On Sun, 29 Nov 2009, Clifton Royston wrote:

On Sun, Nov 29, 2009 at 01:19:02PM +0300, Anthony Pankov wrote:

Thank you for your reply.

So, seteuid/gid isn't enough to gain group access as for the real uid.
But how can I achieve this? What functions should I call from
'theprog' to gain access for the groups the euid user belongs to?

Maybe I am solving the problem in the wrong way?

The full problem is:

There is a file owned by group filegroup:
 rw-rw----   someone:filegroup    thefile

There is a program's data owned by group proggroup:

 rw-rw----   someone2:proggroup    progdata

I need a program (theprog) that can access 'thefile' and
'progdata' simultaneously. The program can be executed by anyone.

This is a clearer statement of the problem, in terms of what you're
trying to accomplish.

If you can make the program data owned by a special program user, and
require the users of the program to make their files group-accessible
by this special filegroup, then you can do it fairly simply, like this:

Make each user's "thefile" be owned by group filegroup, for example:
 rw-rw----   someone:filegroup    ~someone/thefile
 rw-rw----   someone2:filegroup   ~someone2/thefile
 rw-rw----   someone3:filegroup   ~someone3/thefile
 ...

Make the program's data file owned by *user* proguser:
 rw-rw----   proguser:proggroup    progdata

Now you can make the program setuid proguser/setgid filegroup:
 r-sr-sr-x   proguser:filegroup    theprog

This lets it be executed by any user and access its own data (via the
suid) and the files the users have put into filegroup (via the sgid).

If you can't make progdata owned by proguser, or if more groups are needed, you might be able to abuse newgrp(1), which will let you run a program with your real and effective gids set to any specified group of which your real uid is a member. This would require, though, that you break the code that requires access to those files into separate programs. (Though maybe they are as simple as cat'ing a file into a pipe or something.)

Example:

#include <stdio.h>
#include <unistd.h>

setuid(proguser_uid);   /* numeric uid of proguser, e.g. looked up with getpwnam(3) */
FILE *data = popen("echo \"cat progdata\" | newgrp proggroup", "r");
/* read the program's data from the pipe, then pclose(data) */

etc.

If your program needs to do something really elaborate with the files that can't be factored out into a separate program, you could use newgrp to run a program that opens the file and passes its fd over a unix socket. But then it's really becoming a hack. :)

Caution: I haven't tested any of this.

--

Nate Eldredge
n...@thatsmathematics.com
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
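An added example, not code from anyone in the thread: a small model of the classic Unix owner/group/other permission check, applied to the two file layouts discussed above. It makes concrete why seteuid()/setegid() alone did not help (only the effective uid, effective gid and supplementary group list are consulted, never the groups a user "belongs to" in /etc/group) and why Clifton's setuid proguser / setgid filegroup layout reaches both files. The numeric uids and gids are constructed for illustration.

```c
/* Added example, not from the thread: a model of the classic Unix
 * permission check. Access depends only on the effective uid, effective
 * gid and supplementary groups of the process; a user's memberships in
 * /etc/group are never consulted by the kernel at access time. */
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>
#include <unistd.h>

struct creds { uid_t euid; gid_t egid; const gid_t *groups; size_t ngroups; };

/* want: R_OK/W_OK bits as in access(2). Returns true if all are granted. */
bool may_access(mode_t mode, uid_t st_uid, gid_t st_gid,
                const struct creds *c, unsigned want)
{
    unsigned granted;
    if (c->euid == st_uid) {
        granted = (mode >> 6) & 7;                  /* owner bits */
    } else {
        bool in_group = (c->egid == st_gid);
        for (size_t i = 0; !in_group && i < c->ngroups; i++)
            in_group = (c->groups[i] == st_gid);    /* supplementary groups */
        granted = in_group ? (mode >> 3) & 7 : mode & 7;
    }
    return (granted & want) == want;
}

/* Constructed ids for the thread's scenario (assumed values, not real ones). */
enum { SOMEONE = 1001, SOMEONE2 = 1002, PROGUSER = 2000,
       FILEGROUP = 3001, PROGGROUP = 3002 };

/* Original layout: thefile is someone:filegroup, progdata is
 * someone2:proggroup, both 0660. With a single egid and no
 * supplementary groups, no choice of egid reaches both files. */
bool original_layout_reaches_both(gid_t egid)
{
    struct creds c = { PROGUSER, egid, NULL, 0 };
    return may_access(0660, SOMEONE, FILEGROUP, &c, R_OK | W_OK)
        && may_access(0660, SOMEONE2, PROGGROUP, &c, R_OK | W_OK);
}

/* Clifton's layout: progdata owned by *user* proguser and theprog
 * setuid proguser / setgid filegroup: the owner bits cover progdata
 * and the group bits cover thefile. */
bool clifton_layout_reaches_both(void)
{
    struct creds c = { PROGUSER, FILEGROUP, NULL, 0 };
    return may_access(0660, SOMEONE, FILEGROUP, &c, R_OK | W_OK)
        && may_access(0660, PROGUSER, PROGGROUP, &c, R_OK | W_OK);
}
```

Passing a supplementary group list to may_access() shows the other half of the story: a process that carries proggroup as a supplementary group (as the newgrp(1) approach arranges for its child) does reach progdata without changing its egid.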