[Kc] Shell script to execute system command as another user
Frank Wiles
frank at wiles.org
Mon May 3 12:54:04 CDT 2004
On Mon, 03 May 2004 12:50:19 -0500
Brad <brad at bradandkim.net> wrote:
> On Mon, 2004-05-03 at 11:22, John Reinke wrote:
> > I'd probably accomplish this through file permissions. Make the
> > script owned by 'cyrus' and also use the set-ID option (see the
> > chmod manpage). When it executes, it will execute as the file owner,
> > no matter who runs it.
> >
> > Make sure that the permissions allow the user 'nobody' to access the
> > script, but no unauthorized users (you never can be too safe when
> > executing shell commands based on user input). You may want to use
> > group permissions to accomplish that.
> >
> > John
>
> This seems to work great. I have always heard advice on using caution
> when using suid. I had never tried it until now. I guess as long as
> it is not a big security risk, this is easy and accomplishes just what
> I need.

It's more of a security risk than the sudo method. With sudo only
the user(s) you specify can run the program with the privileges of
another. With suid anyone who can run the program (which is
typically set 755) can run it with the other privileges.

Another solution that can be beneficial depending on the setup is to
make the data that you need read/write access to as user cyrus be
owned by a group that both cyrus and nobody are members of and make
the data group writable.

---------------------------------
Frank Wiles <frank at wiles.org>
http://frank.wiles.org
---------------------------------
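
The difference between a set-ID program at mode 755 and one restricted by group permissions can be checked mechanically. The following is an added example, not part of the original thread; the function names `suid_exposure` and `audit_tree` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify who can trigger a set-ID program, using only
# find(1) permission tests. Names and sample files are constructed.

# Prints one of: not-setid | anyone | group-only | owner-only
suid_exposure() {
    f=$1
    # -perm -4000 / -2000: set-user-ID / set-group-ID bit is set
    if [ -z "$(find "$f" -prune \( -perm -4000 -o -perm -2000 \))" ]; then
        echo not-setid
    elif [ -n "$(find "$f" -prune -perm -0001)" ]; then
        echo anyone       # e.g. 4755: every local user gets the owner's rights
    elif [ -n "$(find "$f" -prune -perm -0010)" ]; then
        echo group-only   # e.g. 4750: only members of the file's group
    else
        echo owner-only   # e.g. 4700
    fi
}

# List set-ID files under a directory that any local user can execute.
audit_tree() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -perm -0001 -print
}

# Constructed demo: empty files carrying the modes discussed in the thread.
demo() {
    d=$(mktemp -d) || return 1
    for spec in helper_open:4755 helper_group:4750 plain:0755; do
        name=${spec%%:*}
        mode=${spec##*:}
        : > "$d/$name"            # create first, then set the mode
        chmod "$mode" "$d/$name"
        printf '%s (%s): %s\n' "$name" "$mode" "$(suid_exposure "$d/$name")"
    done
    echo "world-executable set-ID files:"
    audit_tree "$d"
    rm -rf "$d"
}

demo
```

Anything `audit_tree` lists is a candidate for either a group-restricted mode such as 4750 or a sudo rule naming the allowed users. Linux ignores the set-ID bits on interpreted scripts, so they take effect only on compiled binaries.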