gabriel rosenkoetter on Sun, 4 Nov 2001 22:00:13 +0100 |
On Sun, Nov 04, 2001 at 02:46:35PM -0500, Bill Jonas wrote:
> I'm not sure how to pass things in on stdin, but command-line options
> would be like above (ie, 'execl("/usr/local/bin/chronyc", "chronyc",
> "--password", "blablabla", "online", (char *)0);' if that would work).

You shouldn't have to do anything fancy to connect stdin from the shell straight through to the execl()ed process, provided the process on the far end of the execl() wants to listen to it.

To connect, say, a file to the execl()ed process's stdin, you'd want something like:

    int fdesc;

    fdesc = open("<pathname>", O_RDONLY);
    close(0);
    dup(fdesc);
    close(fdesc);

before the execl(). Pipes between processes' standard file descriptors are a simple extension. Ymmv. Read the relevant man pages (rrmp?).

> Now, I'm sure that gr will poke holes in this ;) (actually, I wouldn't
> mind some constructive criticism; I'm not yet a C programmer but aspire
> to be and haven't yet gotten around to it), but it seemed to work okay.
> I never did get around to the project that this was created for.

Well, if I must... ;^>

Depending on your environment, what you describe won't work. Well. It'll work, it just won't be safe. That is, if your system saves uids the same way that Sys V does (read, Solaris, notably), you've not done enough to ditch the old uid (you have to fork(); exec(); twice so that it's not possible to climb the tree back up). This *might* also be true on BSD-esque systems. I don't remember. It's generally considered the Right Way to write daemons and suid stuff that needs to drop uid. But my knowledge of this is *really* rusty, and I'm not sure how much of what applies to Linux.

(The guiding principle here is that you don't want the user to run your suid wrapper, send it a SIGTSTP or similar, then attach to it with ptrace or gdb, and find some clever-but-evil way to give themselves a shell. They need to not be the owner of the process immediately after it's gone to uid 0 and *before* it's done anything non-trivial.)

Granted, it would take an attacker who really knew what he was doing to exploit this, but it's usually best to assume that the attacker has infinite time and knowledge when writing anything in which security is a concern.

Looking at how Postfix's uid-dropping stuff works could be very informative and would show how to do something that's completely portable. (Wietse Venema is *really* good.)

-- 
~ g r @ eclipsed.net
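The two mechanics discussed in the thread (wiring a child's stdin/stdout to a file or pipe before the exec, and dropping the setuid-wrapper's privileges before it runs anything on the user's behalf) as one added example; this is editor-supplied code, not gr's, Bill's, chronyc's or Postfix's. It uses dup2() rather than the close(0)/dup() pair quoted above (same effect, no reliance on fd 0 being the lowest free descriptor), execve() with a fixed absolute path and a clean environment, and a permanent setgid/setuid drop that is verified by trying to regain uid 0. The program it runs (`/bin/sh -c 'read x; echo "got:$x"'`) and the input line are constructed for the demo.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop to the real uid/gid (what a setuid wrapper should do
 * before it touches anything supplied by the caller). Returns 0 on success,
 * -1 if any step failed or the drop turned out to be reversible. */
static int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    /* Supplementary groups are only clearable (and only matter) as root. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* If we were root, setuid() must have reset real, effective and saved
     * ids; prove the drop is permanent by failing to climb back. */
    if (uid != 0 && (seteuid(0) == 0 || setuid(0) == 0))
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return -1;
    return 0;
}

/* Run `path` (absolute) with the given argv, feeding `input` on its stdin
 * and collecting its stdout into `out` (NUL-terminated). Returns the child's
 * exit status, or -1 on a local error. Input is written in full before the
 * output is read, so this is meant for small exchanges, not bulk data. */
static int run_filtered(const char *path, char *const argv[],
                        const char *input, char *out, size_t outlen)
{
    int in[2], outp[2];
    if (pipe(in) != 0 || pipe(outp) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Clean environment: the caller's PATH, LD_*, etc. never reach the child. */
        static char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        if (drop_privileges() != 0)
            _exit(127);
        /* Equivalent of close(0); dup(fd) from the thread, for fds 0 and 1. */
        if (dup2(in[0], STDIN_FILENO) < 0 || dup2(outp[1], STDOUT_FILENO) < 0)
            _exit(127);
        close(in[0]); close(in[1]); close(outp[0]); close(outp[1]);
        execve(path, argv, envp);
        _exit(127);                     /* only reached if execve failed */
    }

    close(in[0]);
    close(outp[1]);
    const char *p = input;
    size_t left = strlen(input);
    while (left > 0) {
        ssize_t n = write(in[1], p, left);
        if (n < 0) { if (errno == EINTR) continue; break; }
        p += n; left -= (size_t)n;
    }
    close(in[1]);                       /* EOF for the child's stdin */

    size_t got = 0;
    while (got < outlen - 1) {
        ssize_t n = read(outp[0], out + got, outlen - 1 - got);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) break;
        got += (size_t)n;
    }
    out[got] = '\0';
    close(outp[0]);

    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed demo: a shell one-liner that reads one line and echoes it. */
    char *const argv[] = { "sh", "-c", "read x; echo \"got:$x\"", NULL };
    char buf[256];
    int rc = run_filtered("/bin/sh", argv, "hello\n", buf, sizeof buf);
    printf("exit=%d output=%s", rc, buf);
    return rc == 0 ? 0 : 1;
}
```

The drop happens in the child after fork() and before execve(), so the exec'd program never holds the wrapper's effective uid; a real wrapper would also close or sanitize every inherited descriptor above 2 and reset signal dispositions before the exec.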