[comp.unix.questions] Changing GID inside csh script

ratazzie@lonex.radc.af.mil (E. Paul Ratazzi) (05/15/91)

I have checked the FAQ and RTFM'ed on this one.  It seems like it should
be easy, but I'm having one heck of a time.

OS:  SunOS 4.1.1

Problem:  When a user executes our CAD software, I want all files he
creates while in the CAD software to have a group id of 'cad'.
Since these users are normally members of 'staff', the group id has to
be changed before the CAD software is executed.  I have found that this
can be done manually (and painfully) by typing 'newgrp cad' and then
starting the CAD software.

   What I would like is this group change to be automatic.  I have tried
everything I can think of from putting 'newgrp cad' in the csh script
(doesn't work because newgrp *always* gives another csh) to writing a
C code front end which calls setregid and then runs the script using
execve (doesn't work because the fact that I'm in sunview gets lost
somewhere along the line and the CAD software won't run without sunview).

Any assistance would be greatly appreciated.

TIA,

-- 
E. Paul Ratazzi                                |      ratazzie@lonex.radc.af.mil
Microelectronics Reliability Division          |            COMPMAIL:  e.ratazzi
Rome Laboratory (USAF/AFSC)                    |                  (315) 330-2946
"Exploring the Invisible Frontier"             |                    DSN 587-2946

weimer@garden.ssd.kodak.com (Gary Weimer (253-7796)) (05/15/91)

In article <1991May14.182305.13872@lonex.radc.af.mil>,
ratazzie@lonex.radc.af.mil (E. Paul Ratazzi) writes:
|> I have checked the FAQ and RTFM'ed on this one.  It seems like it should
|> be easy, but I'm having one heck of a time.
|> 
|> OS:  SunOS 4.1.1
|> 
|> Problem:  When a user executes our CAD software, I want all files he
|> creates while in the CAD software to have a group id of 'cad'.
|> Since these users are normally members of 'staff', the group id has to
|> be changed before the CAD software is executed.  I have found that this
|> can be done manually (and painfully) by typing 'newgrp cad' and then
|> starting the CAD software.
|> 
|>    What I would like is this group change to be automatic.  I have tried
|> everything I can think of from putting 'newgrp cad' in the csh script
|> (doesn't work because newgrp *always* gives another csh) to writing a
|> C code front end which calls setregid and then runs the script using
|> execve (doesn't work because the fact that I'm in sunview gets lost
|> somewhere along the line and the CAD software won't run without sunview).

How about doing:

example% chgrp cad <script>
example% chmod g+s <script>

(assuming <script> is the script that is being run)

This will change the group of the script to 'cad' and then set the group
id on execution.

weimer@ssd.kodak.com ( Gary Weimer )

tchrist@convex.COM (Tom Christiansen) (05/16/91)

From the keyboard of ratazzie@lonex.radc.af.mil (E. Paul Ratazzi):
:I have checked the FAQ and RTFM'ed on this one.  It seems like it should
:be easy, but I'm having one heck of a time.
:
:OS:  SunOS 4.1.1
:
:Problem:  When a user executes our CAD software, I want all files he
:creates while in the CAD software to have a group id of 'cad'.
:Since these users are normally members of 'staff', the group id has to
:be changed before the CAD software is executed.  I have found that this
:can be done manually (and painfully) by typing 'newgrp cad' and then
:starting the CAD software.

Hmm... I'd think a setgid front-end C program would work, but you
said it didn't, so barring that....

Sun caved into the evil Death Star on this one, but there are plenty of
ways to make it right.  Do you want this no matter what directory they're
in?  If not, why don't you either mount the stuff with the grpid
mount/fstab option, and/or make the directory setgid cad?  This way you'd
get reasonable group-ownership semantics for created files for a change.

Or you can make a one shot setuid root binary that can be used to setgid
its calling process to group cad via a poke at /dev/mem.

[ Now, I wonder which of the preceding two paragraphs are going to 
  get more people upset. :-) ]


--tom
--
Tom Christiansen		tchrist@convex.com	convex!tchrist
		"So much mail, so little time." 
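Added example, not code from any poster: the compiled setgid front end Tom refers to, written so that the CAD program is run with real and effective GID equal to the group the wrapper is installed setgid to, and with the caller's environment inherited (execv() passes environ along; an execve() with a fresh envp drops whatever the window system left there). The target path and wrapper name are placeholders, not from the thread.

```c
/* cadwrap.c: setgid front end for a fixed program.
 * Install (placeholder names): chgrp cad cadwrap; chmod 2755 cadwrap
 * Unlike a g+s shell script, a compiled wrapper has no interpreter
 * hand-off, and it execs one hard-coded program, so it does not let
 * the caller run an arbitrary command as group cad. */
#define _DEFAULT_SOURCE 1      /* for setregid() in glibc's unistd.h */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define CAD_PROGRAM "/usr/local/cad/bin/cad"   /* placeholder path */

/* Make the real GID equal the effective (setgid) GID, so that files the
 * program creates and any child it spawns carry the wrapper's group,
 * and so getgid() callers see it too.  The UID is never touched.
 * Returns 0 on success, -1 if the kernel refused or the result is not
 * what was asked for (checked rather than trusted). */
int adopt_effective_group(void)
{
    gid_t g = getegid();
    if (setregid(g, g) != 0)
        return -1;
    return (getgid() == g && getegid() == g) ? 0 : -1;
}

int main(int argc, char **argv)
{
    (void)argc;
    if (adopt_effective_group() != 0) {
        perror("setregid");
        return 1;
    }
    argv[0] = CAD_PROGRAM;      /* do not reuse the caller's argv[0] */
    execv(CAD_PROGRAM, argv);   /* inherits the caller's environment */
    perror(CAD_PROGRAM);        /* reached only if the exec failed */
    return 127;
}
```

Run as an ordinary user without the setgid bit, the wrapper is a no-op on the group and simply execs the target, which makes it easy to test before installing it setgid.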

tchrist@convex.COM (Tom Christiansen) (05/16/91)

From the keyboard of weimer@ssd.kodak.com:
:example% chgrp cad <script>
:example% chmod g+s <script>
:
:(assuming <script> is the script that is being run)
:
:This will change the group of the script to 'cad' and then set the group
:id on execution.

Because if it works as you want it to work (and won't on all systems),
then it will in all likelihood also allow anyone who cares to bother to
execute any arbitrary command as group cad, including:

    cp /bin/sh /tmp/cad
    chmod g+s /tmp/cad

Perhaps this doesn't bother you.  It would bother me.

Why should this be, you ask?  Because this is one of those lurking
security holes that few vendors if any have ever bothered to fix or to
tell their customers about.  On most systems that support them, a suid
script allows you to execute arbitrary commands under that uid, and a g+s
script does the same for that gid.  Never have such on your system
unless you can prove that you don't have the bug: inspection of the 
kernel code for execve() is usually enough to tell.  If your system
doesn't have /dev/fd's, I doubt whether it's fixed.

--tom
--
Tom Christiansen		tchrist@convex.com	convex!tchrist
		"So much mail, so little time."