sh script pres binarku s SUID bitem


To <czdebian-l zavinac debian bod cz>
From "Jiří Jánský" <xJanskyJ zavinac seznam bod cz>
Date Thu, 5 Feb 2004 18:23:59 +0100

Dobry den,
uz se to tu trochu rozebiralo a taky to neni vec, ktera by primo
souvisela s Debianem. Tak to prosim omluvte.
Jde o to, ze jsem se dozvedel, ze sh scripty ignoruje SUID bit.
A ja potrebuju cgi-bin script, ktery by restartoval squid server.
Pokusil jsem se tedy napsat kratky program v C, ktery
by pomoci funkce execvl() (nevim, jak je presny nazev,
je to "nadstavba" k funkci exec()) a pridelil mu SUID bit.
No a kdyz pak pod Debianem apache zazadal o tento soubor,
tak se squid server restartoval, ale apache napsal do prohlizece
chybu konfigurace a v logu spatnou hlavicku. V te dobe me
to celkem nevzrusovalo, protoze jsem si myslel, ze je tam nejaka
mala chyba a hlavne ze to alespon trochu funguje. Ale horsi to bylo
na serveru s RedHatem, kde maji byt scripty cilove pouzity. Tam to
apache neposlal vubec a pri pokusu o spusteni z prikazove radky
jsem zjistil ze ten program, ackoliv ma nastaveny SUID bit,
nespousti ten shelovy script s privilegiemi roota. Smula.
Po blizsim prozkoumani jsem si overil, ze SUID bit na binarky
funguje, ale na shellove scripty, ktere jsou spousteny binarkou
s SUID bitem, ne.
  Potrebuji totiz pres (nejlepe pres apache) restartovat squid 
server (treba pomoci teho script v /etc/init.d/squid restart).
Jedno z nabizenych reseni bylo periodicky spoustet kontrolu
konfiguracniho souboru squidu a pri zmene squid restartovat.
To se mi ale nelibi, protoze je potrebe restartovat maximalne
do jedne minuty a kontrola zmeny souboru dela zatez pocitace
i kdyz se s nim nepracuje.
Pokud by nekoho zajimalo, proc restartovat debiani squid slo
a redhati ne, tak na konci jsem prilozil restartovaci scripty.
Mate nekdo nejaky navrh, jak lze toto vyresit?
Za reakce predem dekuji        Jiri Jansky

_________________________________________________
debiani:

#! /bin/sh
#
# squid  Startup script for the SQUID HTTP proxy-cache.
#
# Version: @(#)squid.rc  2.20  01-Oct-2001  miquels zavinac cistron bod nl
#

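NAME=squid
DAEMON=/usr/sbin/squid
LIB=/usr/lib/squid
PIDFILE=/var/run/$NAME.pid
SQUID_ARGS="-D -sYC"

# Site overrides (e.g. SQUID_MAXFD, used by maxfds) come from
# /etc/default/squid when that file exists.
[ ! -f /etc/default/squid ] || . /etc/default/squid

# Fixed search path: the daemon is located through this PATH, not the caller's.
PATH=/bin:/usr/bin:/sbin:/usr/sbin

# Quietly do nothing when the daemon binary is missing or not executable.
# Quoted so a pathological DAEMON value cannot word-split the test.
[ -x "$DAEMON" ] || exit 0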

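#
# grepconf2 KEY DEFAULT
# Print the 2nd argument of the first "KEY arg1 arg2 ..." line found in
# /etc/$NAME.conf (e.g. the path from "cache_dir ufs /path ..."), or DEFAULT
# when no such line exists or the file cannot be read.
#
grepconf2 () {
 # Field separators are a space and a tab; built with printf so the tab is
 # visible in the source instead of being an easily lost literal.
 w="$(printf ' \t')"
 sq=/etc/$NAME.conf
 # sed is cool: capture the 2nd argument, print it and quit at the first hit.
 res=$(sed -ne '
  s/^'"$1"'['"$w"']\+[^'"$w"']\+['"$w"']\+\([^'"$w"']\+\).*$/\1/p;
  t end;
  d;
  :end q' < "$sq")
 [ -n "$res" ] || res=$2
 echo "$res"
}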

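#
# Try to increase the # of filedescriptors we can open.
# Driven by SQUID_MAXFD (normally set in /etc/default/squid); a no-op that
# returns 0 when it is unset or when /proc/sys/fs/file-max is absent.
# Returns the status of ulimit otherwise.
#
maxfds () {
 # Explicit 0: a bare "return" here used to hand back the failed test's
 # status (1) even though "nothing to do" is not an error.
 [ -n "$SQUID_MAXFD" ] || return 0
 [ -f /proc/sys/fs/file-max ] || return 0
 # Cap the per-process request at 4096.
 [ "$SQUID_MAXFD" -le 4096 ] || SQUID_MAXFD=4096
 global_file_max=$(cat /proc/sys/fs/file-max)
 # Keep the system-wide cap at least 4096 above our own limit.
 minimal_file_max=$((SQUID_MAXFD + 4096))
 if [ "$global_file_max" -lt "$minimal_file_max" ]
 then
  echo "$minimal_file_max" > /proc/sys/fs/file-max
 fi
 ulimit -n "$SQUID_MAXFD"
}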

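#
# Start the proxy: refuse a 2.2.5-style cache_dir line, raise the fd limit,
# chdir into the cache_dir and hand over to start-stop-daemon.
# Exits 1 when squid.conf uses the old syntax or the cache_dir is unreachable.
#
start () {
 cdr=$(grepconf2 cache_dir /var/spool/$NAME)
 case "$cdr" in
  [0-9]*)
   # A numeric 2nd field is the 2.2.5-era cache_dir syntax, which this
   # script does not support.
   echo "squid: squid.conf contains 2.2.5 syntax - not starting!" >&2
   exit 1
   ;;
 esac
 maxfds
 umask 027
 # A failed cd used to be ignored, starting squid in the caller's cwd.
 cd "$cdr" || {
  echo "squid: cannot change to cache_dir $cdr - not starting!" >&2
  exit 1
 }
 # SQUID_ARGS is deliberately unquoted: it holds several options.
 start-stop-daemon --quiet --start \
  --pidfile "$PIDFILE" \
  --exec "$DAEMON" -- $SQUID_ARGS < /dev/null
 sleep 1
}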

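#
# stop [verbose]
# Ask start-stop-daemon to stop squid, then poll every 2 seconds (up to 120
# seconds) until the PID from the pidfile is really gone.  With "verbose"
# prints "done."/"$NAME." like the other actions.
# Returns 1 when the old process was still alive after the timeout, else 0.
#
stop () {
 failed=0
 PID=$(cat "$PIDFILE" 2>/dev/null)
 start-stop-daemon --stop --quiet --pidfile "$PIDFILE" --exec "$DAEMON"
 #
 # Now we have to wait until squid has _really_ stopped.
 #
 sleep 2
 if test -n "$PID" && kill -0 "$PID" 2>/dev/null
 then
  echo -n "Waiting ."
  cnt=0
  while kill -0 "$PID" 2>/dev/null
  do
   cnt=$((cnt + 1))
   if [ "$cnt" -gt 60 ]
   then
    #
    # Waited 120 seconds now. Fail.
    #
    echo -n " Failed.. "
    failed=1
    break
   fi
   sleep 2
   echo -n "."
  done
  [ "$1" = verbose ] && echo "done."
 else
  [ "$1" = verbose ] && echo "$NAME."
 fi
 # Explicit status: the trailing "[ verbose ] && echo" used to leak a 1
 # whenever the action was not verbose.
 return $failed
}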

#
# Action dispatcher: every action prints a one-line progress message;
# an unknown action prints the usage and fails.
#
case "$1" in
  start)
    printf '%s' "Starting proxy server: "
    start
    echo "$NAME."
    ;;
  stop)
    printf '%s' "Stopping proxy server: "
    stop verbose
    ;;
  reload|force-reload)
    printf '%s' "Reloading $NAME configuration files: "
    # Signal 1 (HUP) is delivered to the running daemon for the reload.
    start-stop-daemon --stop --signal 1 \
      --pidfile $PIDFILE --quiet --exec $DAEMON
    echo "done."
    ;;
  restart)
    printf '%s' "Restarting proxy server: "
    stop
    start
    echo "$NAME."
    ;;
  *)
    printf '%s\n' "Usage: /etc/init.d/$NAME {start|stop|reload|force-reload|restart}"
    exit 1
    ;;
esac

exit 0


________________________________________________________
redhati:

#!/bin/bash
# squid  This shell script takes care of starting and stopping
#  Squid Internet Object Cache
#
# chkconfig: - 90 25
# description: Squid - Internet Object Cache. Internet object caching is \
#  a way to store requested Internet objects (i.e., data available \
#  via the HTTP, FTP, and gopher protocols) on a system closer to the \
# requesting site than to the source. Web browsers can then use the \
# local Squid cache as a proxy HTTP server, reducing access time as \
# well as bandwidth consumption.
# pidfile: /var/run/squid.pid
# config: /etc/squid/squid.conf

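PATH=/usr/bin:/sbin:/bin:/usr/sbin
export PATH

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
# Quoted: with NETWORKING unset the unquoted form made "[" fail with a
# syntax error instead of evaluating the comparison.
[ "${NETWORKING}" = "no" ] && exit 0

# check if the squid conf file is present
[ -f /etc/squid/squid.conf ] || exit 0

if [ -f /etc/sysconfig/squid ]; then
  . /etc/sysconfig/squid
else
  SQUID_OPTS="-D"
  SQUID_SHUTDOWN_TIMEOUT=100
fi

# determine the name of the squid binary
[ -f /usr/sbin/squid ] && SQUID=squid
[ -z "$SQUID" ] && exit 0

prog="$SQUID"

# determine which one is the cache_swap directory: strip comments, keep only
# real cache_dir directives (anchored, so other lines merely containing the
# word are ignored) and take the 3rd field, the path in
# "cache_dir <type> <path> ..." lines.
CACHE_SWAP=$(sed -e 's/#.*//g' /etc/squid/squid.conf | \
  grep '^[[:space:]]*cache_dir[[:space:]]' | awk '{ print $3 }')
[ -z "$CACHE_SWAP" ] && CACHE_SWAP=/var/spool/squid

RETVAL=0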

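#######################################
# Initialise any cache_dir that has no swap directories yet, then launch squid.
# Globals:   CACHE_SWAP, SQUID, SQUID_OPTS, prog (read); RETVAL (written)
# Outputs:   progress text plus echo_success/echo_failure from the sourced
#            function library
# Returns:   RETVAL (see the note on the backgrounded start below)
#######################################
start() {
    # CACHE_SWAP is deliberately unquoted: it may hold several directories,
    # one per cache_dir line.
    for adir in $CACHE_SWAP; do
        if [ ! -d "$adir/00" ]; then
            echo -n "init_cache_dir $adir... "
            $SQUID -z -F 2>/dev/null
        fi
    done
    echo -n $"Starting $prog: "
    $SQUID $SQUID_OPTS 2> /dev/null &
    # Known limitation: "$?" after "&" is the status of putting the job in
    # the background (always 0), not of squid, so a start that fails right
    # away is still reported as a success here; "$SQUID -k check" (see
    # rhstatus) is the reliable probe.
    RETVAL=$?
    [ "$RETVAL" -eq 0 ] && touch "/var/lock/subsys/$SQUID"
    [ "$RETVAL" -eq 0 ] && echo_success
    [ "$RETVAL" -ne 0 ] && echo_failure
    echo
    return "$RETVAL"
}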

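#######################################
# Ask a running squid to shut down and wait until its pidfile disappears.
# Globals:   SQUID, prog, SQUID_SHUTDOWN_TIMEOUT (read); RETVAL, timeout (written)
# Outputs:   progress dots plus echo_success/echo_failure from the sourced
#            function library
# Returns:   0 when squid is gone, 1 when it was still up after the timeout,
#            or the non-zero status of "-k check" when squid was not running
#######################################
stop() {
    local limit
    echo -n  $"Stopping $prog: "
    $SQUID -k check >/dev/null 2>&1
    RETVAL=$?
    if [ "$RETVAL" -eq 0 ] ; then
        $SQUID -k shutdown &
        rm -f "/var/lock/subsys/$SQUID"
        # The default mirrors the fallback used when /etc/sysconfig/squid is
        # missing; with an empty value the "-ge" test below errored out every
        # round and the loop could never time out.
        limit=${SQUID_SHUTDOWN_TIMEOUT:-100}
        timeout=0
        while : ; do
            [ -f /var/run/squid.pid ] || break
            if [ "$timeout" -ge "$limit" ]; then
                echo
                return 1
            fi
            sleep 2 && echo -n "."
            timeout=$((timeout+2))
        done
        echo_success
        echo
    else
        echo_failure
        echo
    fi
    return "$RETVAL"
}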

#######################################
# Tell the running squid to re-read its configuration.
# Globals:   SQUID, SQUID_OPTS (read)
# Returns:   the status of "squid -k reconfigure"
#######################################
reload() {
    $SQUID $SQUID_OPTS -k reconfigure
}

#######################################
# Full stop followed by a start; start runs even when stop reports failure.
# Returns:   the status of start
#######################################
restart() {
    stop
    start
}

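#######################################
# Restart squid only when its lock file (created by start) exists; otherwise
# do nothing and succeed.
# Globals:   SQUID (read)
# Returns:   restart's status, or 0 when the lock file is absent
#######################################
condrestart() {
    # "[ ... ] && restart || :" hid a failed restart behind ":"; if/then lets
    # the failure reach the dispatcher's "exit $?".  The lock path uses
    # $SQUID like start/stop instead of a second hard-coded "squid".
    if [ -e "/var/lock/subsys/$SQUID" ]; then
        restart
    fi
}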

#######################################
# Report status: the library's status() line first, then squid's own
# "-k check" self-test.
# Globals:   SQUID (read)
# Returns:   the status of "squid -k check"
#######################################
rhstatus() {
    status $SQUID
    $SQUID -k check
}

#######################################
# Placeholder probe action: always succeeds.
# Returns:   0
#######################################
probe() {
    :
}

# Action dispatcher; the final "exit $?" passes the chosen action's status on.
case "$1" in
    start)       start ;;
    stop)        stop ;;
    reload)      reload ;;
    restart)     restart ;;
    condrestart) condrestart ;;
    status)      rhstatus ;;
    probe)       exit 0 ;;
    *)
        printf '%s\n' $"Usage: $0 {start|stop|status|reload|restart|condrestart}"
        exit 1
        ;;
esac

exit $?


