Path: utzoo!attcan!uunet!snorkelwacker!usc!zaphod.mps.ohio-state.edu!uakari.primate.wisc.edu!aplcen!haven!umbc3!bernie From: bernie@umbc3.UMBC.EDU (Bernard J. Duffy) Newsgroups: comp.sys.sgi Subject: Re: 3.3.1 questions & complaints Summary: suid program for a "command" Keywords: suid mount umount root Message-ID: <4034@umbc3.UMBC.EDU> Date: 27 Sep 90 23:05:06 GMT References: <1990Sep26.174852.1344@ux1.cso.uiuc.edu> Reply-To: bernie@umbc3.umbc.edu.UMBC.EDU (Bernard J. Duffy) Organization: University of Maryland Baltimore County Lines: 86 In article <1990Sep26.174852.1344@ux1.cso.uiuc.edu> wsherman@newton.ncsa.uiuc.edu (William Sherman -Visualization) writes: ... (X stuffs deleted) > >Okay, my first complaint is about something I'm sure SGI considers >a "feature." I have some shell scripts to mount and unmount nfs'ed >disks to allow me to adapt to network problems, and machines going >down. Of course only the superuser can do this, so the scripts are >owned by root, and the setuid bit is set. Well, under 3.3.1, I'm >informed that "mount_x: Setuid shell scripts not allowed." Is there >anything I can do to allow them? If not, there should be. > ... other stuffs deleted... > >/* Bill Sherman National Center for Supercomputing Applications */ >/* University of Illinois Champaign-Urbana */ Bill, I've been told that suid scripts are dangerous, so I put my {,u}mount command for an optical drive (have to change platters from time to time). The program is real simple and I've over-commented it below. I needed to use getgid() to restrict use to the group of users that owned the optical drive. Other command(s) could be enveloped in this manner. Here's the program : /* cut here ...... */ /* moptical.c - Allow someone of the groupS group to become root and execute the /etc/mount /chem2/optical (or /etc/umount /chem2/optical if executed with uoptical softlink) command without the hassle of typing in the root passwd (or even knowing it). Author: Bernie Duffy, Academic Computing Date: Jan. 19, 1990 To install it: (Executible must, of course, be suid.) ! on chem3 cd /usr/local/grps/src/moptical newgrp groupS cc moptical.c -o /usr/local/grps/bin/moptical cd /usr/local/grps/bin ln -s /usr/local/grps/bin/moptical uoptical chmod 4750 moptical # ls -l /usr/local/grps/bin/*opt* -rwsr-x--- 1 root groupS 42664 Jan 19 17:50 moptical* l--------- 1 root groupS 28 Jan 19 17:51 uoptical@ -> /usr/local/grps/bin/moptical */ #include #define GROUPID 30 #define GROUPNAME "groupS" #define DISKPARTITION "/chem2/optical" main (argc,argv) int argc; char **argv; { if (getgid() != GROUPID && getuid() != 0) { fprintf(stderr, "You don't belong to the %s group, sorry.\n", GROUPNAME); exit(0); } printf ("Please wait... "); setuid(0); if ( strncmp (argv[0], "moptical", 8) == 0 ) { printf("Mounting %s : mount -c %s\n", DISKPARTITION, DISKPARTITION); execlp("/etc/mount", "mount", "-c", DISKPARTITION, (char *) 0); } else { printf("Un-mounting %s : umount %s\n", DISKPARTITION, DISKPARTITION); execlp("/etc/umount", "umount", DISKPARTITION, (char *) 0); } perror(argv[0]); exit(0); } /* end of moptical.c program. execlp() will only return if there is a permission or process creation error... that's the only way exit(0); will get called. */ -- Bernie Duffy Systems Programmer II | Bitnet : BERNIE@UMBC2 Academic Computing Services - L005e | Internet : BERNIE@UMBC2.UMBC.EDU Univ. of Maryland Baltimore County | UUCP : ...!uunet!umbc3!bernie Baltimore, MD 21228 (U.S.A.) | W: (301) 455-3231 H: (301) 744-2954