[Mono-list] setuid behavior?

IBBoard ibboard at gmail.com
Sun Sep 15 18:45:02 UTC 2013


Just to explain this:

Normally, you setuid an executable file and then run it. In the normal
case (native Linux binaries or shell scripts) then that is fine as the
thing runs directly.

In the case of Mono then you can't "execute" a .exe directly* and so you
need to run "mono my.exe". When you do that then Mono runs and loads the
.exe as the code, which means that as far as the OS is concerned then
/usr/bin/mono is the thing that runs and not my.exe. That also means
that mono would need to be setuid (or invoked as the right user) rather
than your exe.



Note: it is probably a *terrible* *idea* *™* to keep /usr/bin/mono as
setuid. It should be used sparingly at the best of times, and since Mono
runs arbitrary code for a vast range of apps (rather than being a single
fixed-purpose binary, like cat, vim or visudo or something) then you're
opening yourself up to huge issues and security risks by running it
setuid the whole time. It is much better to wrap it in a no-args shell
script and setuid that.



* Some distros will set it up so that it looks like you're executing it
directly, but it uses a wrapper method that just does the "mono my.exe"
for you -
http://askubuntu.com/questions/20246/running-a-mono-program-without-typing-in-mono-foo-exe



On 13/09/13 06:51, Ian Norton wrote:
> For setuid on the program to work you'd have to setuid mono itself.
> Depending on your deployment scenario you could mkbundle your program
> and setuid the result.
> 
> 
> On 11 September 2013 23:32, mickeyf <mickey at thesweetoasis.com> wrote:
> 
>     I have an application that uses a udp socket. If I run it "sudo mono
>     myapp.exe" it works fine. If I leave off the sudo it fails when
>     attempting
>     to bind the socket - this is not a surprise.
> 
>     However, when I change the owner to root and setuid on myapp.exe, it still
>     fails.
> 
>     Is this what I should expect, and what is the preferred way to run this
>     without actually being root?
> 
>     thanks
> 
> 
> 
>     --
>     View this message in context:
>     http://mono.1490590.n4.nabble.com/setuid-behavior-tp4660850.html
>     Sent from the Mono - General mailing list archive at Nabble.com.
>     _______________________________________________
>     Mono-list maillist  -  Mono-list at lists.ximian.com
>     http://lists.ximian.com/mailman/listinfo/mono-list
> 
> 
> 
> 
> 
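An added example (not code from this thread or from the Mono project) of the fixed-purpose wrapper IBBoard recommends instead of a setuid /usr/bin/mono. It is a compiled binary rather than a shell script because the Linux kernel ignores the setuid bit on interpreted scripts; the paths for the runtime and the .exe are assumed placeholders.

```c
/* Fixed-purpose setuid wrapper for one Mono app (added example, not from the
 * thread).  Build, then chown root:root and chmod 4755 the wrapper only;
 * /usr/bin/mono itself stays non-setuid.  Both paths are assumed placeholders. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MONO_BIN "/usr/bin/mono"         /* assumed runtime location */
#define APP_EXE  "/opt/myapp/myapp.exe"  /* placeholder for the real .exe */

/* Exactly what gets executed.  The caller's argv is never consulted, so the
 * invoking user cannot pick a different assembly or pass runtime flags. */
static char *const wrapper_argv[] = { MONO_BIN, APP_EXE, NULL };

/* Allowlisted environment.  Everything inherited from the caller is dropped
 * so MONO_PATH, MONO_ENV_OPTIONS, LD_PRELOAD and similar cannot steer the
 * privileged runtime towards user-controlled code. */
static char *const wrapper_envp[] = { "PATH=/usr/bin:/bin", NULL };

/* 1 if a NAME=value entry is acceptable for the privileged child, 0 if it
 * could change where the dynamic loader or Mono looks for code. */
int env_entry_is_safe(const char *entry)
{
    return strncmp(entry, "LD_", 3) != 0 && strncmp(entry, "MONO_", 5) != 0;
}

/* 1 if every entry of a NULL-terminated environment passes the check. */
int env_is_safe(char *const *envp)
{
    for (; *envp != NULL; envp++)
        if (!env_entry_is_safe(*envp))
            return 0;
    return 1;
}

int main(void)
{
    if (!env_is_safe(wrapper_envp))   /* defence in depth; list is constant */
        return 1;
    /* Setuid start: real uid = caller, effective uid = owner.  Make them equal
     * so mono sees one identity; the app should still drop privileges after
     * binding the socket. */
    if (setuid(geteuid()) != 0) {
        perror("setuid");
        return 1;
    }
    execve(MONO_BIN, wrapper_argv, wrapper_envp);
    perror("execve");                  /* only reached if the exec failed */
    return 1;
}
```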

