[alt.sources] sux, an enhancer for su

paul@frcs.UUCP (Paul Nash) (04/19/91)

I recently hacked up a fairly trivial enhancer for `su', that allows
members of group `wheel' to su at will _without_ needing the root
password.  Use it at your own risk, and distribute it to whom you
will.  You may _not_ sell this code -- it must be given away for
free. 

To install, `cc -o sux -O sux.c', `chown root sux', `chmod u+s sux'.

  ----   cut here   ----   cut here   ----   cut here   ---- 
 
/*
**	A simple `su' enhancer.  This gets the uid of the user, thence
**	the name, checks whether they are in group `wheel', and if so
**	sets the euid to 0.  If not, leave euid alone.  After all of this,
**	it execs `su' with all the command line options.
**
**	This program must be owned by, and setuid to `root'. 
**
**	Copyright (C) Free Range Computer Systems CC, 1991.
**
**	You may distribute this code at will, provided that you do not
**	_sell_ it, and leave this copyright notice unchanged.
*/

static char *copyright = "Copyright (C) Free Range Computer Systems CC, 1991.";
static char *rcs_id = "$Header: /u/src/utils/RCS/sux.c,v 1.2 91/04/19 11:49:27 src Exp $";

/*
 * $Log:	sux.c,v $
 * Revision 1.2  91/04/19  11:49:27  src
 * removed unnecessary check for `**group->gr_mem == '\0''.  The `group'
 * entry ends with `*group->gr_mem == NULL', as it should.
 * 
 * Revision 1.1  91/04/19  11:48:18  src
 * Initial revision
 * 
 */

#include <pwd.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PRIV_GRP		"wheel"
#define SU			"/bin/su"
#define TRUE			( 1 == 1 )
#define FALSE			( ! TRUE )

int main( int argc, char *argv[] )
{
   uid_t          uid;
   int            privileged;
   char         **member;
   struct passwd *passwd;
   struct group  *group;

   uid = getuid();
   passwd = getpwuid( uid );
   group  = getgrnam( PRIV_GRP );
   if ( passwd == NULL || group == NULL ) {
      fprintf( stderr, "cannot read password or group files, aborting\n" );
      exit( 1 );
   }
   /* look for the caller's login name in the member list of PRIV_GRP */
   privileged = FALSE;
   for ( member = group->gr_mem; *member != NULL; member++ ) {
      if ( strcmp( passwd->pw_name, *member ) == 0 ) {
         privileged = TRUE;
         break;
      }
   }
   /* members get uid 0, everyone else drops back to their own uid */
   if ( setuid( privileged ? 0 : uid ) != 0 ) {
      perror( "setuid" );
      exit( 1 );
   }
   execv( SU, argv );
   /* only reached if execv() failed */
   fprintf( stderr, "It seems that %s doesn't exist: sorry\n", SU );
   return 1;
}


 ---=---=---=---=---=---=---=---=---=---=---=---=---=---=---=---=---=---
Paul Nash				   Free Range Computer Systems cc
paul@frcs.UUCP				      ...!uunet!m2xenix!frcs!paul

peltz@cerl.uiuc.edu (Steve Peltz) (04/26/91)

In article <462@frcs.UUCP> paul@frcs.UUCP (Paul Nash) writes:
>I recently hacked up a fairly trivial enhancer for `su', that allows
>members of group `wheel' to su at will _without_ needing the root
>password.

su on our system requires the real uid to be root to avoid being asked for
a password, so your program won't work. However, in those cases where it
WILL work, wouldn't the following one-line shell script do just as well?
Maybe there's a reason; maybe the "groups" command is Sun specific or
something...

Don't forget to change it to be owned by root and setuid and executable...

Sorry - not in shar format; why put in an extra 20 lines to wrap 2?

#!/bin/sh
groups | grep -s wheel && su $* || echo Sorry
--
Steve Peltz
Internet: peltz@cerl.uiuc.edu	PLATO/NovaNET: peltz/s/cerl

lael@triton.unm.edu (Lael) (04/26/91)

In article <1991Apr25.174534.13912@ux1.cso.uiuc.edu> peltz@cerl.uiuc.edu (Steve Peltz) writes:
>In article <462@frcs.UUCP> paul@frcs.UUCP (Paul Nash) writes:
>>I recently hacked up a fairly trivial enhancer for `su', that allows
>>members of group `wheel' to su at will _without_ needing the root
>>password.
>
>su on our system requires the real uid to be root to avoid being asked for
>a password, so your program won't work. However, in those cases where it
>WILL work, wouldn't the following one-line shell script do just as well?
>Maybe there's a reason; maybe the "groups" command is Sun specific or
>something...
>
>Don't forget to change it to be owned by root and setuid and executable...
	(rest of post deleted)

If you do this, you are making a big mistake, and opening up a root-sized
security hole.  Probably not a very good idea.  (never never never EVER
EVER make a shell script setuid anyone, especially root)

prl@iis.ethz.ch (Peter Lamb) (04/26/91)

peltz@cerl.uiuc.edu (Steve Peltz) writes:
>WILL work, wouldn't the following one-line shell script do just as well?

  N O O O O O O O O !!!!!!

>Maybe there's a reason; maybe the "groups" command is Sun specific or
>something...

  No.	

>Don't forget to change it to be owned by root and setuid and executable...

If I can execute a setuid root script I can become root (independent of
its contents). So can a very large range of other people. Some of them
not friendly enough to warn you about it.

>Sorry - not in shar format; why put in an extra 20 lines to wrap 2?

>#!/bin/sh
>groups | grep -s wheel && su $* || echo Sorry

Don't do it !

Don't install this script. Don't make it set{uid,gid}.

Setuid shell scripts are security holes!


--
Peter Lamb
uucp:  uunet!mcsun!ethz!prl	eunet: prl@iis.ethz.ch	Tel:   +411 256 5241
Integrated Systems Laboratory
ETH-Zentrum, 8092 Zurich
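
The warnings above can be turned into a routine check. The following is an added example, not code from any poster in this thread: it lists files that carry the setuid or setgid bit and start with `#!`. The function name find_setid_scripts is made up for this example, and `head -c` is assumed to be available.

```sh
#!/bin/sh
# Added example (not from the thread): list set-id files that are "#!" scripts.
# find_setid_scripts is a hypothetical name; head -c is assumed available.

# find_setid_scripts DIR
#   Print the path of every regular file under DIR (same filesystem only)
#   that has the setuid or setgid bit set and begins with the bytes "#!".
find_setid_scripts() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec sh -c '
            for f do
                # An interpreter script is recognised by its first two bytes.
                if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
                    printf "%s\n" "$f"
                fi
            done' sh {} + 2>/dev/null
}

# Audit the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    find_setid_scripts "$1"
fi
```

Each path printed is a candidate for `chmod u-s,g-s` or for replacement by a compiled wrapper. On Linux the kernel ignores set-id bits on `#!` scripts, but a hit still marks a file someone meant to run privileged and is worth reviewing.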