Does openSUSE chmod support the setuid bit?

Hi,
I have tried to set a program (rasr)

    chmod 4777 rasr

But the changes don’t seem to work as desired.
Is this supported?
Thank you,
Augie

On 12/04/2012 03:16 PM, AugieHenriques wrote:
> Hi,
> I have tried to set a program (rasr)
>
>     chmod 4777 rasr

Supported, but not for scripts (for example). So what is rasr?

Hi.
Not interested in scripts! :)
It’s a program to “run as root”, rasr!
For example, I have a program, “io” to access programmed I/O.
In the past we just set the permissions and then a normal user (non-root) can run it without any issues.

I don’t want to use “sudo” nor become root all the time!

Thank you,
Augie

Please illustrate your “story” with real computer facts. Not only the command you gave without any reaction from the system, but something like a complete session with

ls -l rasr
chmod 4777 rasr
ls -l rasr

to show us what the status was, what you did and what the status became.

Always copy/paste from your terminal window including the prompt, the command(s), the output and the next prompt. That will tell us much more than you can do with “story telling”.

On 12/04/2012 10:36 PM, AugieHenriques wrote:
> I don’t want to use “sudo” nor become root all the time!

sure, it is your machine and your data, but if you want to avoid
operating procedures which make Linux more secure than most, then why
not just run that other system and avoid sudo and root altogether?

i mean, if you bypass the security features why go to the trouble to run
an industrial strength product…

by the way, where did you get this “rasr” program? (google turns up zero
on it…)


dd

On 2012-12-04 22:36, AugieHenriques wrote:
>
> Hi.
> Not interested in scripts! :)
> It’s a program to “run as root”, rasr!
> For example, I have a program, “io” to access programmed I/O.
> In the past we just set the permissions and then a normal user
> (non-root) can run it without any issues.

Of course it works. See:


Telcontar:~/tmp/p # l dummy
-rw-r--r-- 1 root root 0 Dec  4 22:54 dummy
Telcontar:~/tmp/p # chmod u+xs dummy
Telcontar:~/tmp/p # l dummy
-rwsr--r-- 1 root root 0 Dec  4 22:54 dummy*
Telcontar:~/tmp/p #

Work it out in octal if you prefer.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

Hi,
I understand about the security issues.
These systems will be isolated, no connection to the real world.

This is my own code.

    sprintf(buffer, "/bin/cp %s /sea/bin/%s", gFileName, gFileName);
    system(buffer);
    
    // if the file is not there, lets wait a little
    // else the chown, chgrp and chmod will complain
    usleep(10);

//printf("%s\n", buffer);
    sprintf(buffer, "chown root /sea/bin/%s", gFileName);
    system(buffer);
    sprintf(buffer, "chgrp root /sea/bin/%s", gFileName);
    system(buffer);
    sprintf(buffer, "chmod 4777 /sea/bin/%s", gFileName);
    system(buffer);

These are the permissions in the proprietary bin2 directories.

/sea/bin2# ls -l
total 48
drwxrwxrwx 2 root root  4096 Dec  4 17:22 ./
drwxrwxrwx 5 root root  4096 Feb 22  2012 ../
-rwxrwxrwx 1 root root 10081 Dec  4 17:23 casr*
-rwsrwxrwx 1 root root 10081 Dec  4 15:20 casr2*
-rwxrwxrwx 1 root root    41 Feb 22  2012 cleanall*
-rwsrwxrwx 1 root root 10047 Dec  4 15:08 ctol*
/sea/bin2# 


This is what I get when I run the code above!

/src/casr> casr2 casr
chown: changing ownership of ‘/sea/bin2/casr’: Operation not permitted
chgrp: changing group of ‘/sea/bin2/casr’: Operation not permitted
chmod: changing permissions of ‘/sea/bin2/casr’: Operation not permitted
/src/casr> 

Thank you,
Augie
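
An added example, not part of the original post or the poster's program: the chown, chgrp and chmod steps done with `fchown()` and `fchmod()` on an open descriptor instead of `system()`, after checking the file name and the effective UID. The system(3) manual page notes that when /bin/sh is bash the shell drops set-user-ID privileges at startup, so commands launched through `system()` from a setuid program run with the caller's own rights. The names `is_safe_name` and `make_setuid_root`, the allowed-character policy and mode 04755 (rather than the post's 4777) are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical policy: a plain file name only, so no '/', no leading
   '.' or '-', and nothing a shell would interpret. */
static const char ALLOWED[] = "abcdefghijklmnopqrstuvwxyz"
                              "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";

int is_safe_name(const char *name)
{
    size_t n = strlen(name);
    return n > 0 && n <= 64 && name[0] != '.' && name[0] != '-' &&
           strspn(name, ALLOWED) == n;
}

/* Make an already-copied file root:root with the set-user-ID bit, working
   on an open descriptor so the path cannot be swapped between the calls.
   Returns 0, or -1 with errno set (EPERM when not running as root). */
int make_setuid_root(int dirfd, const char *name)
{
    if (!is_safe_name(name)) { errno = EINVAL; return -1; }
    if (geteuid() != 0)      { errno = EPERM;  return -1; }

    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    int rc = fstat(fd, &st);
    if (rc == 0 && !S_ISREG(st.st_mode)) { errno = EINVAL; rc = -1; }
    if (rc == 0) rc = fchown(fd, 0, 0);  /* chown root + chgrp root */
    if (rc == 0) rc = fchmod(fd, 04755); /* after chown, which clears the bit */

    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

int main(int argc, char **argv)
{
    if (make_setuid_root(AT_FDCWD, argc == 2 ? argv[1] : "") == 0)
        return 0;
    perror("make_setuid_root");
    return 1;
}
```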

> This is what I get when I run the code above!
>
>     /src/casr> casr2 casr
>     chown: changing ownership of ‘/sea/bin2/casr’: Operation not permitted
>     chgrp: changing group of ‘/sea/bin2/casr’: Operation not permitted
>     chmod: changing permissions of ‘/sea/bin2/casr’: Operation not permitted
>     /src/casr>

Did you run your command, which tries to do the chmod-ing, as a user
with privileges to do the chmod-ing? A regular user cannot do this to
just any file any more than a regular user can just delete any file; you
must have rights over that file in order to do something to it. Run
your program that makes this change as ‘root’, or else just do it via
the command line for now to prove it’s your program’s lack of rights at
fault for these errors.

Good luck.

On 2012-12-04 23:26, AugieHenriques wrote:

> This is what I get when I run the code above!
>
>     /src/casr> casr2 casr

And you are surprised? casr is owned by root, and you are not root.

Which is why Henk requested that you post the full command prompt before
and after and all in between. And you did not, but still I can jump to a
conclusion having an educated guess with incomplete data. This time.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

Exactly what Carlos says. Only thing is that I refuse to unhide my educated guess until you show yourself where you did something wrong.

By the way, your remark about your system not connected to the “real world” is rather stupid. By forcing yourself to use root only when needed, and to use the root password to become root, you not only protect against “foreign” intruders, but also against local intruders and, most important, against yourself. You will not like my next forecast: the same attitude that brought you to the idea of not needing a root password will bring you into borking your system rather soon. It is the attitude of infallibility, much more dangerous than the “real world”.

How do I manage the user privileges?

Thank you,
Augie

> How do I manage the user privileges?

This question seems out of place, so I think you’re asking something
that I cannot divine from this short sentence. Exactly what do you
mean? Your program uses the chmod command which is one of the main ways
to modify user privileges, along with chown, chgrp, and setfacl.

The way to fix your problem is as stated before:

“Run your program that makes this change as ‘root’…”

Good luck.

Hi,
He said a user with privileges can do what I was trying to accomplish.
A normal user no.
So, I would like to understand the differences as far as this is concerned and how to manage/change it.
That is why I asked about a user with privileges.
Also a bit confused about the user and group administration as far as assigning a primary group and other groups.
If the user augie, has “sea” and “root” groups does that make it privileged?
I have tried it but it doesn’t seem to work.
Thank you,
Augie

There is only one “privileged” user normally and that is ‘root’… all
other users are unprivileged as they should be. The reason ‘root’ is
privileged is because it owns the / filesystem, and also in many cases
because its UID is zero (no, you cannot/shouldn’t try to give another
user UID zero as well as UIDs are unique (‘U’ == Unique)). As a result
any permissions from this point on come from owning a file or directory.

In your case the files you are trying to modify are user-owned by
‘root’, and since you are trying to set the SUID bit it is likely that
is how you would like things to stay, but that means that in order to
change that file’s permissions you must either be the user-owner (which
happens to be ‘root’) or the privileged user (also ‘root’).

Changing permissions on a file or directory is the domain of the
user-owner of that file or directory. Group-owners (the groups listed
on files or directories) are given rights, based on the assigned
permissions, to read/write/execute that file or directory (or its
contained files in the case of a directory) but the group-owner does not
have the ability to change permissions like the user-owner does.

A user can be a member of as many groups as they’d like, and they get
the rights that come from being a member of that group regardless of
whether that group is their primary group or one of their other groups.
The names of groups are as irrelevant as the names of users and so they
have no significance when comparing them to other names in a system.
Specifically, the ‘root’ group is given a lot of read rights, but
typically has few rights permitting members to change anything. A
member of the ‘root’ group is very trusted, but does not usually have a
lot of power. Another “powerful” group is often named ‘wheel’ for
whatever reason (I do not know the history); specifically this group is
listed as an example of a user given more power via sudo.

In order to make a common/weak user privileged you can either give the
user the ‘root’ password or enable them to do things with ‘root’
privileges using something like sudo or a similar program (Novell/NetIQ
has a product called Privileged User Manager which does this very well,
for the record). Basically this lets you call commands as I specified
earlier with ‘sudo’ and, for that one command, a user can have the
rights of the user specified in the /etc/sudoers file (typically ‘root’
rights). The benefit is that you can give out access granularly so that
a user with assigned tasks of Apache Tomcat administration can have
rights to restart that service while not having rights to restart other
services or the entire system.

Good luck.

On 2012-12-05 17:26, AugieHenriques wrote:

> That is why I asked about a user with privileges.
> Also a bit confused the user and group administration as far as
> assigning a primary group and other groups.
> If the user augie, has “sea” and “root” groups does that make it
> privileged?

He will be able to chmod a file belonging to root, using group
“privileges”, only if the chmod command is itself setgid.

> I have tried it but it doesn’t seem to work.

Because it is defined not to work the way you think, but the way it is.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

Hi,
Thank you very much for the detailed information.
Augie