applications. This should not be a problem in the vast majority of cases.

    My program looks something like this:

        #!/usr/bin/perl
        $ENV{PATH} = "/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/java/jdk1.6.0_12/bin:/root/bin";
        $ENV{JAVA_HOME} = "/usr/java/jdk1.6.0_12";
        open(FILE, '/var/run/kil.pid');
        $pid = <FILE>;
        close(FILE);
        chomp($pid);
        if ($pid =~ /^(\d+)/) {
            $pid = $1;
        } else {
            die 'nopid';
        }
        system("/usr/java/jdk1.6.0_12/bin/jstack", "$pid");

    Is there any way to fork off a child process in a way so that the linker will work correctly?

  • supervisord launches with wrong setuid

    - by friendzis
    I am trying to test a pilot system with nginx connecting to a uwsgi-served application controlled by supervisord running on ubuntu-server. The application is written in python with Flask in a virtualenv, although I'm not sure if that is relevant. To test the system I have created a simple hello world with flask. I want nginx and uwsgi both to run as the www-data user. If I launch uwsgi "manually" from a root shell I can see uwsgi processes running as the appropriate user (www-data). However, if I let supervisor launch the application something strange happens: uwsgi processes are running under my user (friendzis). Consequently, the socket file gets created under the wrong user and nginx cannot communicate with my application. Note: the linux server runs as a Hyper-V VM, under Windows Server 2008. Relevant configuration:

        [uwsgi]
        socket = /var/www/sockets/cowsay.sock
        chmod-socket = 666
        abstract-socket = false
        master = true
        workers = 2
        uid = www-data
        gid = www-data
        chdir = /var/www/cowsay/cowsay
        pp = /var/www/cowsay/cowsay
        pyhome = /var/www/cowsay
        module = cowsay
        callable = app

    supervisor:

        [program:cowsay]
        command = /var/www/cowsay/bin/uwsgi -s /var/www/sockets/cowsay.sock -w cowsay:app
        directory = /var/www/cowsay/cowsay
        user = www-data
        autostart = true
        autorestart = true
        stdout_logfile = /var/www/cowsay/log/supervisor.log
        redirect_stderr = true
        stopsignal = QUIT

    I'm sure I'm missing some minor detail, but I'm unable to notice it. Would appreciate any suggestions.

  • Process limit for user in Linux

    - by BrainCore
    This is the standard question, "How do I set a process limit for a user account in Linux to prevent fork-bombing," with an additional twist. The running program originates as a root-owned Python process, which then setuids/setgids itself as a regular user. As far as I know, at this point, any limits set in /etc/security/limits.conf do not apply; the setuid-ed process may now fork bomb. Any ideas how to prevent this?

  • How to start/stop service with Apache2 on Ubuntu

    - by user142512
    Using Apache, I'd like to be able to start and stop a service on the same server. Essentially, I'm looking for a way to allow Apache (or some script called by Apache) to call sudo service XXXX start. I realize there are severe security implications with this, and I'm looking to minimize the possible effects. There is only a single service that I need to do this for. I've seen some solutions that involve "hacking" the setuid (C/Perl wrapper), others involved editing the /etc/sudoers file. Is there a better way? many thanks, S.

  • Allow user to execute a shell script without seeing its contents?

    - by Autopulated
    I'd like to have an hg hook that sends email using a gmail account. Obviously I don't want anyone to be able to read the email-sending script except me or root, since it has a password in it, so here's what I've tried:

        -rwsr-xr-x 1 james james  58 Feb 18 12:05 incoming.email.sh
        -rwx--x--x 1 james james 262 Feb 18 12:04 send-incoming-email.sh

    where incoming.email.sh is the file executed as the hook:

        #! /bin/bash
        /path/to/send-incoming-email.sh

    However, when I try to run as another user I get the error:

        /bin/bash: /path/to/send-incoming-email.sh: Permission denied

    The send-incoming-email.sh file works fine when I run as myself. Is what I'm trying to do possible, or will setuid not propagate to commands executed from a shell script? System is Ubuntu 10.04.2 LTS.

  • Allowing non-admins to run programs as admins on Windows 7

    - by Josh
    On *nix, admins can use the setuid flag to allow non-admins to run certain programs that would otherwise require admin privileges. Is there any way to do something similar in Windows 7? This question has been asked here before for Windows XP, and the answers were generally unsatisfying. I'm wondering if Windows 7 provides a better way. One idea I can think of would be to use Microsoft's Subsystem for UNIX Applications, but I'd rather not install that on every user's system if I can avoid it. Another idea I can think of (which would work on XP too, but I haven't seen it mentioned anywhere) would be to create a RunAsAdmin application that runs as a service, that takes a whitelist of "safe" apps and can be asked (from a command line, batch file or script) to run any program on the list as LocalSystem or whatever account the service uses. Is this possible? Are there any solutions that aren't as clunky as those? Or, has anyone implemented either of the above techniques successfully?

  • What's the safest way to kick off a root-level process via cgi on an Apache server?

