Home/ Questions/Q 9014417
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-16T03:30:08+00:00

I have a post-receive hook that call a bash script of mine (which will

  • 0

I have a post-receive hook that call a bash script of mine (which will pull the local repo and restart the Java server).

Here’s the owner info of the post-receive hook :

-rwsr-x--x 1 cyril devs   676 19 dec.  14:45 post-receive

As you can see, I set the setuid bit on this script in order to be run as cyril/devs also for other users.

The content of this script is rather simple :

echo "Running post-receive hook"
echo "Server will be up and running in about 1 minute"
/home/project/start_dev restart &

My script start_dev has those rights :

-rwsr-x---  1 cyril devs 1515 19 dec.  14:41 start_dev

Note: also the setuid.

If I push something to the server with the account cyril, it works perfectly.

If someone else, with an other account, push to the server, they got :

remote: /home/project/start_dev: line 52: kill: (11490) - Operation not allowed

(The kill is used to stop the instance.)

Why they have this errors, the script should be run as cyril, not the user, thus they should have the right to kill this instance, right?

What am I doing wrong?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Apparently most Linux distributions disable setuid for shell scripts because of the massive security holes it can cause. More info here and from the setuid Wikipedia page.

    While the setuid feature is very useful in many cases, its improper use can pose a security
    risk if the setuid attribute is assigned to executable programs that are not carefully
    designed. Due to potential security issues, many operating systems ignore the setuid
    attribute when applied to executable shell scripts.

    One possible solution from the Tuxation page is to do the following:

    #include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main()
{
   setuid( 0 );
   system( "/path/to/script.sh" );

   return 0;
}

    Then setuid the resulting C program and use that as your hook. There’s also this commentary after that on the Tuxation page though:

    With all that said, running shell scripts with setuid isn’t very safe, and the distro
    designers had a pretty good idea of what they were doing when many of them disabled it.

    • 0