[Nix-dev] Setuid wrapper for bash script
Daniel Hlynskyi
abcz2.uprola at gmail.com
Wed Sep 14 23:04:03 CEST 2016
> You probably need to use "bash -p", otherwise bash will drop its root
> privileges on startup.
Thanks, that's it
> Shell scripts cannot be setuid:
> http://stackoverflow.com/questions/18698976/suid-not-working-with-shell-script
Thanks! Actually, I really missed the case when a user could alter PATH with
a custom `systemctl` and execute arbitrary code.
restartScript = pkgs.writeScriptBin "defenders" ''
  #!${pkgs.bash}/bin/bash -p
  [[ -z "$1" ]] && echo Specify operation: start, stop, restart, status && exit 1
  ${pkgs.systemd}/bin/systemctl "$1" defenders.service
'';
Still, I'm not sure whether I've done it right, maybe better would be to su
as root and clear shell variables?
> Hi. You could also consider writing a polkit rule or using sudo.
Probably you're right, I don't know how to restrict script execution to
a specific group with setuid/setgid...
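An added example, not part of this thread or of Nix: a small C helper that could stand in for the bash script as the setuid binary, allowlisting the operation and executing systemctl with a constant environment so the caller's PATH never reaches the privileged process. The SYSTEMCTL path and the use of `--no-pager` are assumptions; limiting use to one group is done with file ownership and mode (root:<group>, 4750), outside this code.

```c
/* Added example: setuid-root helper for a single unit (not from the thread). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumption: absolute path to systemctl. On NixOS, substitute the store
   path (${pkgs.systemd}/bin/systemctl) when the helper is built. */
#ifndef SYSTEMCTL
#define SYSTEMCTL "/run/current-system/sw/bin/systemctl"
#endif
#define UNIT "defenders.service"

/* Return 1 only for the four operations the original script advertises. */
int op_allowed(const char *op)
{
    static const char *const allowed[] = { "start", "stop", "restart", "status" };
    if (op == NULL)
        return 0;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(op, allowed[i]) == 0)
            return 1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2 || !op_allowed(argv[1])) {
        fprintf(stderr, "usage: defenders start|stop|restart|status\n");
        return 1;
    }
    /* Set the real uid as well, so systemctl does not run with mixed ids. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    /* Fixed argv and a constant environment: the caller's PATH, IFS, LD_*
       and BASH_ENV are discarded. --no-pager keeps an interactive pager
       from being started as root for "status". */
    char *const args[] = { "systemctl", "--no-pager", argv[1], UNIT, NULL };
    char *const env[]  = { "PATH=/nonexistent", NULL };
    execve(SYSTEMCTL, args, env);
    perror("execve");
    return 1;
}
```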