Michael C. Toren on Sat, 2 Jun 2001 16:43:04 -0400



Re: [PLUG] permissions and setuid


> > I'm about to run out the door, otherwise I'd send some sample code.
> > Maybe later.
> 
> Would be appreciated.  I'd like to see it.

Here's a quick example, which hardcodes the UIDs of users permitted to
execute a perl script into the suid C wrapper.  One disadvantage to this
approach is that you'll need to recompile each time you add or remove a
user, but this doesn't happen very often in our particular application.

The C wrapper would normally be installed owned by root, and with a mode of
4111 (suid root, executable by everyone, but no read permission for anyone).
Of course, you'll want to change the UIDs in the switch statement, and the
path to the perl script being executed, before you attempt to compile.

Another way to go may be to use sudo (http://www.courtesan.com/sudo/), but I
don't have any direct experience with this myself, and the C wrapper pasted
below probably predates sudo's initial release.

HTH,

-mct

#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <syslog.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>

int main (void)
{
    struct passwd *pw;
    uid_t uid = getuid();   /* real uid of the caller, not the effective (root) uid */

    /* third argument to openlog() is a facility, not a priority */
    openlog("accounts", LOG_PID|LOG_NDELAY, LOG_AUTH);
    pw = getpwuid(uid);

    if (!pw)
    {
        syslog(LOG_ERR, "Hmmm... Unknown user with uid %d ran account program", (int) uid);
        printf("And who are you?\n");
        closelog();
        exit(EXIT_FAILURE);
    }

    /* hardcoded allowlist of real UIDs; anyone else is refused */
    switch  (uid)
    {
        case 0:     /* root */
        case 4670:  /* Michael Toren */
        /* .. */
        break;

        default:
        {
            syslog(LOG_WARNING, "Unauthorized usage of accounts program attempted by uid %d (%s)", (int) uid, pw->pw_name);
            printf("Access denied, dork\n");
            closelog();
            exit(EXIT_FAILURE);
        }
    }

    syslog(LOG_NOTICE, "User with id %d (%s) started accounts program", (int) uid, pw->pw_name);
    closelog();

    /* become root for real (real, effective and saved ids), and refuse to
     * continue if either call fails rather than running the script half-privileged */
    if (setgid(0) != 0 || setuid(0) != 0)
    {
        perror("can't become root");
        exit(EXIT_FAILURE);
    }

    /* execl()'s argument list must end with a NULL pointer, not a plain 0 */
    execl("/usr/local/bin/perl", "perl", "/something/something.pl", (char *) NULL);
    perror("can't execl");
    exit(EXIT_FAILURE);
}
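The wrapper above does the job, but a reviewer today would ask for three things it lacks: an allowlist that can be changed without a recompile (the disadvantage Michael mentions), a scrubbed environment before the exec so that PATH, IFS or LD_* from the caller cannot influence perl or anything it runs, and a check on the result of every privilege-changing call. The program below is an added example in that spirit; it is not code from the original post. The allowlist path /etc/accounts.allow, its one-UID-per-line format, and the perl and script paths are assumptions for illustration.

```c
/* Added example, not part of the original post.  A suid-root wrapper that
 * reads its allowlist of real UIDs from a root-owned file (assumed format:
 * one numeric UID per line, '#' starts a comment), replaces the caller's
 * environment, and checks every privilege change before exec'ing perl. */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <syslog.h>
#include <unistd.h>

#define ALLOWLIST_PATH "/etc/accounts.allow"      /* assumed location */
#define PERL_PATH      "/usr/local/bin/perl"      /* as in the original wrapper */
#define SCRIPT_PATH    "/something/something.pl"  /* placeholder from the original */

/* Parse allowlist text.  Returns 1 if uid is listed, 0 if not, and -1 if any
 * line is malformed: a broken file denies everyone (fail closed) rather than
 * silently skipping entries. */
int uid_in_list(const char *text, uid_t uid)
{
    const char *p = text;
    int found = 0, bad = 0;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[64];
        if (len >= sizeof line) { bad = 1; break; }
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + (eol ? 1 : 0);

        char *s = line;
        while (*s == ' ' || *s == '\t') s++;
        if (*s == '\0' || *s == '#') continue;          /* blank or comment */
        char *end;
        errno = 0;
        unsigned long v = strtoul(s, &end, 10);
        if (errno || end == s) { bad = 1; continue; }
        while (*end == ' ' || *end == '\t') end++;
        if (*end != '\0' && *end != '#') { bad = 1; continue; }  /* trailing junk */
        if ((uid_t)v == uid) found = 1;
    }
    return bad ? -1 : found;
}

/* Read the allowlist into a malloc'd buffer.  Refuses a file that is not
 * owned by root or is group/world writable: whoever can edit it can grant
 * themselves root through this wrapper.  Returns NULL on any failure. */
static char *read_allowlist(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) return NULL;
    struct stat st;
    if (fstat(fileno(f), &st) != 0 || st.st_uid != 0 || (st.st_mode & 022)) {
        fclose(f);
        return NULL;
    }
    char *buf = malloc((size_t)st.st_size + 1);
    if (!buf) { fclose(f); return NULL; }
    size_t n = fread(buf, 1, (size_t)st.st_size, f);
    fclose(f);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    uid_t uid = getuid();
    openlog("accounts", LOG_PID | LOG_NDELAY, LOG_AUTH);
    struct passwd *pw = getpwuid(uid);
    const char *name = pw ? pw->pw_name : "?";

    char *list = read_allowlist(ALLOWLIST_PATH);
    int ok = list ? uid_in_list(list, uid) : -1;
    free(list);
    if (ok != 1) {
        syslog(LOG_WARNING, "accounts: denied uid %d (%s), allowlist status %d",
               (int)uid, name, ok);
        fprintf(stderr, "Access denied\n");
        closelog();
        return EXIT_FAILURE;
    }
    syslog(LOG_NOTICE, "accounts: uid %d (%s) started accounts program", (int)uid, name);
    closelog();

    if (setgid(0) != 0 || setuid(0) != 0) {   /* real+effective+saved ids */
        perror("can't become root");
        return EXIT_FAILURE;
    }

    /* Fixed environment: nothing the caller set reaches perl or its children. */
    char *const envp[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };
    char *const argv[] = { "perl", SCRIPT_PATH, NULL };
    execve(PERL_PATH, argv, envp);
    perror("can't execve");
    return EXIT_FAILURE;
}
```

Install it the same way as the original (root-owned, mode 4111), and make /etc/accounts.allow root-owned and mode 0644; the ownership and permission check in read_allowlist is what turns a typo in the file into "nobody gets in" instead of "anybody gets in".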