scripty a s-bit

Milos Urbanek urbanek at openbsd.cz
Mon May 5 10:47:36 CEST 2003


On Fri, May 02, 2003 at 11:59:49AM +0200, Zbyněk Burget wrote:
> Zdravim vespolek,
> chtel bych se zeptat na takovou vec - mam napsany jeden primitivni script na
> mountovani a umountovani magnetooptickeho disku (jako zkratku prikazu). Ted
> jsem tomu scriptu zkousel nastavit s-bit v domneni, ze pak bude kdokoli moct
> ten disk mountnout nebo umountnout. Ale ouha - porad to funguje jenom
> rootovi. Pro ostatni hlasi "permisin denied". Zkousel jsem vsechno mozne a
> precetl nekolik manu, ale bezvysledne. Nastavovat s-bit primo mountu a
> umountu neni zrovna nejlepsi reseni. 

pro interpretovane skripty (vsechno co zacina #!) se berou za atributy
spoustene binarky atributy prikazoveho interpretu (ktery je uveden za tim #!).
aby vam to fungovalo tak jak potrebujete, musel byste trosku zalaborovat
se zdrojaky kernelu.

neco ve stylu tohodle unifikovaneho diffu, ktery je oproti souboru
s revizi
 $FreeBSD: src/sys/kern/kern_exec.c,v 1.218 2003/04/01 01:26:20 jeff Exp $

Milos

> Asi by se to dalo vyresit pomoci sudo,
> ale na te masine je jeste F-BSD 4.2 a soucasne sudo uz na tom nenainstaluju
> (nejaky problem s nejakou knihovnou).
> Nevite nekdo, jak by se to dalo vyresit?
> 
> Diky
> 
> Zbynek
> 
> 

-- 

-------------- next part --------------
--- kern_exec.c	2003-05-05 10:19:52.000000000 +0200
+++ kern_exec.c.suid	2003-05-05 10:19:19.000000000 +0200
@@ -156,11 +156,11 @@
 	struct proc *p = td->td_proc;
 	struct nameidata nd, *ndp;
 	struct ucred *newcred = NULL, *oldcred;
-	struct uidinfo *euip;
+	struct uidinfo *euip, *saved_euip = NULL;
 	register_t *stack_base;
 	int error, len, i;
 	struct image_params image_params, *imgp;
-	struct vattr attr;
+	struct vattr attr, saved_attr;
 	int (*img_first)(struct image_params *);
 	struct pargs *oldargs = NULL, *newargs = NULL;
 	struct procsig *oldprocsig, *newprocsig;
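Review bot: `saved_attr` is declared without an initializer, yet the @@ -462 and @@ -511 hunks read `saved_attr.va_mode` on every exec, while the only assignment to it (in the @@ -330 hunk) sits inside `if (imgp->interpreted)`; for a plain binary that reads an indeterminate struct, which is undefined behaviour and can make `credential_changing` depend on whatever happened to be on the stack. Initialize it at the declaration, `struct vattr attr, saved_attr = { 0 };`, so the new tests are no-ops whenever no script was involved, and document the coupling with `/* attributes of the script when imgp->interpreted; zero otherwise */`. The enclosing function begins and ends outside this hunk.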
@@ -330,6 +330,8 @@
 	 * activate the interpreter.
 	 */
 	if (imgp->interpreted) {
+		saved_attr = *imgp->attr;
+		saved_euip = uifind(saved_attr.va_uid);
 		exec_unmap_first_page(imgp);
 		/*
 		 * VV_TEXT needs to be unset for scripts.  There is a short
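Review bot: The copy of `*imgp->attr` and the `uifind()` on the next line are taken for every interpreted image, before anything has established that the script carries a set-id bit or that its mount permits set-id execution; it would be tighter to take them only `if (imgp->attr->va_mode & (VSUID | VSGID))`. More importantly, these are the attributes of the script vnode the kernel opened, whereas the interpreter that is started afterwards is handed the script's pathname and reopens it itself, so the file whose set-id bit grants the credentials is not guaranteed to be the file the interpreter actually reads; that gap is the reason the stock kernel ignores set-id bits on interpreted images, and a comment here should record it so nobody treats this as equivalent to set-id on a binary. The surrounding `if (imgp->interpreted)` block continues beyond the hunk.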
@@ -462,6 +464,10 @@
 	    attr.va_uid;
 	credential_changing |= (attr.va_mode & VSGID) && oldcred->cr_gid !=
 	    attr.va_gid;
+	credential_changing |= (saved_attr.va_mode & VSUID) &&
+	    oldcred->cr_uid != saved_attr.va_uid;
+	credential_changing |= (saved_attr.va_mode & VSGID) &&
+	    oldcred->cr_gid != saved_attr.va_gid;
 #ifdef MAC
 	will_transition = mac_execve_will_transition(oldcred, imgp->vp,
 	    interplabelvalid ? &interplabel : NULL, imgp);
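Review bot: The two added `credential_changing` terms use the script's saved attributes, but the gate that follows this hunk — presumably of the form `if (credential_changing && (imgp->vp->v_mount->mnt_flag & MNT_NOSUID) == 0 && ...)` — tests only the mount of `imgp->vp`, which at this point is the interpreter rather than the script; if so, a script on a `nosuid` filesystem whose interpreter lives on an ordinary one would still change credentials. Capture the script's mount flag alongside `saved_attr` in the @@ -330 hunk, e.g. `saved_nosuid = (imgp->vp->v_mount->mnt_flag & MNT_NOSUID) != 0;`, and fold `!saved_nosuid` into both new terms here. The statement being extended starts above the hunk, so the `credential_changing = 0` reset is not visible and should be confirmed.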
@@ -511,6 +517,10 @@
 			change_euid(newcred, euip);
 		if (attr.va_mode & VSGID)
 			change_egid(newcred, attr.va_gid);
+		if (saved_attr.va_mode & VSUID)
+			change_euid(newcred, saved_euip);
+		if (saved_attr.va_mode & VSGID)
+			change_egid(newcred, saved_attr.va_gid);
 #ifdef MAC
 		if (will_transition) {
 			mac_execve_transition(oldcred, newcred, imgp->vp,
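Review bot: `change_euid(newcred, saved_euip)` dereferences `saved_euip` with no NULL check; it is non-NULL only when the @@ -330 hunk ran, and that hunk is also the only writer of `saved_attr`, so the safety of this call rests on an invariant the code never states. Make it explicit with `KASSERT(saved_euip != NULL, ("set-id script without saved uidinfo"));` before the call, and note that because the script's bits are applied after the interpreter's, a set-id script overrides a set-id interpreter — `/* script's set-id bits take precedence over the interpreter's */`. The enclosing `if (credential_changing ...)` block opens above the hunk.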
@@ -603,6 +613,8 @@
 	 * Free any resources malloc'd earlier that we didn't use.
 	 */
 	uifree(euip);
+	if (saved_euip)
+		uifree(saved_euip);
 	if (newcred == NULL)
 		crfree(oldcred);
 	else
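Review bot: `uifree(saved_euip)` runs only on paths that reach this cleanup block, but the reference was taken in the @@ -330 hunk inside the interpreted branch, so any error exit between that `uifind()` and here that does not pass through this point leaks a uidinfo reference; the function's error labels are outside the hunk, so this must be checked against the full exit structure. Whether `uifree()` tolerates NULL is not visible here, so the `if (saved_euip)` guard is prudent, but if `change_euid()` takes its own reference — as the unconditional `uifree(euip)` just above suggests — releasing `saved_euip` right after the `change_euid()` call in the @@ -511 hunk would remove the dependency on the exit path altogether.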

