From: root@conexch.UUCP (Larry Dighera)
Newsgroups: comp.unix.xenix,comp.sys.ibm.pc
Subject: Re: HELP!!
Summary: Change the permissions on the port, edit /etc/ttys, & init q
Message-ID: <21372@conexch.UUCP>
Date: 31 Jan 89 20:06:14 GMT
References: <6932@killer.DALLAS.TX.US>
Reply-To: root@conexch.UUCP (Larry Dighera)
Followup-To: comp.unix.xenix
Organization: The Consultants' Exchange, Orange County, CA. (714) 842-6348

In article <6932@killer.DALLAS.TX.US> barton@killer.DALLAS.TX.US (Barton Fisk) writes:
>I need a user to be able to run a shell script to disable a serial
>line for dial out.
>
>If anyone can help me do this without having to become root, I
>would greatly appreciate the help.
>
>Also, when I tried to invoke ungetty from the script before
>calling in my comm prog, the getty refused to be suspended and
>upon trying to dial-out afterwards the message "DIALOUT is on
>tty1A" was produced.
>
>Thanks again for any suggestions.
>
>Barton A. Fisk

There are many approaches that can be used to accomplish this.  Most of
them will require that you trust the user of the communications program
to some extent.

Given that the files in question have the following default permissions:

-rwsr-xr-x  1 lp    bin    19500 May 16  1988 /bin/disable
-rwsr-xr-x  1 lp    bin    14932 May 16  1988 /bin/enable
crw-r-----  1 uucp  uucp   5,128 Jan 31 11:54 /dev/tty1A
-rw-rw-r--  1 root  root     304 Jan 31 10:59 /etc/ttys

you could put the communications program user in a unique group during
the communications session with the newgrp command, and have the group
on the above files set to that group.  This is probably the simplest.

The program below will allow users to run execute-only shell scripts as
though they were root.
So, if you put the disable command (and any other necessary commands) in
a small shell script and call that script as an argument to exonly, it
should work.  You can use group permissions to limit the accessibility
of exonly to trusted users.  On the other hand, depending on security
considerations on the system, you may find this approach unacceptable.

Larry Dighera

=========================== exonly.c begins =============================
/*
 * exonly.c
 * Author: Stephen Kochan
 * exonly opens the (execute-only) shell program,
 * given as the first argument, onto
 * standard input and executes the shell.
 *
 * exonly must be SUID to the owner
 * of the shell program or root.
 *
 * This source is based on the listing in the June '87 issue of
 * UNIX/WORLD Magazine, p. 95.  Entered by Larry Dighera
 * The Consultants' Exchange BBS (714) 842-6348/5851.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>

int main (int argc, char *argv[])
{
	/*
	 * Check number of arguments.  If < 2, no file
	 * was specified, so generate error message and exit.
	 */
	if (argc < 2) {
		fprintf (stderr, "exonly: needs file\n");
		exit (1);
	}

	/*
	 * Check accessibility of shell program by REAL uid
	 * (X_OK: the caller must hold execute permission).
	 */
	if (access (argv[1], X_OK) == -1) {
		fprintf (stderr, "exonly: cannot execute %s\n", argv[1]);
		exit (2);
	}

	/*
	 * Close standard input and re-open with first argument.
	 * open() returns the lowest free descriptor, so the script
	 * becomes fd 0.  Generate error message if file can't be opened.
	 */
	close (0);
	if (open (argv[1], O_RDONLY) < 0) {
		fprintf (stderr, "exonly: cannot open %s\n", argv[1]);
		exit (3);
	}

	/*
	 * Turn off setuid/setgid capability now that file is open.
	 */
	/*
	 * (You may want to comment this out depending on the necessity
	 * for your user to have an effective id of root to run
	 * the necessary commands.)
	 */
	setgid (getgid ());
	setuid (getuid ());

	/*
	 * Set up argument list to /bin/sh.
	 */
	argv[0] = "/bin/sh";
	argv[1] = "-s";		/* reads shell script from stdin */

	/*
	 * exec /bin/sh with -s option.  Pass any arguments
	 * along in the argv list.  Print error message
	 * if we can't exec /bin/sh.
	 */
	execv ("/bin/sh", argv);
	fprintf (stderr, "exonly: cannot exec /bin/sh\n");
	exit (4);
}
=========================== exonly.c ends =============================
-- 
USPS: The Consultants' Exchange, PO Box 12100, Santa Ana, CA 92712
TELE: (714) 842-6348: BBS (N81); (714) 842-5851: Xenix guest account (E71)
UUCP: conexch Any ACU 2400 17148425851 ogin:-""-ogin:-""-ogin: nuucp
UUCP: ...!uunet!turnkey!conexch!root || ...!trwrb!ucla-an!conexch!root