2

On Unixes (including Gnu/Linux) suid/sgid (or file capabilities) is the only, native (all other ways use this way), way to escalate privileges.

As a sysadmin, I like to write scripts as they are easy, and well adated to the task. However suid and sgid is not honoured for scripts and other interpreted languages.

Therefore I would like to find some alternatives. (I don't mind general solutions, or special cases).

ctrl-alt-delor
  • 27,993
  • I think I was able to work around this at some point by using a small C application with suid set which then loaded a shell script. Would something like this with for you? – Zhro Apr 16 '19 at 19:32
  • @zhro. I have updated the question. To explain why I like scripting languages. Your solution should not be discounted 100% (sudo falls into this category), but does pose some security problems. And why re-write the wheel. – ctrl-alt-delor Apr 16 '19 at 19:37
  • @ctrl-alt-delor Are you referring to UNIX (possibly de-facto) standards only ? else I believe each UNIX implementation has its own access control feature(s) in addition to the standard ones. E.g. Linux implements Posix ACLs plus its own Security Modules (AppArmor, SELinux, etc.), plus its own Capabilities (this latter being directly related to root/non-root suid/sgid functionalities) – LL3 Apr 17 '19 at 11:51
  • @LL3 I am not asking about access control. I am asking about privilege escalation (root/ and as you correctly point out, as do I in the question) capabilities. I understand what your comment is about. – ctrl-alt-delor Apr 17 '19 at 14:09
  • 1
    @ctrl-alt-delor :-) I'm sure you understand my comment. What I'm not sure is whether I fully understand what you'd like to be answered about: UNIX standard alternatives to privilege escalation capabilities (usable by shell scripts) ? or rather Linux-(or-other/all-UNIX)-specific ones? For example: Linux's Capabilities can be used by shell scripts through the capsh command. I might elaborate on that if it is on-topic with your question. – LL3 Apr 17 '19 at 17:04
  • @LL3 sounds good. I have a few, that I will add, but did not think of that. And no I did not understand (sorry I missed a not). – ctrl-alt-delor Apr 17 '19 at 17:08
  • @LL3 can you write up capsh? And we should tidy (remove) these comments. – ctrl-alt-delor Apr 17 '19 at 17:31

1 Answers1

2

There are a variate of methods, here are a few:

  • Use sudo in an ad-hoc way. This can be used by the admins (that have full sudo privileges).
  • Configure /etc/sudoers, to allow specific scripts to be run as sudo (without password, or by any user).
  • If all you want to do is bind to low-numbered-ports, then use authbind.
  • Write in a different language, that compiles to a statically linked executable. go, is quiet good, as easy-ish to use.
  • Write a launcher to do the privileged stuff, and drop privileges, before execing a new process to run the script.
ctrl-alt-delor
  • 27,993