1. SUID/SGID bits do not work on a bash/sh script; they only take effect on a binary executable file.
2. The SUID/SGID privilege is not inherited by the child process. So before forking another process from the SUID file, we need to call setuid/setgid first, so that the real UID/GID match the effective ones.
3. Wrap the script with the following binary file:
// test.c
#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
    /* Make the real UID/GID equal to the effective ones granted by the
       SUID/SGID bits, so the shell started below keeps them.
       Stop if either call fails instead of running the script anyway. */
    if (setuid(geteuid()) != 0) {
        perror("setuid error");
        return 1;
    }
    if (setgid(getegid()) != 0) {
        perror("setgid error");
        return 1;
    }
    /* ./firewall.sh is resolved relative to the caller's current directory */
    system("/bin/sh ./firewall.sh");
    /* execl("/bin/sh", "sh", "./firewall.sh", (char *)NULL); */
    return 0;
}
For example, if the compiled binary is named test, then:
sudo chown root test
sudo chgrp root test
sudo chmod u+s test
Then, when test is executed, firewall.sh runs correctly (as root, the owner of test).
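The wrapper above has two weak spots a reviewer would flag: it runs the script by a relative path (whatever ./firewall.sh happens to be in the caller's current directory) and it hands the caller's environment (PATH, IFS, LD_*) to a root shell through system(). The following hardened variant is an added example, not the note's test.c: it fails closed if setuid/setgid fail, refuses to run the script unless it is a root-owned regular file that group and others cannot write, and execs /bin/sh with an absolute script path and a fixed minimal environment. SCRIPT_PATH is a placeholder location assumed here; the note does not name one.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Placeholder: absolute location of the script. Not taken from the note. */
#define SCRIPT_PATH "/usr/local/sbin/firewall.sh"

/* Make the real IDs match the effective IDs granted by the SUID/SGID bits,
   so a shell started afterwards does not fall back to the caller's identity.
   Returns 0 on success, -1 on any failure. */
int raise_privs(void)
{
    if (setgid(getegid()) != 0)
        return -1;
    if (setuid(geteuid()) != 0)
        return -1;
    /* Verify the result rather than trusting the return codes alone. */
    if (getuid() != geteuid() || getgid() != getegid())
        return -1;
    return 0;
}

/* Return 1 only if path is a regular file (not a symlink), owned by
   expected_owner, and writable by neither group nor others; else 0.
   Anything that fails this test could be edited by someone other than
   the owner and would then run with the wrapper's privileges. */
int script_is_trusted(const char *path, uid_t expected_owner)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;                       /* missing or inaccessible */
    if (!S_ISREG(st.st_mode))
        return 0;                       /* symlink, directory, device, ... */
    if (st.st_uid != expected_owner)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* A fixed environment for the privileged shell: the caller's PATH, IFS,
   LD_PRELOAD and friends are deliberately not passed through. */
char **minimal_env(void)
{
    static char *env[] = {
        "PATH=/usr/sbin:/usr/bin:/sbin:/bin",
        "IFS= \t\n",
        NULL
    };
    return env;
}

int main(void)
{
    if (raise_privs() != 0) {
        perror("cannot set uid/gid, refusing to continue");
        return 1;
    }
    if (!script_is_trusted(SCRIPT_PATH, 0)) {
        fprintf(stderr, "%s: not a root-owned, non-writable regular file; refusing\n",
                SCRIPT_PATH);
        return 1;
    }
    /* execve instead of system(): absolute interpreter path, fixed argv,
       fixed environment. argv[0] is the conventional interpreter name. */
    char *argv[] = { "sh", SCRIPT_PATH, NULL };
    execve("/bin/sh", argv, minimal_env());
    perror("execve");                   /* only reached if execve fails */
    return 1;
}
```

The ownership and permission check is done with lstat on the script path so a symlink planted at that path is rejected outright; the check and the exec are still two separate steps, so the script's directory should itself be root-owned and not world-writable for the check to mean much.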
References:
http://www.softpanorama.org/Access_control/Permissions/controlling_suid_files.shtml
Practical UNIX and Internet Security, Second Edition - O'Reilly Media
http://en.wikipedia.org/wiki/Setuid