[TriLUG] Help with setuid C wrapper script
Ron Kelley
rkelleyrtp at gmail.com
Sun Oct 10 09:52:17 EDT 2010
In this specific case, I need a specific (non-root) user to run the commands "tail -100 /var/log/messages" and "tail -50 /var/log/secure" without requiring a password prompt. Since the messages and secure files are not viewable by non-root users, sudo will not help here. I tried various incantations of sudo to make this work and had to resort to a wrapper script instead. In addition, I want a wrapper that I can use to expand the command set without mucking with sudo.
-Ron
On Oct 10, 2010, at 9:30 AM, Clay Stuckey wrote:
> Why use C when sudo is designed for just that?
>
> --
> Clay Stuckey
> (843) 469-5467
> cstuckey at govsg.com
> claystuckey at gmail.com
>
> On Oct 10, 2010, at 9:04 AM, "Ron Kelley" <rkelleyrtp at gmail.com> wrote:
>
>> Greetings all,
>>
>> I need to allow a non-root user to run a couple of system commands and would like to use a setuid C wrapper binary. I have searched over the 'net and have found the following sample code. Unfortunately, I get segmentation faults if no command arguments are passed in. Since I am not a C programmer, I was hoping someone could help me fine-tune the utility.
>>
>> For some reason, this code requires the "-v" CLI argument. I would prefer to just pass in the necessary arguments without the "-v". In addition, if no arguments (or, unknown/invalid args) are passed in, I want the utility to exit immediately. I want the ability to add additional commands in the future, so I need it to be flexible enough to parse the args instead of writing a single wrapper per external command.
>>
>> Example:
>>
>> #> wrapper my_command
>> <runs the "my_command" command>
>>
>> #> wrapper another_command
>> <runs the "another_command" command>
>>
>> #> wrapper
>> <exits immediately>
>>
>> #> wrapper -h
>> <exits immediately - no error output>
>>
>>
>> ---------------------------------------------------------------------------------------------------------------------------------------
>> #include <stdio.h>
>> #include <sys/types.h>
>> #include <unistd.h>
>> #include <signal.h>
>> #include <string.h>   /* strncmp() */
>> #include <strings.h>
>> #include <stdlib.h>
>>
>> /********************************************
>> * Inspired by:
>> * http://linuxshellaccount.blogspot.com/2007/12/securing-suid-programs-using-simple-c.html *
>> ********************************************/
>>
>> /* Define global variables */
>>
>> int gid;
>>
>> /* main(int argc, char **argv) - main process loop */
>>
>> int main(int argc, char **argv)
>> {
>>
>>     /* Set uid, gid, euid and egid to root */
>>
>>     setegid(0);
>>     seteuid(0);
>>     setgid(0);
>>     setuid(0);
>>
>>     if ( strncmp(argv[1], "my_command", 11) == 0 ) {
>>         if (execl("/usr/local/bin/my_command", "my_command", "-v", NULL) < 0) {
>>             perror("Execl:");
>>         }
>>     } else if ( strncmp(argv[1], "another_command", 16) == 0 ) {
>>         if (execl("/usr/local/bin/another_command", "another_command", "-v", NULL) < 0) {
>>             perror("Execl:");
>>         }
>>     } else {
>>         exit (1);
>>     }
>>     exit (0);
>> }
>> ---------------------------------------------------------------------------------------------------------------------------------------
>>
>> Thanks for any help,
>>
>> -Ron
>> --
>> This message was sent to: Clay Stuckey <cstuckey at govsg.com>
>> To unsubscribe, send a blank message to trilug-leave at trilug.org from that address.
>> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
>> Unsubscribe or edit options on the web : http://www.trilug.org/mailman/options/trilug/cstuckey%40govsg.com
>> TriLUG FAQ : http://www.trilug.org/wiki/Frequently_Asked_Questions
Thanks,
-Ron
rkelleyrtp at gmail.com
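
An added example, not code from the thread or its participants: one way to write the wrapper so that a missing, `-h` or unknown argument exits quietly and only allow-listed entries run, each with a fixed path, fixed arguments and a fixed environment. The short names `messages` and `secure` and the `/usr/bin/tail` path are assumptions; `-n 100` is the standard spelling of `tail -100`.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* One allow-list entry: the name the user types and the fixed argv to run. */
struct cmd {
    const char *name;
    char *const argv[5];   /* argv[0] is an absolute path; NULL-terminated */
};

/* Assumed names and tail path; the two log files are the ones in the thread. */
static const struct cmd allowed[] = {
    { "messages", { "/usr/bin/tail", "-n", "100", "/var/log/messages", NULL } },
    { "secure",   { "/usr/bin/tail", "-n", "50",  "/var/log/secure",   NULL } },
};

/* Return the entry whose name matches exactly, or NULL (also for a NULL name). */
static const struct cmd *lookup(const char *name)
{
    size_t i;
    if (name == NULL)
        return NULL;
    for (i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(name, allowed[i].name) == 0)
            return &allowed[i];
    return NULL;
}

int main(int argc, char **argv)
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    const struct cmd *c;

    /* Exactly one argument, and it must be on the allow-list: the no-argument,
       "-h" and unknown-command cases all exit here without output. */
    if (argc != 2 || (c = lookup(argv[1])) == NULL)
        return 1;

    /* Same ids as the original wrapper, but stop if either call fails. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setgid/setuid");
        return 1;
    }

    /* Only the choice of entry comes from the caller; execve returns on failure. */
    execve(c->argv[0], c->argv, clean_env);
    perror("execve");
    return 1;
}
```

Adding a command means adding one row to `allowed`; nothing the caller types is ever passed to the program that runs as root.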