paul@frcs.UUCP (Paul Nash) (04/19/91)
I recently hacked up a fairly trivial enhancer for `su', that allows
members of group `wheel' to su at will _without_ needing the root
password. Use it at your own risk, and distribute it to whom you
will. You may _not_ sell this code -- it must be given away for
free.
To install, `cc -o sux -O sux.c', `chown root sux', `chmod u+s sux'.
---- cut here ---- cut here ---- cut here ----
/*
** A simple `su' enhancer. This gets the uid of the user, thence
** the name, checks whether they are in group `wheel', and if so
** sets the euid to 0. If not, leave euid alone. After all of this,
** it execs `su' with all the command line options.
**
** This program must be owned by, and setuid to `root'.
**
** Copyright (C) Free Range Computer Systems CC, 1991.
**
** You may distrubute this code at will, provided that you do not
** _sell_ it, and leave this copyright notice unchanged.
*/
static char *copyright = "Copyright (C) Free Range Computer Systems CC, 1991.";
static char *rcs_id = "$Header: /u/src/utils/RCS/sux.c,v 1.2 91/04/19 11:49:27 src Exp $";
/*
* $Log: sux.c,v $
* Revision 1.2 91/04/19 11:49:27 src
* removed unnecessary check for `**group->gr_mem == '\0''. The `group'
* entry ends with `*group->gr_mem == NULL', as it should.
*
* Revision 1.1 91/04/19 11:48:18 src
* Initial revision
*
*/
#include <pwd.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>
#include <unistd.h>     /* getuid(), setuid(), execv() */

#define PRIV_GRP        "wheel"
#define SU              "/bin/su"

#define TRUE            ( 1 == 1 )
#define FALSE           ( ! TRUE )

int main( int argc, char *argv[] )
{
    uid_t           uid;
    int             priviledged;
    char            **member;
    struct passwd   *passwd;
    struct group    *group;

    /* look up the invoking (real) user and the privileged group */
    uid = getuid();
    passwd = getpwuid( uid );
    group = getgrnam( PRIV_GRP );
    if ( passwd == NULL || group == NULL ) {
        fprintf( stderr, "cannot read password or group files, aborting\n" );
        exit( 1 );
    }

    /* walk the NULL-terminated member list of the group entry */
    priviledged = FALSE;
    for ( member = group->gr_mem; *member != NULL; member++ ) {
        if ( strcmp( passwd->pw_name, *member ) == 0 ) {
            priviledged = TRUE;
            break;
        }
    }

    /* members become root; everyone else drops back to their own uid */
    if ( setuid( priviledged ? 0 : uid ) != 0 ) {
        perror( "setuid" );
        exit( 1 );
    }

    /* execv() only returns on failure */
    execv( SU, argv );
    fprintf( stderr, "It seems that %s doesn't exist: sorry\n", SU );
    return 1;
}
---=---=---=---=---=---=---=---=---=---=---=---=---=---=---=---=---=---
Paul Nash Free Range Computer Systems cc
paul@frcs.UUCP ...!uunet!m2xenix!frcs!paul
peltz@cerl.uiuc.edu (Steve Peltz) (04/26/91)
In article <462@frcs.UUCP> paul@frcs.UUCP (Paul Nash) writes:
>I recently hacked up a fairly trivial enhancer for `su', that allows
>members of group `wheel' to su at will _without_ needing the root
>password.

su on our system requires the real uid to be root to avoid being asked for
a password, so your program won't work. However, in those cases where it
WILL work, wouldn't the following one-line shell script do just as well?
Maybe there's a reason; maybe the "groups" command is Sun specific or
something...

Don't forget to change it to be owned by root and setuid and executable...

Sorry - not in shar format; why put in an extra 20 lines to wrap 2?

#!/bin/sh
groups | grep -s wheel && su $* || echo Sorry
--
Steve Peltz
Internet: peltz@cerl.uiuc.edu PLATO/NovaNET: peltz/s/cerl
lael@triton.unm.edu (Lael) (04/26/91)
In article <1991Apr25.174534.13912@ux1.cso.uiuc.edu> peltz@cerl.uiuc.edu (Steve Peltz) writes:
>In article <462@frcs.UUCP> paul@frcs.UUCP (Paul Nash) writes:
>>I recently hacked up a fairly trivial enhancer for `su', that allows
>>members of group `wheel' to su at will _without_ needing the root
>>password.
>
>su on our system requires the real uid to be root to avoid being asked for
>a password, so your program won't work. However, in those cases where it
>WILL work, wouldn't the following one-line shell script do just as well?
>Maybe there's a reason; maybe the "groups" command is Sun specific or
>something...
>
>Don't forget to change it to be owned by root and setuid and executable...

(rest of post deleted)

If you do this, you are making a big mistake, and opening up a root-sized
security hole. Probably not a very good idea.

(never never never EVER EVER make a shell script setuid anyone, especially root)
prl@iis.ethz.ch (Peter Lamb) (04/26/91)
peltz@cerl.uiuc.edu (Steve Peltz) writes:
>WILL work, wouldn't the following one-line shell script do just as well?

N O O O O O O O O !!!!!!

>Maybe there's a reason; maybe the "groups" command is Sun specific or
>something...

No.

>Don't forget to change it to be owned by root and setuid and executable...

If I can execute a setuid root script I can become root (independent
of its contents). So can a very large range of other people. Some of them
not friendly enough to warn you about it.

>Sorry - not in shar format; why put in an extra 20 lines to wrap 2?
>#!/bin/sh
>groups | grep -s wheel && su $* || echo Sorry

Don't do it! Don't install this script. Don't make it set{uid,gid}.
Setuid shell scripts are security holes!
--
Peter Lamb
uucp: uunet!mcsun!ethz!prl eunet: prl@iis.ethz.ch Tel: +411 256 5241
Integrated Systems Laboratory
ETH-Zentrum, 8092 Zurich
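
The warning that closes this thread translates into an audit step: find files that carry a set-uid or set-gid bit and start with `#!`. The C program below is an added example, not code from any of the posters; the names `classify_mode`, `classify_file` and the `verdict` enum are hypothetical.

```c
/* Added example: flag set-uid/set-gid files that are "#!" scripts. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

enum verdict { CHECK_ERROR = -1, NOT_SETID, SETID_BINARY, SETID_SCRIPT };

/* Decide from the mode bits and the first n bytes of the file. */
enum verdict classify_mode(mode_t mode, const char *head, size_t n)
{
    if (!S_ISREG(mode) || !(mode & (S_ISUID | S_ISGID)))
        return NOT_SETID;
    /* A file that begins with "#!" is run through an interpreter. */
    if (n >= 2 && head[0] == '#' && head[1] == '!')
        return SETID_SCRIPT;
    return SETID_BINARY;
}

/* Inspect one path; fstat() on the open descriptor avoids a stat/open race. */
enum verdict classify_file(const char *path)
{
    struct stat st;
    char head[2] = { 0, 0 };
    ssize_t n;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return CHECK_ERROR;     /* missing, unreadable, or a symlink */
    if (fstat(fd, &st) != 0) {
        close(fd);
        return CHECK_ERROR;
    }
    n = S_ISREG(st.st_mode) ? read(fd, head, sizeof head) : 0;
    close(fd);
    if (n < 0)
        return CHECK_ERROR;
    return classify_mode(st.st_mode, head, (size_t)n);
}

/* Usage: ./a.out FILE...   Exit status is 1 if any set-id script was found. */
int main(int argc, char **argv)
{
    int i, found = 0;
    for (i = 1; i < argc; i++)
        if (classify_file(argv[i]) == SETID_SCRIPT && ++found)
            printf("set-id script: %s\n", argv[i]);
    return found != 0;
}
```

Files the auditing user cannot read come back as `CHECK_ERROR`, so run it as a user who can open everything in the tree being checked.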