On 01/05/2012 10:42 AM, Alain Williams wrote:
> I am building a new machine and am trying very hard to not do as I
> have done before and switch selinux off. I am having problems
> getting things to work.
> I want one user to, on login, run a script setuid root -- it needs
> to be able to read all files in one part of the file system to back
> that part up to an externally mounted USB drive.
> I have a small setuid root program (written in C) that just runs
> the shell script.
> 1) Making that setuid program the user's login shell does not work. I
> could not see what to do.
> So I tried an intermediate step.
Why not use sudo? All of the code should work if he executed sudo.
> 2) Giving the user a standard bash login shell, then running the
> setuid root program at the command line does not do what I want. I
> put 'id' at the start of the script and got:
> uid=501(backup) gid=502(backup) groups=502(backup)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> I was expecting to see a 'uid=0'. The script then fails since it
> cannot do things that I want it to.
I do not think this would work with SELinux disabled either. A setuid
app has all capabilities; it will not automatically change to UID=0.
> I am running CentOS 6.
> I have done a lot of reading, but end up going round in circles and
> much of what I read seems to be out of date or refer to commands
> that I do not have.
> I understand that I ought to perhaps produce a specific security
> profile for the 'backup' user - but can't see how to start.
> Any pointers would be gratefully received.
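An added example, not code from this thread, showing why the script launched from the setuid-root wrapper still reports uid=501: a setuid-root binary gains effective uid 0 but keeps the caller's real uid, and bash drops the effective uid back to the real one whenever the two differ, so `id` inside the script sees the backup user. The wrapper below classifies the uid state and makes all uids consistent with setresuid() before exec'ing the script; the script path is an assumed placeholder.

```c
/* Setuid-root wrapper: explains and fixes the "uid=501" symptom.
 * Assumed script path: /usr/local/sbin/backup.sh (placeholder). */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

enum uid_state {
    UNPRIVILEGED,   /* euid != 0: binary is not setuid root at all */
    EUID_ONLY,      /* euid == 0 but ruid != 0: bash will drop euid to ruid */
    FULL_ROOT       /* ruid == euid == 0: a child shell keeps root */
};

/* Classify a (real, effective) uid pair as a child bash will treat it. */
enum uid_state classify_uids(uid_t ruid, uid_t euid)
{
    if (euid != 0)
        return UNPRIVILEGED;
    if (ruid != 0)
        return EUID_ONLY;
    return FULL_ROOT;
}

int main(void)
{
    static char *const argv[] = { "/usr/local/sbin/backup.sh", NULL };
    /* Minimal, fixed environment: never inherit the caller's PATH etc. */
    static char *const envp[] = { "PATH=/usr/bin:/bin", NULL };

    switch (classify_uids(getuid(), geteuid())) {
    case UNPRIVILEGED:
        fprintf(stderr, "not running setuid root; refusing to continue\n");
        return 1;
    case EUID_ONLY:
        /* Make ruid == euid == saved uid == 0 so the script's shell keeps
         * root instead of resetting euid to the caller's uid (501). */
        if (setresuid(0, 0, 0) != 0) {
            perror("setresuid");
            return 1;
        }
        break;
    case FULL_ROOT:
        break;
    }
    execve(argv[0], argv, envp);   /* absolute path, no shell in between */
    perror("execve");
    return 1;
}
```

Following the reply's suggestion instead, a single sudoers rule such as `backup ALL=(root) /usr/local/sbin/backup.sh` gives the same effect without maintaining a setuid binary, and sudo logs each invocation.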