On 2004-09-21 11:28:17 +0200, Stefan Franck wrote:
> I have a post-commit script which checks out any www-resources committed
> into the repository on the web server. The script works fine as long as
> daemon (the executor) has writing permissions on the web server. Since
> this is quite unsafe, I wanted to use SGID. Thus the script always runs
> with my group, having perms to write on the webserver but the daemon
> itself does not.
> The problem is that by adding the SGID flag to the script, it won't be
> executed anymore. Any ideas why that happens, and how the problem could
> be solved?
Please don't take the following as gospel. Someone with more in-depth
knowledge of Linux permissions can probably do better. This is just what I've
discovered by poking around.
SGID doesn't work on scripts (for security reasons, I guess). You would
have to make a small SUID root executable that sets the right GID and
calls the script.
Here's an example:
#!/bin/sh
# /tmp/test.sh: appends a timestamp to a file that only group danello may write
echo -n "Group: "
date >> /home/danello/test.txt
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(void)
{
    /* 501 is group danello */
    if (setgid(501) == -1) {
        printf("setgid failed with error %i\n", errno);
        return 1;   /* don't run the hook without the intended group */
    }
    /* The file we have to execute as group danello */
    return system("/tmp/test.sh");
}
# gcc -o test test.c
# chown root:root test; chmod 4755 test
# ls -ld /home/danello /home/danello/test.txt /tmp/test /tmp/test.sh
drwxr-x--x 140 danello danello 8192 Sep 21 13:40 /home/danello/
-rw-rw-r-- 1 danello danello 174 Sep 21 13:39 /home/danello/test.txt
-rwsr-xr-x 1 root root 11543 Sep 21 13:32 /tmp/test
-rwxr-xr-x 1 danello danello 67 Sep 21 11:52 /tmp/test.sh
# su - nobody
$ tail -n 1 /home/danello/test.txt
Tue Sep 21 13:39:25 EDT 2004
Tue Sep 21 13:39:45 EDT 2004
I am the sound a balloon makes falling into the sky;
the sweat of a lump of ice in a summer river.
Received on Tue Sep 21 19:55:59 2004
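As an added example, not code from the message above: the same wrapper written the way one would want it before installing it setuid root. The posted version keeps root as its effective uid after setgid() and hands the caller's environment to system(); this one also drops supplementary groups, gives up the root euid, verifies that the drop took effect, and execs the hook on a fixed path with a fixed environment. The group id 501 and the path /tmp/test.sh are taken from the post; the function names are assumed for illustration.

```c
#define _GNU_SOURCE              /* setgroups() prototype in <grp.h> on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#define HOOK_GID  501            /* group danello, as in the original post */
#define HOOK_PATH "/tmp/test.sh" /* fixed absolute path, never taken from argv */

/* Switch to gid, drop supplementary groups, then give up the root euid from the
 * SUID bit. Returns 0 on success, -1 if a step failed or did not take effect. */
int drop_privileges(gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) == -1) /* root only; skip otherwise */
        return -1;
    if (setgid(gid) == -1 || setuid(getuid()) == -1)
        return -1;
    /* Re-check: a silently failed drop would run the hook as root */
    if (getegid() != gid || geteuid() != getuid())
        return -1;
    return 0;
}

/* Run the hook with a minimal fixed environment (system() would hand the caller's
 * PATH, IFS, ... to a shell). Returns its exit status, -1 if not started/signalled. */
int run_hook(const char *path)
{
    char *const argv[] = { (char *)path, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        execve(path, argv, envp);
        _exit(127);              /* exec failed: conventional "cannot run" status */
    }
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    if (drop_privileges(HOOK_GID) == -1) {
        perror("drop_privileges");
        return 1;
    }
    return run_hook(HOOK_PATH);
}
```

Because the gid is fixed and the program never needs root for anything but setgroups(), a binary owned by root:danello with mode 2755 (setgid, not setuid) reaches the same effective group without ever holding root; setgid(501) is permitted for an unprivileged process whose saved gid is already 501. The hook script itself must not be writable by the daemon user, or the wrapper simply lends the group to whatever the daemon writes into it.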