suid: Generic setuid/setgid wrapper for scripts.

You have a shell script that you want to run as setuid/setgid, and after carefully studying the caveats, you still want to do it. Here is a wrapper that will help you do it (hopefully securely).

To use the wrapper, download and compile suid.c as follows:
$ make suid
(Most make tools will use their implicit rule to compile it, which is good enough.)

Then install it to a suitable location as a setuid root binary:
$ sudo install -m a+rx,u+ws -s ./suid /usr/local/bin/suid

Now you can write a shell script like this:
$ cat <<END > ./test.sh
#!/usr/local/bin/suid /bin/bash -o privileged --
set -eu
echo uid=\$(id -run) euid=\$(id -un)
echo gid=\$(id -rgn) egid=\$(id -gn)
END
$ sudo chown nobody:nogroup ./test.sh
$ sudo chmod a+rx,ug+s ./test.sh

On some systems, you might need to replace nogroup with nobody in the chown command. Run ./test.sh, and you should see:
uid={your username} euid=nobody
gid={your groupname} egid=nogroup

Tested on Linux and Mac OS X. Comments and suggestions are welcome!
