Re: Allowing users to execute shell scripts without seeing password

  • From: Michael Haddon <m.haddon@xxxxxxxxxxx>
  • Date: Sun, 19 Feb 2006 07:00:11 -0600

There is nothing Magic about perl that would solve the security issues that come up when using a 'setuid' bit on the executible. The setuid capability is a Unix capability and not one specific to the shell. A setuid script has it's risks if it is written in perl, ksh, bash, awk, tck/tkl, or whatever. It just needs to handle any security issues, if they exist, in the code.

Most scripts really don't need the setuid bit, those that do, can use the 'trap' in the shell to handle any post signal processing. One example of this can be found in the /etc/profile script that is executed by everyone that logs into a Unix system. Part of the login process executes this script to set up a system wide default environment.

The beginning of the script uses the trap command to set up signals that need to be handled and the end of the script releases the trap.

My point is that sometimes the setuid bit can help accomplish a task that would otherwise take some considerable time to design and code. You just have to be aware of it's use and test it thoroughly.

Hope this helps
Mike

Mladen Gogala wrote: 
On 02/18/2006 11:38:01 PM, Joseph Amalraj wrote:
  
After doing some reading, I agree, that setting suid for shell scripts is poses 
security risks. Probably the solution is not to use Shell, but some else like Perl.
    
So, if switching UID is dangerous with a shell script, it will somehow be 
rendered harmless if you use Perl, which allows all kinds of programming 
tricks and hacks?
-- //www.freelists.org/webpage/oracle-l

Other related posts:

  1. Home
  2. oracle-l
  3. Archive
  4. 02-2006