writing logs in a file that needs root previlages
in [General Linux]
|
Prev: Ubuntu on lowram
Next: System Noise - pulsing whir
From: Rahul on 2 Jun 2010 23:30 I have a bash wrapper command with permissions: -rwxr-xr-x 1 root root Thus only root can modify this wrapper but any user can use it as a command. This is a simple bash script. Within this script I need to write a comment to a log file. I'd prefer if this log file was only readable / modifyable by root alone. Is there a way to do this? I tried giving the log file these permissions: -rw-rw-r-- 1 root root But then when I run the command as a regular user it seems to not be able to write to the log file: /opt/bin/qsub: line 33: /var/log/qstats.submit.rpn: Permission denied Of course, if I make the log file world writable all is OK but then the point behind keeping the logs secure is defeated. One way I was thinking of was a previlage escalation at the point the log needs to be written. But setuid seems to be a C call. Anyway of doing this in a bash script? Or maybe other ways out? -- Rahul
From: AZ Nomad on 2 Jun 2010 23:59 On Thu, 3 Jun 2010 03:30:09 +0000 (UTC), Rahul <nospam(a)nospam.invalid> wrote: >I have a bash wrapper command with permissions: >-rwxr-xr-x 1 root root >Thus only root can modify this wrapper but any user can use it as a >command. This is a simple bash script. >Within this script I need to write a comment to a log file. I'd prefer if >this log file was only readable / modifyable by root alone. Is there a way >to do this? >I tried giving the log file these permissions: >-rw-rw-r-- 1 root root >But then when I run the command as a regular user it seems to not be able >to write to the log file: >/opt/bin/qsub: line 33: /var/log/qstats.submit.rpn: Permission denied >Of course, if I make the log file world writable all is OK but then the >point behind keeping the logs secure is defeated. >One way I was thinking of was a previlage escalation at the point the log >needs to be written. But setuid seems to be a C call. Anyway of doing this >in a bash script? >Or maybe other ways out? sudo or syslog come to mind
From: Aragorn on 3 Jun 2010 00:20 On Thursday 03 June 2010 05:30 in comp.os.linux.misc, somebody identifying as Rahul wrote... > I have a bash wrapper command with permissions: > -rwxr-xr-x 1 root root > > > Thus only root can modify this wrapper but any user can use it as a > command. This is a simple bash script. > > Within this script I need to write a comment to a log file. I'd prefer > if this log file was only readable / modifyable by root alone. Is > there a way to do this? Yes, you can set the script's SUID bit so that whoever runs it, runs it with the privileges of the owner, i.e. root. However, depending on what the script does - we don't know that as you're not telling us - this may not be a valid option. The script might have some privilege escalation exploit. > I tried giving the log file these permissions: > -rw-rw-r-- 1 root root > > But then when I run the command as a regular user it seems to not be > able to write to the log file: > /opt/bin/qsub: line 33: /var/log/qstats.submit.rpn: Permission denied > > Of course, if I make the log file world writable all is OK but then > the point behind keeping the logs secure is defeated. > > One way I was thinking of was a previlage escalation at the point the > log needs to be written. But setuid seems to be a C call. Anyway of > doing this in a bash script? Just change the permissions on the executable - or eventually, if present, on the executable it calls upon to do the writing to the log - to include the SUID bit. -- *Aragorn* (registered GNU/Linux user #223157)
From: Robert Riches on 3 Jun 2010 00:30 On 2010-06-03, Rahul <nospam(a)nospam.invalid> wrote: > I have a bash wrapper command with permissions: > -rwxr-xr-x 1 root root > > > Thus only root can modify this wrapper but any user can use it as a > command. This is a simple bash script. > > Within this script I need to write a comment to a log file. I'd prefer if > this log file was only readable / modifyable by root alone. Is there a way > to do this? > > I tried giving the log file these permissions: > -rw-rw-r-- 1 root root > > But then when I run the command as a regular user it seems to not be able > to write to the log file: > /opt/bin/qsub: line 33: /var/log/qstats.submit.rpn: Permission denied > > Of course, if I make the log file world writable all is OK but then the > point behind keeping the logs secure is defeated. > > One way I was thinking of was a previlage escalation at the point the log > needs to be written. But setuid seems to be a C call. Anyway of doing this > in a bash script? > > Or maybe other ways out? Most *ix system disallow suid-root scripts, because there are too many ways for those to cause security problems. One option would be to write a very short C program that opens one file using an absolute path/filename, copies up to 50 or 100 or whatever characters from stdin to the file, then closes the file. Make the binary suid-root and call it from the script. There's probably some way of doing it with syslogd, but I don't know for sure. -- Robert Riches spamtrap42(a)verizon.net (Yes, that is one of my email addresses.)
From: Rahul on 3 Jun 2010 01:09
Aragorn <aragorn(a)chatfactory.invalid> wrote in news:hu7aj3$6ll$3 @news.eternal-september.org: > However, depending on what the script does - we don't know that as > you're not telling us - this may not be a valid option. The script > might have some privilege escalation exploit. > Here's the entire script. Not doind much except running the qsub command and then logging a bunch of basic stats. The qsub command is world executable. #################### #!/bin/bash LOGFILE=/var/log/qstats.submit.rpn TEMP_OUTPUT=`/opt/torque/bin/qsub $*` if [ $? == 0 ] then INPUTFILE=$1 OUTPUT="${TEMP_OUTPUT}" else OUTPUT="SubmitError" fi echo $OUTPUT DATE_VAR=`date '+%m/%d/%y_%H:%M'` DATE_VAR2=`date "+%s"` echo -ne "${OUTPUT};\t" >> $LOGFILE echo -ne "${DATE_VAR};\t" >> $LOGFILE echo -ne "${DATE_VAR2};\t" >> $LOGFILE echo >> $LOGFILE ######################### -- Rahul |