Unix Programming - access control.


Author access control.
KIRAN MN

2004-05-12, 6:39 am

Hi,

My OS is AIX 4.3.2. C compiler is 6.1.0.0.
I have commercial software sitting in directory "dir".
dir/a
dir/b
dir/c

a, b and c are executables. Of these, say "a" is a GUI that in turn calls b and c while running. I don't want users to execute dir/a directly; I want them to use some program to access dir/a. This program, while running, will create temporary files and output files.

If I write a set-uid program to control access to this, then the temporary files that get created will be under the effective user ID.

What I want is that users must execute dir/a through a particular program; they are not allowed to run it directly by setting the path. While running, their effective uid must be equal to the real uid (this is for the temporary files that get created).

Is there any method to achieve this?
Please help me.

Thanking you,
regards,
kiran

Eric Sosman

2004-05-12, 10:38 am

KIRAN MN wrote:
> Hi,
>
> My OS is AIX 4.3.2. C compiler is 6.1.0.0.
> I have commercial software sitting in directory "dir".
> dir/a
> dir/b
> dir/c
>
> a, b and c are executables. Of these, say "a" is a GUI that in turn calls b and c while running. I don't want users to execute dir/a directly; I want them to use some program to access dir/a. This program, while running, will create temporary files and output files.
>
> If I write a set-uid program to control access to this, then the temporary files that get created will be under the effective user ID.
>
> What I want is that users must execute dir/a through a particular program; they are not allowed to run it directly by setting the path. While running, their effective uid must be equal to the real uid (this is for the temporary files that get created).
>
> Is there any method to achieve this?


Could the "launch" program create and open the temporary
files before switching IDs and exec()ing dir/a? That is,
can you get dir/a to use already-open file descriptors instead
of opening new ones for itself?

--
Eric.Sosman@sun.com

Rich Gibbs

2004-05-12, 4:58 pm

KIRAN MN said the following, on 05/12/04 06:34:
> Hi,
>
> My OS is AIX 4.3.2. C compiler is 6.1.0.0.
> I have commercial software sitting in directory "dir".
> dir/a
> dir/b
> dir/c
>
> a, b and c are executables. Of these, say "a" is a GUI that in turn calls b and c while running. I don't want users to execute dir/a directly; I want them to use some program to access dir/a. This program, while running, will create temporary files and output files.
>
> If I write a set-uid program to control access to this, then the temporary files that get created will be under the effective user ID.
>
> What I want is that users must execute dir/a through a particular program; they are not allowed to run it directly by setting the path. While running, their effective uid must be equal to the real uid (this is for the temporary files that get created).
>
> Is there any method to achieve this?
> Please help me.
>


In general, yes. Most Unix/Linux versions have the "Saved SetUID"
feature (_POSIX_SAVED_IDS is true). I don't have access to AIX docs,
but this has been around since SysVR4 and BSD4.3+, so I expect it's
there; my Debian Woody box has it. This allows you to drop a
privileged ID, and then to restore it later, if necessary.

man 2 setuid

for the details.


--
Rich Gibbs
rgibbs@his.com
KIRAN MN

2004-05-13, 1:48 am

Eric Sosman <Eric.Sosman@sun.com> wrote in message news:<40A233A5.1060102@sun.com>...
> KIRAN MN wrote:
>
> Could the "launch" program create and open the temporary
> files before switching IDs and exec()ing dir/a? That is,
> can you get dir/a to use already-open file descriptors instead
> of opening new ones for itself?



We don't know in advance what will be the file names of the temporary files.
It keeps changing for each invocation.

regards,
kiran
KIRAN MN

2004-05-13, 2:36 am

Rich Gibbs <rgibbs@REMOVEhis.com> wrote in message news:<40a28abf@news101.his.com>...
> KIRAN MN said the following, on 05/12/04 06:34:
>
> In general, yes. Most Unix/Linux versions have the "Saved SetUID"
> feature (_POSIX_SAVED_IDS is true). I don't have access to AIX docs,
> but this has been around since SysVR4 and BSD4.3+, so I expect it's
> there; my Debian Woody box has it. This allows you to drop a
> privileged ID, and then to restore it later, if necessary.
>
> man 2 setuid
>
> for the details.


Yes, "Saved setUID" exists in AIX, but what is the use? Say my setuid program is "entry" and has the setuid bit set to user admin. The software executables, say dir/a, dir/b and dir/c, have execute permission only for "admin".

On executing the "entry" program a user becomes root and he will be able to execute "dir/a". At this point the user will have ruid the same as the user, but euid as "admin". Now when dir/a creates files they will be in the ownership of "admin". I don't want this.

Where in this can I use the "Saved setUID" feature? If I change euid before invoking dir/a then I will not be able to invoke dir/a.

Please help
regards,
kiran

Rich Gibbs

2004-05-13, 12:52 pm

KIRAN MN said the following, on 05/13/04 02:16:
> Rich Gibbs <rgibbs@REMOVEhis.com> wrote in message news:<40a28abf@news101.his.com>...
>
>
>
> Yes, "Saved setUID" exists in AIX, but what is the use? Say my setuid program is "entry" and has the setuid bit set to user admin. The software executables, say dir/a, dir/b and dir/c, have execute permission only for "admin".
>
> On executing the "entry" program a user becomes root and he will be able to execute "dir/a". At this point the user will have ruid the same as the user, but euid as "admin". Now when dir/a creates files they will be in the ownership of "admin". I don't want this.
>
> Where in this can I use the "Saved setUID" feature? If I change euid before invoking dir/a then I will not be able to invoke dir/a.
>


Well, if the 'entry' program needs to start off as 'admin', and you want
the temporary files to be created using the actual user ID, then you are
going to have to switch the effective user ID at some point. It seems
to me that you have two options:

-- Open the files in the 'entry' program, then change EUID before
invoking 'a' and giving it the open file descriptor(s).

-- Invoke 'a' (or 'b' or 'c'), then change the EUID. Obviously this
means each of the programs must be modified.

I really can't make any sensible suggestion about making the choice,
since I don't know what the applications do.

(Note that if 'entry' is suid 'root' then it could create the files,
then 'chown' them to the user. I do NOT recommend doing this unless
there is no other way: the casual proliferation of things that run as
'root' is a Very Bad Idea.)


--
Rich Gibbs
rgibbs@his.com
Barry Margolin

2004-05-13, 12:52 pm

In article <439b2f2e.0405122216.50414862@posting.google.com>,
kiranmn@my-deja.com (KIRAN MN) wrote:
> Yes, "Saved setUID" exists in AIX, but what is the use? Say my setuid program is "entry" and has the setuid bit set to user admin. The software executables, say dir/a, dir/b and dir/c, have execute permission only for "admin".
>
> On executing the "entry" program a user becomes root and he will be able


He'll become admin, not root.

> to execute "dir/a". At this point the user will have ruid the same as the user, but euid as "admin". Now when dir/a creates files they will be in the ownership of "admin". I don't want this.
>
> Where in this can I use the "Saved setUID" feature? If I change euid before invoking dir/a then I will not be able to invoke dir/a.


dir/a should change back to the original uid after it is invoked.

If you can't modify dir/a to do this then I think you're out of luck.
The only other thought I've had is that maybe you can use setGID instead
of setUID. However, this will result in files being created with the
admin group; this might or might not be a problem for you.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
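
The saved set-user-ID drop/restore that Rich Gibbs points to, and the "change back to the original uid" step Barry Margolin says dir/a would need after it is invoked, sketched as an added example (not code from any poster in the thread). The helper names are hypothetical, and the permanent drop relies on the POSIX rule that `setreuid(ruid, ruid)` also resets the saved set-user-ID; confirm that behaviour on AIX before depending on it.

```c
#define _XOPEN_SOURCE 600   /* expose seteuid() and setreuid() */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper names; priv_uid is the set-uid owner ("admin" in the thread). */
static uid_t priv_uid;

/* Call first in main(): remember the effective UID the set-uid bit gave us. */
void priv_init(void) { priv_uid = geteuid(); }

/* Temporary drop: euid becomes the invoking user, the saved set-user-ID
 * still holds priv_uid, so files created now belong to the real user. */
int priv_drop_temp(void)
{
    if (seteuid(getuid()) != 0) return -1;
    return geteuid() == getuid() ? 0 : -1;
}

/* Regain the privileged euid from the saved set-user-ID. */
int priv_restore(void)
{
    if (seteuid(priv_uid) != 0) return -1;
    return geteuid() == priv_uid ? 0 : -1;
}

/* Permanent drop: setreuid(ruid, ruid) also resets the saved set-user-ID, which
 * setuid(getuid()) from a non-root process does not do under POSIX saved IDs.
 * Afterwards, verify that the old euid cannot be regained. */
int priv_drop_perm(void)
{
    uid_t ruid = getuid();
    if (setreuid(ruid, ruid) != 0) return -1;
    if (getuid() != ruid || geteuid() != ruid) return -1;
    if (priv_uid != ruid && ruid != 0 && seteuid(priv_uid) == 0) return -1;
    return 0;
}

int main(void)
{
    priv_init();
    if (priv_drop_temp() != 0) { perror("drop"); return 1; }
    printf("dropped:  ruid=%ld euid=%ld\n", (long)getuid(), (long)geteuid());
    if (priv_restore() != 0) { perror("restore"); return 1; }
    printf("restored: ruid=%ld euid=%ld\n", (long)getuid(), (long)geteuid());
    if (priv_drop_perm() != 0) { perror("permanent drop"); return 1; }
    printf("final:    ruid=%ld euid=%ld\n", (long)getuid(), (long)geteuid());
    return 0;
}
```

Run without the set-uid bit, all three IDs are already equal and every call succeeds trivially; installed set-uid to another account, the "dropped" and "final" lines show the invoking user's UID as euid.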