
I have 2 files in the /tmp/.

  • The first one is an empty file named "file" with permission -rw------- and owner root:root.

  • The second file is named "script" which is a simple Ruby script with permission -rwsr-xr-x and owner root:root. The contents of the script file are:

#!/usr/bin/env ruby
$-v = true   # same as running ruby -w: enable verbose warnings

# Overwrite ./file (relative to the current working directory) with 100 random lowercase letters
IO.write( File.join(Dir.pwd, 'file'), 100.times.map { rand(97..122).chr }.join << ?\n )

The file "file" has the same permission as the /etc/shadow file:

# ls -l /etc/shadow
-rw------- 1 root root 1045 Sep 22 04:13 /etc/shadow

# ls -l file
-rw------- 1 root root 6 Nov 29 12:22 file

The Ruby script "script" has the same permission as the passwd command:

$ ls -l $(type -p passwd)
-rwsr-xr-x 1 root root 63624 Nov 13 22:28 /usr/bin/passwd

# ls -l script
-rwsr-xr-x 1 root root 78 Nov 29 12:22 script

I can run ./script as root which replaces the contents of the file "file" with some random string.

But when I run ./script as a non-root user, Ruby raises Errno::EACCES.

Can I write to the root-writable file "file" as a non-root user by correctly setting up the SUID permission?

S.Goswami

  • you are talking about suid bit. https://www.thegeekdiary.com/what-is-suid-sgid-and-sticky-bit/ – Chaoxiang N Nov 29 '19 at 14:43
  • Thanks, I have edited the question – S.Goswami Nov 29 '19 at 15:26
  • Suid bit is ignored on scripts (executable files with shebang interpreter). – kupson Nov 29 '19 at 19:53
  • If I remove the #! line, then (1) it's not recognized as a Ruby file, (2) running it with the Ruby interpreter also raises Errno::EACCES – S.Goswami Nov 29 '19 at 23:16
  • I have also tried it with the Crystal programming language. The compiler produces a compiled binary. The program writes to the file. I can just execute that to write a random string to the file, but I am getting a permission error when non-root users try to access the file. I am surely doing something wrong? Otherwise how does passwd not raise `Errno::EACCES` (assuming it's in C) when non-root users run it? – S.Goswami Nov 30 '19 at 04:33
  • Tutorials like https://www.thegeekdiary.com/what-is-suid-sgid-and-sticky-bit/ and the others I have seen teach how to set the sticky bit, but they don't demonstrate the purpose of doing so. They don't test that the files are writable. So I am seeking the help of serverfault... – S.Goswami Nov 30 '19 at 04:34

1 Answer

You could try using an Access Control List (ACL) instead. In the command below I (dmo) give the user bob read/write access to a file called test:

$ setfacl -m u:bob:rw test

Now ls shows a + sign at the end of the permissions to indicate that an ACL is in effect on a file.

$ ls -l
total 4
-rw-rw-r--+ 1 dmo dmo 0 Nov 29 07:22 test

To see what the ACL allows use getfacl:

$ getfacl test
# file: test
# owner: dmo
# group: dmo
user::rw-
user:bob:rw-
group::rw-
mask::rw-
other::r--

As you can see, bob now has the write access he needs.

If you want to remove the ACL you can use setfacl --remove-all:

$ setfacl --remove-all test
$ ls -l
total 0
-rw-rw-r--. 1 dmo dmo 0 Nov 29 07:22 test

There are some good tutorials around on ACLs, which are an often overlooked feature: https://linuxconfig.org/how-to-manage-acls-on-linux

Finally, be very careful of who you allow to write to files owned/read by the root user.

gm3dmo

  • That works, but how do I revert/undo the effect of the setfacl command? – S.Goswami Nov 29 '19 at 07:40
  • Answer updated to add remove ACL command. – gm3dmo Nov 29 '19 at 07:54
  • I am wondering why it is not working (as root) on my second partition with Nil file system mounted on /mnt/ – S.Goswami Nov 29 '19 at 08:28
  • It's possible NILFS does not support ACL? It does say "Basic POSIX file system features" here: https://en.wikipedia.org/wiki/NILFS. You can try adding -o acl to the mount options. – gm3dmo Nov 29 '19 at 21:43
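As an added example (not code from the question or the answer), the following Python audits a getfacl listing like the one in the answer and reports which principals end up with write access, applying the mask entry to the named-user, named-group and owning-group entries it governs. The SAMPLE listing is constructed to mirror the root-owned "file" from the question after an ACL grant to bob.

```python
# Added example, not code from the answer: audit a getfacl listing for write access.
# Named users, named groups and the owning group are limited by the mask; owner and other are not.

def parse_getfacl(text):
    """Return [(tag, qualifier, perms), ...] from getfacl output."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#')[0].strip()       # drops comments and "#effective:" notes
        if not line or line.startswith('default:'):
            continue                           # default entries govern new files only
        tag, qualifier, perms = line.split(':')[:3]
        entries.append((tag, qualifier, perms))
    return entries

def _label(tag, qualifier):
    if qualifier:
        return f"{tag}:{qualifier}"            # named user or named group
    return {'user': 'owner', 'group': 'owning_group', 'other': 'other'}[tag]

def effective_perms(entries):
    """Map each principal to the permissions it actually gets after masking."""
    mask = next((p for t, _, p in entries if t == 'mask'), None)
    result = {}
    for tag, qualifier, perms in entries:
        if tag == 'mask':
            continue
        governed = tag == 'group' or (tag == 'user' and qualifier != '')
        if governed and mask is not None:      # AND each r/w/x bit with the mask
            perms = ''.join(p if p == m and p != '-' else '-'
                            for p, m in zip(perms, mask))
        result[_label(tag, qualifier)] = perms
    return result

def writers(text):
    """Sorted principals holding effective write permission."""
    return sorted(k for k, p in effective_perms(parse_getfacl(text)).items() if 'w' in p)

# Constructed sample: root-owned "file" after `setfacl -m u:bob:rw file`, with a mask of r--.
SAMPLE = """\
# file: file
# owner: root
# group: root
user::rw-
user:bob:rw-            #effective:r--
group::---
mask::r--
other::---
"""
```

With SAMPLE, writers(SAMPLE) returns only ['owner'] because the mask cuts bob's rw- down to r--; run it against the answer's listing and bob, the owning group and the owner all show up as writers.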