I wrote this tiny script:

#!/usr/bin/env -S bash -xeuo pipefail
whoami
cd /repo && git fetch origin master && git merge -s recursive -X theirs origin/master

And set the u+s bit which I thought made it so that when running the script it would run as the user who owns the file:

chmod a=,u=rwxs,g=rx /usr/local/bin/force-update-repo

But when I switch to www-data and try to run it:

su www-data -s /bin/bash

It seems to run as www-data not root:

force-update-repo
+ whoami
www-data
+ cd /repo
+ git fetch origin master
error: cannot open .git/FETCH_HEAD: Permission denied

I have a process that's running as www-data and I want to give them elevated permissions to run this script. How can I do that?

mpen

  • The setuid bit works only for binaries which are executed directly by the kernel. Scripts are read and run by the interpreter, which means the setuid bit does nothing. – Artem S. Tashkinov Feb 07 '21 at 09:03
  • There is a Well Known Major Security Flaw that comes with setuid interpreter scripts. Modern systems disallow it. perl's taint system provides a level of safety. – waltinator Feb 08 '21 at 01:46
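
The comments above point out why the trace shows `whoami` printing www-data: when execve() runs a `#!` script, the kernel starts the interpreter with the caller's uid/gid and ignores the setuid bit on the script file, so the bit on force-update-repo is dead weight. The following is an added example, not code from the question or the commenters: a small audit that walks a directory tree and lists setuid/setgid files whose first two bytes are `#!`, i.e. exactly the kind of file where the bit can never take effect. The function names are mine; it assumes GNU find (for `-perm /mode`) and a `head` that accepts `-c`.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Finds interpreted scripts that
# carry a setuid or setgid bit the kernel will never honour.
# Assumptions: GNU find (-perm /6000 = "either setuid or setgid set"),
# head -c available. Function names are illustrative.

# Print the path of every regular file under $1 that has the setuid or setgid
# bit set and whose first two bytes are "#!". Each hit is a script whose
# owner-privilege bit does nothing, just like force-update-repo in the question.
find_setuid_scripts() {
  find "$1" -xdev -type f -perm /6000 -exec sh -c '
    for f; do
      # A shebang script starts with the two bytes "#!"; read only those.
      if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
        printf "%s\n" "$f"
      fi
    done
  ' sh {} +
}

# Count such files under $1; 0 means no ineffective setuid/setgid scripts.
count_setuid_scripts() {
  find_setuid_scripts "$1" | wc -l | tr -d ' '
}

# Usage: ./audit-setuid-scripts.sh /usr/local/bin
# Prints one path per line; pipe into "xargs ls -l" to see mode and owner.
if [ $# -gt 0 ]; then
  find_setuid_scripts "$1"
fi
```

Run it against /usr/local/bin on the machine from the question and it reports force-update-repo, confirming that the `s` in `-rwsr-xr-x` is cosmetic for a script; a compiled binary with the same mode would not be listed because it does not begin with `#!`.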