    - by MartyMacGyver
    The problem: I have a script that runs periodically via a cron job as root, but I want to give people a way to kick it off asynchronously too, via a webpage. (The script will be written to ensure it doesn't run overlapping instances or such.) I don't need the users to log in or have an account; they simply click a button and if the script is ready to be run it'll run. The users may select arguments for the script (heavily filtered as inputs) but for simplicity we'll say they just have the button to choose to press. As a simple test, I've created a Python script in cgi-bin. chown-ing it to root:root and then applying "chmod ug+" to it didn't have the desired results: it still thinks it has the effective group of the web server account... from what I can tell this isn't allowed. I read that wrapping it with a compiled cgi program would do the job, so I created a C wrapper that calls my script (its permissions restored to normal) and gave the executable the root permissions and setuid bit. That worked... the script ran as if root ran it. My main question is, is this normal (the need for the binary wrapper to get the job done) and is this the secure way to do this? It's not world-facing but still, I'd like to learn best practices. More broadly, I often wonder why a compiled binary is more "trusted" than a script in practice? I'd think you'd trust a file that was human-readable over a cryptic binary. If an attacker can edit a file then you're already in trouble, more so if it's one you can't easily examine. In short, I'd expect it to be the other way 'round on that basis. Your thoughts?

  • how do i claim a low-numbered port as non-root the "right way"

    - by qbxk
    I have a script that I want to run as a daemon listening on a low-numbered port (< 1024). The script is in python, though answers in perl are also acceptable. The script is being daemonized using start-stop-daemon in a startup script, which may complicate the answer. What I really (think I) don't want is to type ps -few and see this process running with "root" on its line. How do I do it? (From my less-than-fully-educated-about-system-calls perspective, I can see 3 avenues:

        1. Run the script as root (no --user/--group/--chuid to start-stop-daemon), and have it de-escalate its user after it claims the port
        2. Setuid root on the script (chmod u+s), and run the script as the running user (via --user/--group/--chuid to start-stop-daemon; the startup script still has to be called as root); in the script, acquire root privileges, claim the port, and then revert back to the normal user
        3. Something else I'm unaware of)

  • Passwordless SSH using cgi-perl script

    - by AV
    Hello, This is my first shot at trying out cgi-perl scripts. I have SSH keys set up between my (root user) local machine and a remote machine. I'm trying to run a command on the remote box and display the output on a webpage hosted from my local machine. The script runs fine from command line however, it throws SSH key error when called from the webpage because the user running the script is apache and not root. Is there a way to get around this issue?

  • Error while running Jetty Server on port 80 as non root user

    - by user75016
    All, I was trying to set up jetty on port 80 but it's giving an exception saying permission denied as below. I have set up jetty to work with setuid and configured start.ini as follows:

        OPTIONS=Server,jsp,jmx,resources,websocket,ext,plus,annotations,jta,jdbc,setuid

    (below as first configuration file in start.ini)

        etc/jetty-setuid.xml

    and the jetty-setuid.xml file with the username and group name of the non-root user.

        2012-07-03 15:29:02.411:INFO:oejdp.ScanningAppProvider:Deployment monitor /opt/jetty-hightide-8.1.3.v20120416/contexts at interval 1
        2012-07-03 15:29:02.454:WARN:oejuc.AbstractLifeCycle:FAILED [email protected]:80: java.net.SocketException: Permission denied
        java.net.SocketException: Permission denied
            at sun.nio.ch.Net.bind(Native Method)
            at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:126)
            at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:59)
            at org.eclipse.jetty.server.nio.SelectChannelConnector.open(SelectChannelConnector.java:182)
            at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:311)
            at org.eclipse.jetty.server.nio.SelectChannelConnector.doStart(SelectChannelConnector.java:260)
            at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:59)
            at org.eclipse.jetty.server.Server.doStart(Server.java:273)
            at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:59)
            at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1215)
            at java.security.AccessController.doPrivileged(Native Method)
            at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1138)
        2012-07-03 15:29:02.455:WARN:oejuc.AbstractLifeCycle:FAILED org.eclipse.jetty.server.Server@66da9ea4: java.net.SocketException: Permission denied
        java.net.SocketException: Permission denied

  • Recommended setting for using Apache mod_mono with a different user

    - by Korrupzion
    Hello, I'm setting up an ASP.net script on my linux machine using mod_mono. The script spawns processes of a bin that belongs to another user, but the process is spawned by www-data because apache runs with that user, and I need to spawn the process as the user that owns the file. I tried the setuid bit but it doesn't have any effect. I discovered that if I kill mod-mono-server2.exe and run it with the user that I need, everything works right, but I want to know the proper way to do this, because after a while apache runs mod-mono-server2.exe as www-data again. The Mono-Project webpage says:

        How can I Run mod-mono-server as a different user? Due to apache's design, there is no straightforward way to start processes from inside of a apache child as a specific user. Apache's SuExec wrapper is targeting CGI and is useless for modules. Mod_mono provides the MonoStartXSP option. You can set it to "False" and start mod-mono-server manually as the specific user. Some tinkering with the Unix socket's permissions might be necessary, unless MonoListenPort is used, which turns on TCP between mod_mono and mod-mono-server. Another (very risky) way: use a setuid 'root' wrapper for the mono executable, inspired by the sources of Apache's SuExec.

    I want to know how to use the setuid wrapper, because I tried adding the setuid bit to the 'mono' bin and changing the owner to the user that I want, but that made mono crash. Or maybe a way to keep mono-mod-server2.exe running separately from apache without being closed (anyone has a script?) My environment:

        Debian Lenny 2.6.26-2-amd64
        Mono 1.9.1
        mod_mono from debian repository
        Dedicated server (root access and stuff)
        Using apache vhosts
        I use mono for only that script

    Thanks!
