[TriLUG] Help with setuid C wrapper script
Clay Stuckey
cstuckey at govsg.com
Sun Oct 10 11:05:13 EDT 2010
It works the same. Google sudo tutorial. If you need specific syntax, I can look it up. Trust me, this is a good way to achieve your goal.
--
Clay Stuckey
(843) 469-5467
cstuckey at govsg.com
claystuckey at gmail.com
On Oct 10, 2010, at 10:51 AM, "Ron Kelley" <rkelleyrtp at gmail.com> wrote:
> Appreciate the info, but this is not what I want. I don't want the user added to the wheel group. I just want a single user to be able to tail the /var/log/messages (and other log) files.
>
>
> -Ron
>
>
>
> On Oct 10, 2010, at 10:43 AM, Clay Stuckey wrote:
>
>> %wheel ALL=(ALL) NOPASSWD: ALL
>>
>> Add the user to the wheel group. This gives all root commands. You may consider restricting their access to the specific commands.
>>
>> --
>> Clay Stuckey
>> (843) 469-5467
>> cstuckey at govsg.com
>> claystuckey at gmail.com
>>
>> On Oct 10, 2010, at 10:35 AM, "Ron Kelley" <rkelleyrtp at gmail.com> wrote:
>>
>>> What is the syntax in your /etc/sudoers file?
>>>
>>>
>>>
>>> On Oct 10, 2010, at 10:30 AM, Clay Stuckey wrote:
>>>
>>>> Sudo is fine for that. It gives you root privileges. Ownership will not be an issue. I'm not sure what you did but it works great for me without a password.
>>>>
>>>> --
>>>> Clay Stuckey
>>>> (843) 469-5467
>>>> cstuckey at govsg.com
>>>> claystuckey at gmail.com
>>>>
>>>> On Oct 10, 2010, at 9:53 AM, "Ron Kelley" <rkelleyrtp at gmail.com> wrote:
>>>>
>>>>> In this specific case, I need a specific (non-root) user to run the commands "tail -100 /var/log/messages" and "tail -50 /var/log/secure" without requiring a password prompt. Since the messages and secure files are not viewable by non-root users, sudo will not help here. I tried various incantations of sudo to make this work and had to resort to a wrapper script instead. In addition, I want a wrapper that I can use to expand the command set without mucking with sudo.
>>>>>
>>>>>
>>>>> -Ron
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Oct 10, 2010, at 9:30 AM, Clay Stuckey wrote:
>>>>>
>>>>>> Why use C when sudo is designed for just that?
>>>>>>
>>>>>> --
>>>>>> Clay Stuckey
>>>>>> (843) 469-5467
>>>>>> cstuckey at govsg.com
>>>>>> claystuckey at gmail.com
>>>>>>
>>>>>> On Oct 10, 2010, at 9:04 AM, "Ron Kelley" <rkelleyrtp at gmail.com> wrote:
>>>>>>
>>>>>>> Greetings all,
>>>>>>>
>>>>>>> I need to allow a non-root user to run a couple of system commands and would like to use a setuid C wrapper binary. I have searched over the 'net and have found the following sample code. Unfortunately, I get segmentation faults if no command arguments are passed in. Since I am not a C programmer, I was hoping someone could help me fine-tune the utility.
>>>>>>>
>>>>>>> For some reason, this code requires the "-v" CLI argument. I would prefer to just pass in the necessary arguments without the "-v". In addition, if no arguments (or, unknown/invalid args) are passed in, I want the utility to exit immediately. I want the ability to add additional commands in the future, so I need it to be flexible enough to parse the args instead of writing a single wrapper per external command.
>>>>>>>
>>>>>>> Example:
>>>>>>>
>>>>>>> #> wrapper my_command
>>>>>>> <runs the "my_command" command>
>>>>>>>
>>>>>>> #> wrapper another_command
>>>>>>> <runs the "another_command" command>
>>>>>>>
>>>>>>> #> wrapper
>>>>>>> <exits immediately>
>>>>>>>
>>>>>>> #> wrapper -h
>>>>>>> <exits immediately - no error output>
>>>>>>>
>>>>>>>
>>>>>>> ---------------------------------------------------------------------------------------------------------------------------------------
>>>>>>> #include <stdio.h>
>>>>>>> #include <sys/types.h>
>>>>>>> #include <unistd.h>
>>>>>>> #include <signal.h>
>>>>>>> #include <string.h>
>>>>>>> #include <stdlib.h>
>>>>>>>
>>>>>>> /********************************************
>>>>>>> * Inspired by:
>>>>>>> * http://linuxshellaccount.blogspot.com/2007/12/securing-suid-programs-using-simple-c.html *
>>>>>>> ********************************************/
>>>>>>>
>>>>>>> /* Define global variables */
>>>>>>>
>>>>>>> int gid;
>>>>>>>
>>>>>>> /* main(int argc, char **argv) - main process loop */
>>>>>>>
>>>>>>> int main(int argc, char **argv)
>>>>>>> {
>>>>>>>
>>>>>>>     /* Set uid, gid, euid and egid to root */
>>>>>>>
>>>>>>>     setegid(0);
>>>>>>>     seteuid(0);
>>>>>>>     setgid(0);
>>>>>>>     setuid(0);
>>>>>>>
>>>>>>>     if ( strncmp(argv[1], "my_command", 11) == 0 ) {
>>>>>>>         if (execl("/usr/local/bin/my_command", "my_command", "-v", NULL) < 0) {
>>>>>>>             perror("Execl:");
>>>>>>>         }
>>>>>>>     } else if ( strncmp(argv[1], "another_command", 15) == 0 ) {
>>>>>>>         if (execl("/usr/local/bin/another_command", "another_command", "-v", NULL) < 0) {
>>>>>>>             perror("Execl:");
>>>>>>>         }
>>>>>>>     } else {
>>>>>>>         exit (1);
>>>>>>>     }
>>>>>>>     exit (0);
>>>>>>> }
>>>>>>> ---------------------------------------------------------------------------------------------------------------------------------------
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Thanks for any help,
>>>>>>>
>>>>>>> -Ron
>>>>>>> --
>>>>>>> This message was sent to: Clay Stuckey <cstuckey at govsg.com>
>>>>>>> To unsubscribe, send a blank message to trilug-leave at trilug.org from that address.
>>>>>>> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
>>>>>>> Unsubscribe or edit options on the web : http://www.trilug.org/mailman/options/trilug/cstuckey%40govsg.com
>>>>>>> TriLUG FAQ : http://www.trilug.org/wiki/Frequently_Asked_Questions
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -Ron
>>>>> rkelleyrtp at gmail.com
>>>>>
>>>
>>> Thanks,
>>>
>>> -Ron
>>> rkelleyrtp at gmail.com
>>>
>
> Thanks,
>
> -Ron
> rkelleyrtp at gmail.com
>
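The wrapper behaviour requested at the start of the thread, as an added example that is not code from any poster or from the blog post cited in the original: it checks `argc` before reading `argv[1]` (the source of the segmentation fault), matches names exactly against a fixed table, verifies the `setgid`/`setuid` results, and executes a fixed absolute path with a minimal environment. The subcommand names `messages` and `secure` and the `/usr/bin/tail` path are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Fixed allowlist: the caller picks a name, never a path or an argument.
 * Subcommand names and the /usr/bin/tail path are assumptions. */
struct allowed {
    const char *name;
    char *const argv[5];
};

static const struct allowed ALLOWED[] = {
    { "messages", { "/usr/bin/tail", "-100", "/var/log/messages", NULL } },
    { "secure",   { "/usr/bin/tail", "-50",  "/var/log/secure",   NULL } },
};

/* Exact match only; NULL (no argument), "-h" and unknown names return NULL. */
const struct allowed *lookup_command(const char *name)
{
    if (name == NULL)
        return NULL;
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strcmp(name, ALLOWED[i].name) == 0)
            return &ALLOWED[i];
    return NULL;
}

int main(int argc, char **argv)
{
    /* Validate before touching argv[1] or any privilege. */
    const struct allowed *cmd = (argc == 2) ? lookup_command(argv[1]) : NULL;
    if (cmd == NULL)
        return 1;                       /* exit immediately, no output */

    /* Make the real IDs root too; group first, and check both calls. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setgid/setuid");
        return 1;
    }

    /* Fixed absolute path, fixed arguments, minimal environment. */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    execve(cmd->argv[0], cmd->argv, envp);
    perror("execve");                   /* reached only if execve failed */
    return 1;
}
```

Adding a command means adding one row to `ALLOWED`; the binary still needs root ownership and the setuid bit to read the log files.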