cm setsetuid(8dfs)

Enables or disables setuid programs from specified filesets

Synopsis

cm setsetuid [-path {filename | directory_name}...] [-state {on | off}] [-help]

Options

-path {filename | directory_name}
Names a file or directory from each fileset whose setuid status is to be changed. If this option is omitted, the status is changed for the fileset containing the current working directory.

-state
Allows or disallows setuid programs from the filesets indicated with -path to execute with setuid permission. Specify on to allow setuid programs from the indicated filesets to execute with setuid permission; specify off to disallow it. If this option is omitted, setuid programs from the filesets are allowed to execute with setuid permission (the command has no effect if setuid permission was already enabled).

-help
Prints the online help for this command. All other valid options specified with this option are ignored.

Description
The cm setsetuid command enables setuid programs from the indicated filesets to execute with setuid permission or prevents them from executing with setuid permission. Indicate each fileset whose setuid permission is to be enabled or disabled by specifying the name of a file or directory in the fileset with the -path option. The permissions are enabled or disabled on a per-fileset and per-Cache Manager basis. This command is commonly included in a startup file (/etc/rc or its equivalent) to enable setuid programs at machine startup.

If on is specified with the -state option, or if the -state option is omitted, the Cache Manager allows setuid programs from the indicated filesets to execute with setuid permission. If off is specified with the -state option, the Cache Manager does not allow setuid programs from the indicated filesets to execute with setuid permission. By default, the Cache Manager does not allow setuid programs from a fileset to execute with setuid permission.

A setuid program is indicated by setting a mode bit associated with an executable file. While a setuid program executes, the person executing the program is treated as if he or she is the owner of the program. The effective user identification number (UID) of the executing program is the UID of the person who owns the program, not the UID of the person who initiated the program's execution. Thus, the person executing the program is granted the same permissions as the person who owns the program for the duration of the program's execution.

Note that setuid programs are effective only in the local environment. A setuid program can change only the local identity under which a program runs; it cannot change the DCE identity with which a program executes because it provides no Kerberos tickets. DCE does not recognize the change to the local identity associated with a setuid program.

The cm setsetuid command enables or disables setgid programs from the indicated filesets at the same time that it changes the status of setuid programs. The cm getsetuid command displays whether the Cache Manager allows setuid and setgid programs from indicated filesets to execute.

Privilege Required
The issuer must be logged in as root on the local machine.

Examples
The following command enables setuid and setgid programs that reside on the fileset containing the directory /.../abc.com/fs/usr/jlw:

# cm setsetuid /.../abc.com/fs/usr/jlw
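
The following startup-file fragment is an added example, not part of the original reference page. It applies an explicit per-fileset policy with the -path and -state options described above. The policy variable, the function name, the CM override and the /.../abc.com/fs/usr/local/bin path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the DFS documentation. Paths are constructed.
# Policy: one "state path" pair per line. Filesets not listed keep the
# Cache Manager default (setuid and setgid disabled).
SETUID_POLICY='
on  /.../abc.com/fs/usr/local/bin
off /.../abc.com/fs/usr/jlw
'

# Command to invoke; set CM=echo for a dry run that only prints.
: "${CM:=cm}"

apply_setuid_policy() {
    rc=0
    while read -r state path; do
        case "$state" in
            ''|\#*) continue ;;            # blank line or comment
            on|off) ;;
            *)  echo "setuid policy: bad state '$state'" >&2
                rc=1; continue ;;
        esac
        case "$path" in
            /*) ;;
            *)  echo "setuid policy: path not absolute: '$path'" >&2
                rc=1; continue ;;
        esac
        # -state is always passed: omitting it means "on".
        "$CM" setsetuid -path "$path" -state "$state" || rc=1
    done <<EOF
$1
EOF
    return "$rc"
}

# Run as "script --apply" from the startup file (as root).
if [ "${1:-}" = "--apply" ]; then
    apply_setuid_policy "$SETUID_POLICY"
fi
```

Because each entry names its state explicitly, a policy line can never enable setuid and setgid execution for a fileset merely by leaving -state out.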

Related Information
Commands: cm getsetuid(8dfs)