[comp.unix.wizards] How can a group id be dropped?

dimitri@cui.UUCP (KONSTANTAS Dimitri) (02/25/88)

It's been some time now that I have been puzzling over the question,
"how to drop a group id".
As is known, 4.[123] systems assign to each user process a list of
group ids.
Can a simple user "drop" one or more of the group memberships in one process?
For example, if a user belongs to groups
	local
	news
	research
is it possible to create a process that will belong to only, say,
	local
	news ?

I wonder if any of the Wizards or gurus out there in the
net-land knows how and if that can be done!

All suggestions are welcome!

Dimitri Konstantas
University of Geneva

uucp: mcvax!cernvax!cui!dimitri
BITNET: dimitri@cgeuge51.bitnet

ji@read.columbia.edu (John Ioannidis) (03/02/88)

I once wrote a pair of system calls that allowed an unprivileged user to 
add a group to their list of groups, based on authorization granted by
a setuid root program. Anyway, just removing a group should not ask for
any special authorization, so I guess the easiest way to do it is the following:

Basically, you have to add a simple system call. Let's say you'll
call it rmgroup(), and it will take one numeric argument, the gid to
remove from the list. 

To add a system call, add a declaration for it in
$SYS/sys/init_sysent.c and put it at the end of struct sysent sysent[]
in the same file. You'll also have to include it in syscallnames[] in
file $SYS/sys/syscalls.c. 

Now, in $SYS/sys/kern_prot.c there is a function called leavegroup()
which does exactly what you want. To package it into a syscall, add
the following code in kern_prot.c:

rmgroup()
{
	struct a {
		long groupname;
	} *uap = (struct a *)u.u_ap;	/* syscall arguments from the u area */

	leavegroup(uap->groupname);	/* drop this gid from the group list */
}

After that, recompile the kernel and you'll be all set. To call the
rmgrp syscall, just call syscall(SYSCALL_rmgrp, groupid), where
SYSCALL_rmgrp is the number of the system call (you'll know that
because that's where you added it in the struct sysent initially).

I haven't tested the code (obviously), but it's too simple not to
work. 

Good luck

/ji

#include <appropriate_disclaimers>

VOICE: 	+1 212 280 5510			INET: ji@garfield.columbia.EDU
USnail:	John Ioannidis			  

kre@munnari.oz (Robert Elz) (03/13/88)

In article <5365@columbia.edu>, ji@read.columbia.edu (John Ioannidis) writes:
> Anyway, just removing a group should not ask for
> any special authorization,

This is a mistake, useful things can be done with bsd groups provided
that users can't manipulate them (apart from running a setgid program).

Eg: we have a group "solitary" which we occasionally put troublemakers
into.  A whole bunch of directories are 705 mode, owned by group solitary.

This is remarkably effective.

kre
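
Added example, not part of any post in the thread: a simplified C model of the Unix permission-class check, showing why a mode-705 directory owned by group solitary shuts out that group's members, and why letting a process drop the group would undo the restriction. The struct, the function names and the numeric ids are constructed for illustration, and the superuser bypass is left out.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model: exactly one class (owner, group or other) is
 * selected for a process, and only that class's bits apply. */
struct cred { int uid; int groups[8]; size_t ngroups; };

static int in_group(const struct cred *c, int gid)
{
	for (size_t i = 0; i < c->ngroups; i++)
		if (c->groups[i] == gid)
			return 1;
	return 0;
}

/* want: 4 = read, 2 = write, 1 = execute/search. Returns 1 if allowed. */
int may_access(const struct cred *c, int f_uid, int f_gid, int mode, int want)
{
	int bits;
	if (c->uid == f_uid)
		bits = (mode >> 6) & 7;
	else if (in_group(c, f_gid))
		bits = (mode >> 3) & 7;	/* group class wins over "other" */
	else
		bits = mode & 7;
	return (bits & want) == want;
}

/* Model of removing one gid from a process's group list. */
void drop_group(struct cred *c, int gid)
{
	size_t j = 0;
	for (size_t i = 0; i < c->ngroups; i++)
		if (c->groups[i] != gid)
			c->groups[j++] = c->groups[i];
	c->ngroups = j;
}

int main(void)
{
	/* Constructed ids: uid 1001; gids local=10, news=20, solitary=99. */
	struct cred u = { 1001, { 10, 20, 99 }, 3 };
	printf("member of solitary: %d\n", may_access(&u, 0, 99, 0705, 5));
	drop_group(&u, 99);
	printf("after dropping it:  %d\n", may_access(&u, 0, 99, 0705, 5));
	return 0;
}
```

The first line prints 0 because the group class of 705 carries no bits; the second prints 1 because the process now falls into the "other" class, which is why group removal has to stay a privileged operation when groups are used to deny access.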