set the effective UID in bash script

Hello, how can I actually tell the script to run as root if I previously chmod this script 4755 permission and added the s instead of x. I've tested it and it is still running as normal user, how can I ask it to evaluate to root as passwd command does. Is it possible in bash or sh script?
 
I hope you have no other users running on your system because 'back in the day' this was a major exploit vector and consequently is ignored by most OS: Solaris, *BSD, systemd/linux and others. That's why you can't get it to work.

You will have to use sudo or similar, or write a wrapper program that's setuid that execve(2)'s the script but that's almost as big a security risk.
OR
You could think around the way you're currently proposing. There must be an alternative way to replace your sledge-hammer approach?
 
You can't SUID scripts, while you can certainly apply the SUID bit to it, it will just be ignored. It's a rather large security risk.

how can I ask it to evaluate to root as passwd command does.
There are probably a gazillion different ways to check if the user has root access or not. You could check $EUID or the output from id -u. If it's not 0 then exit with a warning it needs to be run as root. I've also seen scripts just automatically run themselves with sudo(8); sudo $0.
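
An added example, not from any poster in this thread: POSIX sh functions that tell apart a setuid bit set on a `#!` script (where it is ignored) from one set on a compiled program, plus the effective-UID check suggested above. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example; classify_setuid, require_root and demo are illustrative names.

# classify_setuid FILE prints one of:
#   none           setuid bit not set
#   setuid-script  bit set on a "#!" script; the kernel ignores it, as the
#                  replies above explain
#   setuid-binary  bit set on a compiled program (how passwd is installed)
classify_setuid() {
    [ -f "$1" ] || { echo "missing"; return 2; }
    [ -u "$1" ] || { echo "none"; return 0; }
    # Hex of the first two bytes; 23 21 is "#!". od copes with binary data.
    magic=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
    if [ "$magic" = "2321" ]; then
        echo "setuid-script"
    else
        echo "setuid-binary"
    fi
}

# require_root succeeds only when the effective UID is 0. id -u prints the
# effective UID, the same value bash exposes as $EUID.
require_root() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "must be run as root, e.g. through sudo" >&2
        return 1
    fi
}

# demo builds two constructed sample files and classifies them.
demo() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\nid -u\n' > "$dir/script.sh"   # constructed script
    printf '\177ELF' > "$dir/program"                # constructed ELF magic only
    chmod 4755 "$dir/script.sh" "$dir/program"
    for f in "$dir/script.sh" "$dir/program"; do
        printf '%s: %s\n' "${f##*/}" "$(classify_setuid "$f")"
    done
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with the argument `demo` to see both sample files classified; in a real script, call `require_root || exit 1` before any step that needs privilege.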
 
So it's impossible with bash script, but maybe I could compile something that will become root, something like it is in passwd exec. This is somehow happening in passwd prog, but how can I look at exact piece of code. How to find out?
 
You're making it way more difficult than it has to be. Just configure sudo(8) so the user is allowed to execute that script and be done. Check in your script if it's running as root and exit with a warning if it's not.

This is somehow happening in passwd prog
No, it's just an executable that has the setuid bit set. The setuid bit works for executables just not for scripts.
 
Like I said, the sledgehammer approach is just not going to work.
The passwd program is just that, a program. It can be setuid.
As I said above, if you really are stuck on running a shell script in setuid mode, you will have to write a program to do so and set that program to setuid root (just like passwd is set).
I would advise not to.
I would advise, as I said, to use sudo (or similar).
 
As others have indicated above, setting the setuid bit on a script won't do as you want.

This is because it constitutes a large security flaw -- users can break out of the script and execute arbitrary programs with the setuid privilege still active.

Using sudo(8) or doas(1) to confer privilege on the script has exactly the same security problem. You are just circumventing the protection built into the setuid mechanism.

The best solution is to rethink your problem. What is it that you actually need to do that requires elevated privilege? If you can define that precisely, then you may be able to use individual sudo(8) commands within a non-privileged script (to execute individual binary executables) to achieve what you want.
 
I would like to run binary from normal user on which suid was set, that will appear as "running by root" in processes lister like htop or top. I believe that it is somehow possible. I just want to know mechanism which is doing that.
 
Yes: a program. No: a shell.
Setting the user using setuid does do that for a program, but not a shell script.
I don't use sudo but others might chime in and say if running commands/scripts as root shows it in the process as root. It should.
Sudo basically does as I described, running commands as root using some mechanism like execve(2)
 
Found a paper about it. Hope to understand something. Setuid Demystified
 