On 01/05/2012 10:42 AM, Alain Williams wrote:
> I am building a new machine and am trying very hard to not do as I
> have done before and switch selinux off. I am having problems
> getting things to work.
>
> I want one user to, on login, run a script setuid root -- it needs
> to be able to read all files in one part of the file system to back
> that part up to an externally mounted USB drive.
>
> I have a small setuid root program (written in C) that just runs
> the shell script.
>
> 1) Making that setuid program the user's login shell does not work. I
> could not see what to do.
>
> so I tried an intermediate step.

Why not use sudo? All of the code should work if he executed sudo.

> 2) Giving the user a standard bash login shell, then running the
> setuid root program at the command line does not do what I want. I
> put 'id' at the start of the script and got:
>
> uid=501(backup) gid=502(backup) groups=502(backup)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> I was expecting to see a 'uid=0'. The script then fails since it
> cannot do things that I want it to.

I do not think this would work with SELinux disabled either. A setuid app has all capabilities; it will not automatically change to UID=0.

> I am running CentOS 6.
>
> I have done a lot of reading, but end up going round in circles and
> much of what I read seems to be out of date or refer to commands
> that I do not have.
>
> I understand that I ought to perhaps produce a specific security
> profile for the 'backup' user - but can't see how to start.
>
> Any pointers would be gratefully received.
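The sudo route suggested in the reply, as an added example that is not part of the thread: a sudoers rule that lets the backup user run exactly one command as root, and the root check that command should make before touching anything. The paths /usr/local/sbin/backup.sh, /srv/data and /mnt/usb/backup are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Paths are assumptions.

# Contents for /etc/sudoers.d/backup (install mode 0440, owned by root, and
# syntax-check with 'visudo -cf <file>' first; a broken sudoers file locks
# everyone out of sudo). The rule names one absolute path, so sudo rejects any
# other command, and the script itself must stay root-owned and non-writable
# by the backup user.
sudoers_rule() {
    printf '%s\n' 'backup ALL=(root) NOPASSWD: /usr/local/sbin/backup.sh'
}

# Returns 0 only when the numeric uid given is root. The script feeds it
# "$(id -u)", which reports the effective uid: 0 under sudo, 501 when the
# backup user runs the script directly (the case seen in the thread).
is_root_uid() {
    [ "$1" -eq 0 ]
}

# Body for /usr/local/sbin/backup.sh: refuse to proceed without root, then
# mirror the protected tree onto the USB mount.
backup_script() {
    cat <<'EOF'
#!/bin/sh
set -eu
if [ "$(id -u)" -ne 0 ]; then
    echo "backup.sh: run as 'sudo /usr/local/sbin/backup.sh'" >&2
    exit 1
fi
SRC=/srv/data           # assumed: the part of the filesystem to back up
DEST=/mnt/usb/backup    # assumed: the externally mounted USB drive
[ -d "$DEST" ] || { echo "backup.sh: $DEST not mounted" >&2; exit 1; }
rsync -a --delete "$SRC/" "$DEST/"
EOF
}

# Stand-alone run: show the rule and script, and report what the current
# uid would mean for the script's root check.
sudoers_rule
backup_script
if is_root_uid "$(id -u)"; then
    echo "current uid is root: the script's check would pass"
else
    echo "current uid is $(id -u): the script's check would refuse to run"
fi
```

Every run through sudo is logged (to auth.log or the journal, depending on the box), which the setuid-wrapper approach gives you nothing of.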
-- 
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux