frank@hpuxa.ircc.ohio-state.edu (Frank G. Fiamingo) (07/07/89)
I'm trying to set up a program so that it is executable only by members of a certain group. This group, however, is generally NOT the group that its members log in to. I thought I could set the mode to say 750 and then use newgrp. This works when typed directly in, but doesn't work in a shell script. Apparently newgrp spawns a new shell so that the commands following it are never executed. Can I work around this, or is there another way to accomplish what I want?

I'm working with an HP9000/840 running HP-UX3.01 (SysVish).

Thanks,
Frank
frank@hpuxa.ircc.ohio-state.edu

peter@ficc.uu.net (Peter da Silva) (07/07/89)
In article <164@nisca.ircc.ohio-state.edu>, frank@hpuxa.ircc.ohio-state.edu (Frank G. Fiamingo) writes:
> Apparently newgrp spawns a new shell so that the
> commands following it are never executed.

Here's my solution... it's an equivalent of 'su' for groups (where newgrp is an equivalent of login for groups). A quick hack, but very useful. The games with errno were needed to keep spurious error messages here and there from confusing our users.

status==1 implies a system error, status==2 implies a user error.

    /* grp group command...
     *
     * Execute "command" with gid=="group".
     */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <grp.h>
    #include <pwd.h>
    #include <errno.h>

    int main(int ac, char **av)
    {
        struct passwd *passwd;
        struct group *group;
        int i;

        if(ac < 3) {
            fprintf(stderr, "Usage: grp group command...\n");
            exit(2);
        }

        /* Look up the invoking (real) user. */
        errno = 0;
        if((passwd = getpwuid(getuid())) == 0) {
            if(errno == 0 || errno == ENOTTY) /* Yes, /etc/passwd is not a tty */
                fprintf(stderr, "/etc/passwd: No entry for uid\n");
            else
                perror("/etc/passwd");
            exit(1);
        }

        /* Look up the requested group. */
        errno = 0;
        if((group = getgrnam(av[1])) == 0) {
            if(errno == 0 || errno == ENOTTY) /* yes, /etc/group is not a tty */
                fprintf(stderr, "%s: No such group\n", av[1]);
            else
                perror("/etc/group");
            exit(1);
        }

        /* The user must be listed as a member of the group. */
        for(i = 0; group->gr_mem[i]; i++)
            if(strcmp(group->gr_mem[i], passwd->pw_name) == 0)
                break;

        if(group->gr_mem[i] == 0) {
            fprintf(stderr, "%s: Not in group.\n", av[1]);
            exit(1);
        }

        /* Switch group first, then drop any set-uid privilege.
         * Stop if either call fails rather than exec with the wrong ids. */
        if(setgid(group->gr_gid) != 0) {
            perror("grp: setgid");
            exit(1);
        }
        if(setuid(getuid()) != 0) {
            perror("grp: setuid");
            exit(1);
        }

        errno = 0;
        execvp(av[2], &av[2]);
        perror("grp: exec");
        exit(1);
    }

--
Peter da Silva, Xenix Support, Ferranti International Controls Corporation.
Business: peter@ficc.uu.net, +1 713 274 5180. | "Arrrrggggh!
Personal: peter@sugar.hackercorp.com. `-_-' | Electronic mail sucks eggs."
Quote: Have you hugged your wolf today? 'U` | -- eugene miya

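An added example, not part of Peter da Silva's post: the two decisions a wrapper like grp has to get right, written as separately testable functions. The membership check also accepts the user's primary group from the passwd entry, and the switch checks every call and confirms the set-uid privilege cannot be regained. Assumptions: the wrapper is installed set-uid root (which setgid() to another group requires), and the function names and the sample entries in main are constructed for illustration.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if the user may assume the group: it is the primary group in the
 * passwd entry, or the user is listed as a member in the group entry. */
int may_assume_group(const struct passwd *pw, const struct group *gr)
{
    char **m;
    if (pw == NULL || gr == NULL || pw->pw_name == NULL)
        return 0;
    if (pw->pw_gid == gr->gr_gid)
        return 1;
    for (m = gr->gr_mem; m != NULL && *m != NULL; m++)
        if (strcmp(*m, pw->pw_name) == 0)
            return 1;
    return 0;
}

/* Switch to gid and give up set-uid privilege, checking every step.
 * Returns 0 on success, -1 if any call fails or the result is wrong. */
int switch_group_and_drop(gid_t gid)
{
    uid_t ruid = getuid();
    if (setgid(gid) != 0)            /* group first, while still privileged */
        return -1;
    if (setuid(ruid) != 0)           /* then drop the set-uid privilege */
        return -1;
    if (getgid() != gid || getegid() != gid || geteuid() != ruid)
        return -1;
    if (ruid != 0 && setuid(0) == 0) /* root must not be recoverable */
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample entries, not taken from any real system. */
    char *members[] = { "alice", NULL };
    struct group gr = { 0 };
    struct passwd pw = { 0 };
    gr.gr_name = "proj"; gr.gr_gid = 58; gr.gr_mem = members;
    pw.pw_name = "alice"; pw.pw_gid = 9;
    printf("alice may assume proj: %d\n", may_assume_group(&pw, &gr));
    return 0;
}
```
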
paul@prcrs.UUCP (Paul Hite) (07/07/89)
In article <164@nisca.ircc.ohio-state.edu>, frank@hpuxa.ircc.ohio-state.edu (Frank G. Fiamingo) writes:
> I'm trying to set up a program so that it is executable only by members of
> a certain group. This group, however, is generally NOT the group that
> its members login to. I thought I could set the mode to say 750 and
> then use newgrp. This works when typed directly in, but doesn't work
> in a shell script.

Within a System V environment, you can execute commands by sending them into the shell spawned by newgrp like this:

    Script started on Fri Jul 7 10:40:34 1989
    $ uname -a
    HP-UX prcrs A.B3.10 D 9000/850 0
    $ id
    uid=2007(paul) gid=9(sysadm)
    $ echo id | (newgrp cms)
    uid=2007(paul) gid=58(cms)
    $
    script done on Fri Jul 7 10:41:38 1989

The idea is to execute newgrp in a subshell and redirect stdin of the subshell to be some commands to be executed.

> I'm working with an HP9000/840 running HP-UX3.01 (SysVish).

While hp-ux is indeed SysVish, it can also be BSDish and this gives you another option. It's somewhat hidden in TFM, but there is a file supported called "/etc/logingroup". It's like /etc/group except that you can be a member of many groups at one time. Your group from /etc/passwd is always used for the group of any files created and newgrp does change this. But we have linked /etc/logingroup to /etc/group and so our users have access to all their groups at once.

Paul Hite
PRC Realty Systems
McLean,Va
uunet!prcrs!paul
(703) 556-2243
DOS is a four letter word!