SMS Server Tools 3
This site is hosted by Kekekasvi.com
 Menu
Basic information:
Additional information:
Support:
Get SMS Server Tools 3:
Additional Options

 Sponsored links

 Search
Custom Search

 Visitor locations
 
 SMS Server Tools 3 Community
Welcome, Guest. Please login or register. Fri Sep 22, 2017 11:35
SMSTools3 Community » Feature requests Bottom

[PATCH] Use sendsms script without root privileges

Login and Post Reply

Page:  1

Author Post
Member
Registered:
May 2013
Location: Helsinki, Finland
Hello.

Please find below a patch for the sendsms script, making it work without superuser privileges.

Currently, the sendsms script must execute with root privileges because it invokes chown(1). It can be made available for other users either by setting the SUID bit or via sudo(8). The former method is a well-known security risk, and the latter is inconvenient because it complicates the non-interactive use of the sendsms script, e.g. from other scripts.

The patch improves the situation by allowing the members of the smsd group to run the script without escalated privileges. The actual names of the user and group of the smsd process may vary and are therefore determined from the inode of the outgoing message directory.

The old authorization mechanism based on MD5-hashed keys is a bit pointless in my opinion, so the patch proposes its removal. With sudo, authorization is better handled via the sudoers(5) file, and with SUID bit set, you can basically consider your Linux and most UNIX systems already compromised.

There is one problem in the patch, though. When run as non-root user, the contents of the submitted message are visible to other members of the group as well, at least for a short period of time before it is sent. But as long as message submission in based on a shared directory, I cannot really see a way around this. One secure solution would be to implement submission via a socket. If someone thinks that this kind of visibility is a bigger security problem than requiring escalated privileges for the script, he can keep running the script as root, in which case the updated script will still invoke chown instead of chgrp(1) and chmod(1).

BR,
Kaarle



Member
Registered:
Nov 2013
Location: France
Hi.

Thank you for the patch but I have a problem.

When I send the sms the file go and stay to the directory outgoing.



I put my user in the group smsd


Can you help me please ?

Login and Post Reply

Page:  1

SMSTools3 Community » Feature requests Top

 
Time in this board is UTC.  

Privacy Policy   SMS Server Tools 3 Copyright © Keijo Kasvi.