如何实现SUID？

balefired

环境：AIX5.3

想实现如下功能：
用户A和用户B
用户A目录下有一个shell脚本，该脚本执行时需要读取改目录下的一个文本文件（存有数据库密码）。

想让用户B可执行用户A下的该shell脚本，但不能查看文本文件，以防数据库密码被盗取。

曾找了好多资料，都无法实现，一旦我将文本文件的R权限取消，该shell就无法执行。

按照以下文档的做法也是不行，有没有用过的朋友帮忙解决以下！

There has always been a void in every newbies mind when it comes to sticky bits. The books say that the SUID allows an unprivileged user to run executables and scripts with the credentials of the owner of the file. But we all try to implement it and fail as newbies. This HOWTO is dedicated to newbies of sticky bit so that they don't have to waste time in implementing it. The answer is right here.
I am taking an example of a huge organization with 1 Sysadmin who has under him/her a few Assistant Admins. In such cases, the sysadmin cannot be creating users all the time. So, the Assistant Admins do the user creation. But, to create users, the root password needs to be given to them, which is a big headache for the main Sysadmin. So, what does the sysadmin do? He/She will need to do the following :-
1. Login as root.
2. Create a shell script that will create the users specified and set a default password for each of these users
3. Copy this script to the home directory of these assistant admins.
4. Set SUID Sticky bit to the script copied in each of the assistant admins' directories
5. Copy the sysadmin commands that will be used by your script to /bin (because most of the sysadmin commands are in the /usr/sbin directory and unprivileged users' PATH does not point to /usr/sbin)
6. Set SUID to each and every command that you copy into the bin as well (my script uses the useradd, chown and chpasswd commands)
My example shell script that creates users and sets default password for each user is as follows :-
--------------------------------------------------------------------------------------------------------------------------
echo -n "enter the starting login id : "
read beg
echo -n "enter the ending login id : "
read final
fend=`date +"%d%m%y"`
i=$beg
rm -f "users$fend"
touch "users$fend"
while [ $i -le $final ];
do
if [ $i -lt 10 ]; then
useradd "j2ee00$i"
chown -R "j2ee00$i:j2ee00$i" "/home/j2ee00$i"
echo "j2ee00$i:elmaqedu" >> "users$fend"
fi
if [ $i -ge 10 ] && [ $i -lt 100 ]; then
useradd "j2ee0$i"
chown -R "j2ee0$i:j2ee0$i" "/home/j2ee0$i"
echo "j2ee0$i:elmaqedu" >> "users$fend"
fi
if [ $i -ge 100 ] && [ $i -lt 1000 ]; then
useradd "j2ee$i"
chown -R "j2ee$i:j2ee$i" "/home/j2ee$i"
echo "j2ee$i:elmaqedu" >> "users$fend"
fi
i=$[ $i + 1 ]
done
chpasswd < "users$fend"
--------------------------------------------------------------------------------------------------------------------------
Save this script as addusers.sh
copy this script to the directories of each assistant admin. once you have copied the script, set SUID to this file using the following command :-
chmod 4755 addusers.sh
(or)
chmod u+s addusers.sh
copy the useradd and chpasswd scripts to /bin and then, issue the following commands to set the SUID to these files :-
chmod 4755 /bin/useradd
chmod 4755 /bin/chpasswd
chmod 4755 /bin/chown
THAT'S IT. IT'S ALL DONE. Now, login as any of the assistant admins and execute the addusers.sh script. The unprivileged users will be added to the /etc/passwd file
EXPLANATION
---------------------
When an unprivileged user logs into Linux, his uid and gid are embedded into his shell. From this point on, any command or script that you run forks a child shell process. Remember, every process runs with the uid and gid of the currently logged on user and hence, unprivileged users cannot write to files like /etc/passwd. Hence, SUID is actually a way in which the sysadmin can create scripts to be run by unprivileged users but still need some root like access to some system files.
once the SUID sticky bit is set on an executable created by root, the following happens :-
1. unprivileged user with uid 501 and gid 501 logs on.
2. executes a script which has SUID set.
3. Script creates a child shell process and sets it's uid and gid to 0 (the root)
4. Performs all that it needs to do and then exits
If the same unprivileged user tries to run a script without SUID set, the process will run with uid 501 and gid 501 and hence, will not have permissions to perform desired actions on system centric files, even though the sysadmin would want it to.

Hope this HOWTO helps people out there. In case you have any suggestions or feedback, please mail me at vijaykrishnan@elmaqedu.com

Bookmark/Search this post with:

balefired

AIX的文档，难道真的没有办法了吗？


S 位和访问控制表
可以使用 setuid 和 setgid 程序，并将 S 位应用于 ACL。

使用 setuid 和 setgid 程序
在多数情况下许可权位机制允许对资源的有效访问控制。但对于更精确的访问控制，操作系统提供了 setuid 和 setgid 程序。

AIX&reg; 仅根据 uid 和 gid 定义身份。不使用 uid 和 gid 定义标识的 ACL 类型将映射到 AIX 身份模块。例如，NFS4 ACL 类型将用户标识定义为 user@domain 格式的字符串，且此字符串映射到了数字 UID 和 GID。

大多数程序使用其调用者的用户和组访问权运行。程序所有者通过使程序成为 setuid 或 setgid 程序（即在许可权字段中设置了 setuid 或 setgid 位的程序），可以关联调用它们的用户的访问权。当进程运行程序时，该进程将获取程序所有者的访问权。setuid 程序使用其所有者的访问权运行，而 setgid 程序则拥有其组的访问权，并且两个位都可以根据许可权机制进行设置。

虽然进程分配有额外的访问权，这些权限都由具有这些权限的程序控制。因此，setuid 和 setgid 程序允许间接授予访问权的用户编程的访问控制。程序作为可信子系统，保护用户的访问权。

虽然可以很有效地使用这些程序，如果不小心设计将有安全性风险。特别地，程序在它仍有其所有者的访问权时决不返回控制给用户，因为这样将允许用户无限制地使用所有者的权限。

注： 出于安全性原因，操作系统不支持 shell 脚本内的 setuid 或 setgid 程序调用。