[TriLUG] Help with setuid C wrapper script

Ron Kelley rkelleyrtp at gmail.com
Sun Oct 10 10:50:48 EDT 2010


Appreciate the info, but this is not what I want.  I don't want the user added to the wheel group.  I just want a single user to be able to tail the /var/log/messages (and other log) files.


-Ron



On Oct 10, 2010, at 10:43 AM, Clay Stuckey wrote:

> %wheel ALL=(ALL) NOPASSWD: ALL
> 
> Add the user to the wheel group. This gives all root commands. You may consider restricting their access to the specific commands. 
> 
> --
> Clay Stuckey
> (843) 469-5467
> cstuckey at govsg.com
> claystuckey at gmail.com
> 
> On Oct 10, 2010, at 10:35 AM, "Ron Kelley" <rkelleyrtp at gmail.com> wrote:
> 
>> What is the syntax in your /etc/sudoers file?
>> 
>> 
>> 
>> On Oct 10, 2010, at 10:30 AM, Clay Stuckey wrote:
>> 
>>> Sudo is fine for that. It gives you root privileges. Ownership will not be an issue. I'm not sure what you did but it works great for me without a password. 
>>> 
>>> --
>>> Clay Stuckey
>>> (843) 469-5467
>>> cstuckey at govsg.com
>>> claystuckey at gmail.com
>>> 
>>> On Oct 10, 2010, at 9:53 AM, "Ron Kelley" <rkelleyrtp at gmail.com> wrote:
>>> 
>>>> In this specific case, I need a specific (non-root) user to run the commands "tail -100 /var/log/messages" and "tail -50 /var/log/secure" without requiring a password prompt.  Since the messages and secure files are not viewable by non-root users, sudo will not help here.  I tried various incantations of sudo to make this work and had to resort to a wrapper script instead.  In addition, I want a wrapper that I can use to expand the command set without mucking with sudo.
>>>> 
>>>> 
>>>> -Ron
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> On Oct 10, 2010, at 9:30 AM, Clay Stuckey wrote:
>>>> 
>>>>> Why use C when sudo is designed for just that? 
>>>>> 
>>>>> --
>>>>> Clay Stuckey
>>>>> (843) 469-5467
>>>>> cstuckey at govsg.com
>>>>> claystuckey at gmail.com
>>>>> 
>>>>> On Oct 10, 2010, at 9:04 AM, "Ron Kelley" <rkelleyrtp at gmail.com> wrote:
>>>>> 
>>>>>> Greetings all,
>>>>>> 
>>>>>> I need to allow a non-root user to run a couple of system commands and would like to use a setuid C wrapper binary.  I have searched over the 'net and have found the following sample code.  Unfortunately, I get segmentation faults if no command arguments are passed in.   Since I am not a C programmer, I was hoping someone could help me fine-tune the utility.  
>>>>>> 
>>>>>> For some reason, this code requires the "-v" CLI argument.  I would prefer to just pass in the necessary arguments without the "-v".  In addition, if no arguments (or, unknown/invalid args) are passed in, I want the utility to exit immediately.  I want the ability to add additional commands in the future, so I need it to be flexible enough to parse the args instead of writing a single wrapper per external command.
>>>>>> 
>>>>>> Example:
>>>>>> 
>>>>>> #> wrapper my_command
>>>>>> <runs the "my_command" command>
>>>>>> 
>>>>>> #> wrapper another_command
>>>>>> <runs the "another_command" command>
>>>>>> 
>>>>>> #> wrapper 
>>>>>> <exits immediately>
>>>>>> 
>>>>>> #> wrapper -h
>>>>>> <exits immediately - no error output>
>>>>>> 
>>>>>> 
>>>>>> ---------------------------------------------------------------------------------------------------------------------------------------
>>>>>> #include <stdio.h>
>>>>>> #include <sys/types.h>
>>>>>> #include <unistd.h>
>>>>>> #include <signal.h>
>>>>>> #include <string.h>   /* strncmp() is declared here, not in <strings.h> */
>>>>>> #include <strings.h>
>>>>>> #include <stdlib.h>
>>>>>> 
>>>>>> /********************************************
>>>>>> * Inspired by: 
>>>>>> * http://linuxshellaccount.blogspot.com/2007/12/securing-suid-programs-using-simple-c.html *
>>>>>> ********************************************/
>>>>>> 
>>>>>> /* Define global variables */
>>>>>> 
>>>>>> int gid;
>>>>>> 
>>>>>> /* main(int argc, char **argv) - main process loop */
>>>>>> 
>>>>>> int main(int argc, char **argv)
>>>>>> {
>>>>>> 
>>>>>>     /* Set uid, gid, euid and egid to root */
>>>>>> 
>>>>>>     setegid(0);
>>>>>>     seteuid(0);
>>>>>>     setgid(0);
>>>>>>     setuid(0);
>>>>>> 
>>>>>>     /* argv[1] is NULL when the wrapper is run with no argument; passing it
>>>>>>      * to strncmp() is the segmentation fault described above. */
>>>>>>     if ( strncmp(argv[1], "my_command", 11) == 0 ) {
>>>>>>         /* The "-v" is hard-coded here as the argument handed to the command */
>>>>>>         if (execl("/usr/local/bin/my_command", "my_command", "-v", NULL) < 0) {
>>>>>>             perror("Execl:");
>>>>>>         }
>>>>>>     /* Length 16 includes the terminating NUL, so only an exact match passes */
>>>>>>     } else if ( strncmp(argv[1], "another_command", 16) == 0 ) {
>>>>>>         if (execl("/usr/local/bin/another_command", "another_command", "-v", NULL) < 0) {
>>>>>>             perror("Execl:");
>>>>>>         }
>>>>>>     } else {
>>>>>>         exit (1);
>>>>>>     }
>>>>>>     exit (0);
>>>>>> }
>>>>>> ---------------------------------------------------------------------------------------------------------------------------------------
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Thanks for any help,
>>>>>> 
>>>>>> -Ron
>>>>>> -- 
>>>>>> This message was sent to: Clay Stuckey <cstuckey at govsg.com>
>>>>>> To unsubscribe, send a blank message to trilug-leave at trilug.org from that address.
>>>>>> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
>>>>>> Unsubscribe or edit options on the web    : http://www.trilug.org/mailman/options/trilug/cstuckey%40govsg.com
>>>>>> TriLUG FAQ          : http://www.trilug.org/wiki/Frequently_Asked_Questions
>>>> 
>>>> Thanks,
>>>> 
>>>> -Ron
>>>> rkelleyrtp at gmail.com
>>>> 
>> 
>> Thanks,
>> 
>> -Ron
>> rkelleyrtp at gmail.com
>> 

Thanks,

-Ron
rkelleyrtp at gmail.com
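
An added example, not part of the original thread and not the poster's code: a setuid wrapper for the two `tail` commands named above that exits quietly on no, extra or unknown arguments, passes nothing from the caller to the command, and runs it with a fixed environment. The action names `messages` and `secure` and the `/usr/bin/tail` path are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* One allowlisted action: the name the user types and the fixed argv it maps to. */
struct action {
    const char *name;
    const char *path;       /* absolute path, never looked up via PATH */
    char *const argv[4];    /* fixed arguments; caller input is never passed on */
};

/* Hypothetical action names; assumes tail is installed as /usr/bin/tail. */
static const struct action actions[] = {
    { "messages", "/usr/bin/tail", { "tail", "-100", "/var/log/messages", NULL } },
    { "secure",   "/usr/bin/tail", { "tail", "-50",  "/var/log/secure",   NULL } },
};

/* Return the action for exactly one, exactly matching argument, else NULL. */
const struct action *find_action(int argc, char **argv)
{
    if (argc != 2 || argv[1] == NULL)
        return NULL;
    for (size_t i = 0; i < sizeof actions / sizeof actions[0]; i++)
        if (strcmp(argv[1], actions[i].name) == 0)
            return &actions[i];
    return NULL;
}

int main(int argc, char **argv)
{
    /* Fixed environment: nothing inherited from the invoking user. */
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    const struct action *a = find_action(argc, argv);

    if (a == NULL)
        return 1;           /* no args, -h, or unknown name: exit with no output */

    /* Group first, then user; a failed call must not fall through to exec. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setgid/setuid");
        return 1;
    }
    execve(a->path, a->argv, clean_env);
    perror("execve");       /* only reached if the exec itself failed */
    return 1;
}
```

Adding a command means adding one row to `actions`; run without the setuid bit, the binary stops at the `setgid`/`setuid` check instead of executing anything.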



