PFSYSEUID and RHEL 5
Ron Kracht
rmkracht at gmail.com
Mon Jun 8 13:34:53 PDT 2009
On Monday 08 June 2009 03:32:09 pm Dave wrote:
> On Mon, Jun 8, 2009 at 2:36 PM, Fairlight <fairlite at fairlite.com> wrote:
> > Basically, the variable only makes a difference on systems where running
> > a command through SYSTEM results in the command being run by the user
> > filepro by default. You can turn this behaviour -off-.
> >
> > You can -not- turn it -on- when the system is incapable of handling it by
> > nature.
> >
> > In the case of linux distributions, bash serves as /bin/sh. It entirely
> > replaces stock Bourne shell. Bash (since some vintage I can't
> > remember...maybe about 1.2?) -drops- all SUID privileges at start, unless
> > you specify a flag to prevent it.
> >
> > One problem: in this case bash is sitting between filePro and your target
> > program. filePro's SYSTEM() calls C's system(2), which invokes a copy of
> > /bin/sh. There is no way to get that appropriate flag to bash without
> > hacking and recompiling glibc--and that would be bad, as it'd be a global
> > change. The variable in question can't alter the behaviour of system(2);
> > it can only force a dropping of privileges before the system() on systems
> > where the privileges would carry on naturally (SCO). Essentially, one of
> > the acceptable values is a complete no-op by its very nature.
Almost correct. filePro's system command calls /bin/sh unless an alternate
shell has been specified through the use of the environment variable PFSHELL.
....
>
> Just wondering... It's been suggested to me that ksh may be the way to
> go. In my tests replacing /bin/sh with a symlink to /bin/ksh gives
> our developers the behavior they expect (files created with SYSTEM
> show an owner of filepro). I'm a bit scared that re-symlinking
> /bin/sh is going to cause some unforeseen breakages somewhere else.
> Is anyone else running ksh as /bin/sh, and what should we look out
> for?
The suggestion was to use ksh to run the necessary command. Replacing bash
with ksh system wide is overkill and can certainly cause some scripts to
break. Use PFSHELL to set the shell used by the system command to /bin/ksh
before running the commands that require the shell to honor setuid.
Ron
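The mechanism the thread describes, written out as an added example (this is not filePro's code, and the function names pfshell_path and pfshell_system are hypothetical; only the PFSHELL variable name comes from the thread). C's system(3) always runs "/bin/sh -c cmd", so a PFSHELL-style override has to be done with fork/exec of the chosen interpreter. No flag such as bash's -p can be inserted into that exec, which is why the shell binary alone decides whether a setuid effective uid survives: bash resets the effective uid to the real uid at startup unless given -p, ksh does not.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Interpreter that will run the command: $PFSHELL if set and non-empty,
 * otherwise /bin/sh, which is what system(3) hardwires. */
const char *pfshell_path(void)
{
    const char *s = getenv("PFSHELL");
    return (s && *s) ? s : "/bin/sh";
}

/* Run cmd through the selected shell using the same "-c" convention as
 * system(3).  Returns the command's exit status (0..255), 127 if the shell
 * could not be executed, or -1 on fork/wait failure or abnormal termination. */
int pfshell_system(const char *cmd)
{
    const char *shell = pfshell_path();
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child.  Only argv[0], "-c" and the command string are passed, so
         * privilege handling is left entirely to the shell binary itself. */
        execl(shell, shell, "-c", cmd, (char *)NULL);
        _exit(127);                       /* exec failed, as sh would report */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* True when the effective uid differs from the real uid, i.e. the process
 * is running under a setuid binary, the situation the thread is about. */
int running_setuid(void)
{
    return geteuid() != getuid();
}

int main(void)
{
    printf("real uid %u, effective uid %u (%ssetuid)\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           running_setuid() ? "" : "not ");
    printf("SYSTEM()-style commands would run under: %s\n", pfshell_path());
    /* Under a setuid binary, bash as /bin/sh prints the real uid here while
     * ksh (e.g. PFSHELL=/bin/ksh) prints the effective one. */
    return pfshell_system("id -u; id -un");
}
```

To check a box before relying on PFSHELL, run the program once as an unprivileged user and once from a copy made setuid to a test account, with PFSHELL unset and then set to /bin/ksh; the uid printed by the shell-run `id -u` is the one that files created by SYSTEM() will end up owned by.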