SUID Alternative?

I have a binary that I want any user to be able to stop and start (if you're interested, it's the Apache ActiveMQ broker). I thought I could just write a start/stop script that logs the PID and set it SUID. However, I've now learned that shell scripts can't be SUID. So I'm looking for an alternative. Any thoughts?
Re: SUID Alternative?

* Bill Woessner wrote in alt.os.linux:
> I have a binary that I want any user to be able to stop and start (if
> you're interested, it's the Apache ActiveMQ broker). I thought I
> could just write a start/stop script that logs the PID and set it
> SUID. However, I've now learned that shell scripts can't be SUID. So
> I'm looking for an alternative.
>
> Any thoughts?
>

sudo ?

--
David
Re: SUID Alternative?

On Fri, 20 Jun 2008 13:05:09 -0700, Bill Woessner wrote:
> I have a binary that I want any user to be able to stop and start (if
> you're interested, it's the Apache ActiveMQ broker). I thought I could
> just write a start/stop script that logs the PID and set it SUID.
> However, I've now learned that shell scripts can't be SUID. So I'm
> looking for an alternative.
>
> Any thoughts?

Interesting article in the latest Linux Pro magazine about POSIX capabilities - you might try that.
Re: SUID Alternative?

On Fri, 20 Jun 2008, in the Usenet newsgroup alt.os.linux, in article <9b78ceaa-6f44-49b9-906c-2e36514efd8c@v26g2000prm.googlegroups.com>, Bill Woessner wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically reduces the chance of your post being seen. Find a real news server.

>I have a binary that I want any user to be able to stop and start (if
>you're interested, it's the Apache ActiveMQ broker). I thought I
>could just write a start/stop script that logs the PID and set it
>SUID. However, I've now learned that shell scripts can't be SUID. So
>I'm looking for an alternative.

Shell scripts tend to have exploitable holes - and thus, the decision to ignore SUID. You on the other hand have to be sure that anyone who gains access can run the command, and _MAY_ be able to exploit this for nefarious reasons.

Alternative? Might have been nice to know the distribution/release. You could:

1. Do you have 'sudo' installed?

   [compton ~]$ whatis sudo sudoers
   sudo (8) - execute a command as another user
   sudoers (5) - list of which users may execute what
   [compton ~]$

2. Compile a wrapper that logs the information, and then make that wrapper SUID.

3. Fancy permissions and groups. You could create a special group (see /etc/group) such as 'apache-wankers' and add the appropriate users to that group. You then change the permissions of the binary to '4750' (-rwsr-x---) and ownership to root:apache-wankers, which allows execution of that binary as root, but only by members of the group.

4. Throw caution to the winds, and change permissions of the binary to '4755' (-rwsr-xr-x) which allows everyone to run the binary (though there is no special logging).

Choice 1 is probably best, with choice 2 a poor second, and choice 3 a very distant third.

Old guy
Re: SUID Alternative?

Bill Woessner <woessner******.com> writes:
>I have a binary that I want any user to be able to stop and start (if
>you're interested, it's the Apache ActiveMQ broker). I thought I
>could just write a start/stop script that logs the PID and set it
>SUID. However, I've now learned that shell scripts can't be SUID. So
>I'm looking for an alternative.
>Any thoughts?

a) You write it in perl
b) you write a C wrapper for the script
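Two of the replies above ("compile a wrapper that logs the information, and then make that wrapper SUID" combined with the group-restricted 4750 mode, and "write a C wrapper for the script") describe the same thing without showing it. The following is an added example of such a wrapper; it is not code from the thread or from the ActiveMQ project. It assumes a hypothetical start/stop script at /usr/local/sbin/activemq-ctl, a hypothetical log file /var/log/activemq-wrapper.log, and an operator group named activemq-ops. The wrapper only ever passes one of a fixed set of actions to the script, replaces the caller's environment with a known one, uses an absolute path for the script, and calls setuid(0) before exec so that the script's shell does not silently drop the effective uid back to the caller's (bash does this when the real and effective uid differ unless started with -p).

```c
/* activemq_wrapper.c - added example setuid wrapper, not from the thread.
 * Install (assumed group name):  chown root:activemq-ops activemq_wrapper
 *                                chmod 4750 activemq_wrapper
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>

#define SCRIPT  "/usr/local/sbin/activemq-ctl"   /* hypothetical path */
#define LOGFILE "/var/log/activemq-wrapper.log"  /* hypothetical path */

/* The only arguments that are ever forwarded to SCRIPT. */
static const char *const ALLOWED[] = { "start", "stop", "status", NULL };

/* Return 1 if arg is exactly one allowed action, 0 otherwise.
 * Exact comparison means "stop; id" or "start\n" is rejected. */
int is_allowed_action(const char *arg)
{
    if (arg == NULL)
        return 0;
    for (int i = 0; ALLOWED[i] != NULL; i++)
        if (strcmp(arg, ALLOWED[i]) == 0)
            return 1;
    return 0;
}

/* Format the audit line "<UTC stamp> uid=<ruid> user=<name> action=<act>\n"
 * into buf. Returns its length, or -1 if it does not fit in len bytes. */
int format_log_line(char *buf, size_t len, time_t when, uid_t uid,
                    const char *name, const char *action)
{
    char stamp[32];
    struct tm *tm = gmtime(&when);
    if (tm == NULL ||
        strftime(stamp, sizeof stamp, "%Y-%m-%dT%H:%M:%SZ", tm) == 0)
        return -1;
    int n = snprintf(buf, len, "%s uid=%lu user=%s action=%s\n",
                     stamp, (unsigned long)uid, name ? name : "?", action);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return n;
}

int main(int argc, char **argv)
{
    if (argc != 2 || !is_allowed_action(argv[1])) {
        fprintf(stderr, "usage: %s start|stop|status\n", argv[0]);
        return 2;
    }

    /* Log who asked for what, using the real uid (the invoking user). */
    uid_t real = getuid();
    struct passwd *pw = getpwuid(real);
    char line[256];
    if (format_log_line(line, sizeof line, time(NULL), real,
                        pw ? pw->pw_name : NULL, argv[1]) < 0)
        return 1;
    FILE *log = fopen(LOGFILE, "a");
    if (log) {
        fputs(line, log);
        fclose(log);
    }

    /* Minimal trusted environment: nothing from the caller (PATH, IFS,
     * LD_*, ...) reaches the script. */
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

    /* Make the real uid root too, so a shell started by SCRIPT keeps it. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    char *const args[] = { SCRIPT, argv[1], NULL };
    execve(SCRIPT, args, envp);
    perror("execve");   /* only reached if exec failed */
    return 1;
}
```

The script itself must be root-owned and not writable by the operator group, since the wrapper runs it as root unconditionally; the wrapper is what members of activemq-ops get, not the script. As the thread notes, sudo with a one-line rule limited to the same fixed command covers this case with less code to get wrong, and this wrapper is the fallback when sudo is not available.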