From: Nate Eldredge <nate@thatsmathematics.com>
Date: Sun, 29 Nov 2009 13:54:55 -0800 (PST)
To: Clifton Royston
Cc: freebsd-hackers@freebsd.org, Anthony Pankov
Subject: Re: ucred when euid/egid
In-Reply-To: <20091129201340.GA7066@lava.net>
List-Id: Technical Discussions relating to FreeBSD <freebsd-hackers@freebsd.org>

On Sun, 29 Nov 2009, Clifton Royston wrote:

> On Sun, Nov 29, 2009 at 01:19:02PM +0300, Anthony Pankov wrote:
>>
>> Thank you for the reply.
>>
>> So, seteuid/gid isn't enough to gain group access as for the real uid.
>> But how can I achieve this? What functions should I call from
>> 'theprog' to gain access for the groups the euid user belongs to?
>>
>> Maybe I solve the problem in the wrong way?
>>
>> The full problem is:
>>
>> There is a file owned by group filegroup:
>> rw-rw---- someone:filegroup thefile
>>
>> There is a program's data owned by group proggroup:
>>
>> rw-rw---- someone2:proggroup progdata
>>
>> I need a program (theprog) that can access 'thefile' and
>> 'progdata' simultaneously. The program can be executed by anyone.
>
> This is a clearer statement of the problem, in terms of what you're
> trying to accomplish.
>
> If you can make the program data owned by a special program user, and
> require the users of the program to make their files group-accessible
> by this special filegroup, then you can do it fairly simply, like this:
>
> Make each user's "thefile" be owned by group filegroup, for example:
> rw-rw---- someone:filegroup ~someone/thefile
> rw-rw---- someone2:filegroup ~someone2/thefile
> rw-rw---- someone3:filegroup ~someone3/thefile
> ...
>
> Make the program's data file owned by *user* proguser:
> rw-rw---- proguser:proggroup progdata
>
> Now you can make the program setuid proguser/setgid filegroup:
> r-sr-sr-x proguser:filegroup theprog
>
> This lets it be executed by any user and access its own data (via the
> suid) and the files the users have put into filegroup (via the sgid).

If you can't make progdata owned by proguser, or if more groups are needed,
you might be able to abuse newgrp(1), which will let you run a program with
your real and effective gids set to any specified group of which your real
uid is a member. This would require, though, that you break the code that
requires access to those files into separate programs. (Though maybe they
are as simple as cat'ing a file into a pipe or something.)

Example:

    setuid(proguser);
    FILE *data = popen("echo \"cat progdata\" | newgrp proggroup", "r");
    /* read data */

etc.
If your program needs to do something really elaborate with the files that
can't be factored out into a separate program, you could use newgrp to run
a program that opens the file and passes its fd over a unix socket. But
then it's really becoming a hack. :)

Caution: I haven't tested any of this.

-- 
Nate Eldredge
nate@thatsmathematics.com
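The thread's underlying point is that file access is decided from the process credential (the effective uid, the effective gid and the supplementary group list installed at login), not from the real uid, so seteuid()/setegid() alone swaps exactly one uid and one gid in that credential and never grants two groups at once. The following is an added illustration written for this page, not code from the thread or from FreeBSD: a simplified user-space model of a kernel-style owner/group/other permission check over a constructed credential, used to replay the three situations discussed above (setegid alone, Clifton's setuid proguser + setgid filegroup layout, and a supplementary group added newgrp/setgroups-style). All uids, gids, file names and the helper names (model_access, model_seteuid, model_setegid, model_addgroup) are constructed for the example; the root shortcut and ACLs are deliberately omitted.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed, simplified model of a process credential: effective uid plus
 * the group list where slot 0 is the effective gid and the rest are the
 * supplementary groups. The real uid is intentionally absent because the
 * permission check never consults it. */
#define NGROUPS_MODEL 16
struct model_ucred {
    uid_t cr_uid;
    gid_t cr_groups[NGROUPS_MODEL];
    int   cr_ngroups;
};

/* Constructed model of a file's owner, group and permission bits. */
struct model_file {
    uid_t  uid;
    gid_t  gid;
    mode_t mode;
};

/* True if gid is the effective gid or one of the supplementary groups. */
static int groupmember(gid_t gid, const struct model_ucred *cred) {
    for (int i = 0; i < cred->cr_ngroups; i++)
        if (cred->cr_groups[i] == gid) return 1;
    return 0;
}

/* Owner/group/other check. want is an rwx triad (4=r, 2=w, 1=x).
 * Returns 0 when granted, EACCES otherwise. */
static int model_access(const struct model_ucred *cred,
                        const struct model_file *f, int want) {
    int granted;
    if (cred->cr_uid == f->uid)
        granted = (f->mode >> 6) & 7;          /* owner triad */
    else if (groupmember(f->gid, cred))
        granted = (f->mode >> 3) & 7;          /* group triad */
    else
        granted = f->mode & 7;                 /* other triad */
    return (granted & want) == want ? 0 : EACCES;
}

/* Constructed ids and files mirroring the layouts discussed in the thread. */
enum { SOMEONE = 1001, SOMEONE2 = 1002, ANYUSER = 1003, PROGUSER = 1500,
       FILEGROUP = 2001, PROGGROUP = 2002 };
static const struct model_file thefile       = { SOMEONE,  FILEGROUP, 0660 };
static const struct model_file progdata_orig = { SOMEONE2, PROGGROUP, 0660 }; /* OP's layout */
static const struct model_file progdata      = { PROGUSER, PROGGROUP, 0660 }; /* Clifton's layout */

/* An arbitrary invoking user whose only group is its own primary group. */
static struct model_ucred invoker_cred(void) {
    struct model_ucred c = { .cr_uid = ANYUSER, .cr_ngroups = 1 };
    c.cr_groups[0] = ANYUSER;
    return c;
}

/* seteuid()/setegid() in this model replace one slot each; the supplementary
 * list is untouched, which is exactly why a single setegid() cannot yield
 * access to two different groups. */
static void model_seteuid(struct model_ucred *c, uid_t uid) { c->cr_uid = uid; }
static void model_setegid(struct model_ucred *c, gid_t gid) { c->cr_groups[0] = gid; }

/* Adding a supplementary group, as initgroups()/setgroups(2) would. */
static int model_addgroup(struct model_ucred *c, gid_t gid) {
    if (c->cr_ngroups >= NGROUPS_MODEL) return -1;
    c->cr_groups[c->cr_ngroups++] = gid;
    return 0;
}

/* 1 if the credential can read and write both files at the same time. */
static int can_rw_both(const struct model_ucred *c,
                       const struct model_file *a, const struct model_file *b) {
    return model_access(c, a, 6) == 0 && model_access(c, b, 6) == 0;
}

int main(void) {
    struct model_ucred a = invoker_cred();
    model_setegid(&a, FILEGROUP);
    printf("setegid(filegroup) only:            both files rw? %d\n",
           can_rw_both(&a, &thefile, &progdata_orig));

    struct model_ucred b = invoker_cred();
    model_seteuid(&b, PROGUSER);
    model_setegid(&b, FILEGROUP);
    printf("setuid proguser + setgid filegroup: both files rw? %d\n",
           can_rw_both(&b, &thefile, &progdata));

    struct model_ucred c = invoker_cred();
    model_setegid(&c, FILEGROUP);
    model_addgroup(&c, PROGGROUP);
    printf("filegroup + supplementary proggroup: both files rw? %d\n",
           can_rw_both(&c, &thefile, &progdata_orig));
    return 0;
}
```

The second case succeeds only because Clifton's layout makes progdata owned by the program user, so the owner triad covers it and the single effective gid is free for filegroup; the third case shows that the original layout needs a second group in the credential, which is what the newgrp detour or a setgroups()-based design supplies.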