The problem with the "myChmod approach" is that any user that is able to execute it will also be able to get root access on the system, by using it on password files. The chmod command is not designed to be setuid: if you give it setuid root permissions, you'll be creating an unlimited master key that can bypass *all* the security in your system.
If at all possible, you should avoid setting up setuid-root programs. Perhaps you could create a group, add the users of your application to that group and then make myDir writable by that group only?
But if you absolutely must have your program change the permissions on a directory it does not own, make a small program "chmodMydir" and make it setuid root.
You should design to be as secure as possible, and to do exactly one thing and nothing else: to change the permissions of the specific directory your application needs.
The chmodMydir program should open() the desired directory for reading, then _while holding the opened file descriptor_, it should use fstat() to verify the real name of the directory and that it really is the directory your application needs, not something nasty like a symbolic link to a critical system directory.
If the directory passes the checks, use the fchmod() function on the file descriptor to change the permissions directly within your program.
(The purpose of holding the file descriptor while making the checks is to protect your chmodMydir from race conditions. A malicious user might make chmodMydir run on a symbolic link, then change where the link is pointing to while chmodMydir is running. Holding the file descriptor ensures both the checks and the fchmod() will be operating on the same object, no matter what happens in between.)
The chmodMydir program should check the return code of all the system calls it makes. If there is an error, it should output a descriptive error message (perhaps using perror() or strerror(errno)), and then exit.
It would be best if the chmodMydir program would not have to accept any input from the user directly: a hardcoded directory name would be safest. Reading the directory name from a configuration file that is writeable only by root might also be acceptable *if* you clearly document that the permissions of that configuration file will be critical for system security. If you need to accept the directory name from the command line or from an environment variable, be *extremely* careful in the checking phase.
You should assume any external data can be tampered with in order to overflow the buffers in your program, so use appropriate functions to limit the amount of data you're reading (e.g. use fgets() or strncpy() to read the directory name to your buffer, then make sure it's in fact null-terminated).
With at least these precautions, it *might* be reasonably safe to give your chownMydir program setuid-root permissions. (I'm sure I've forgotten something important: please don't blindly trust me.)
Google for "writing setuid programs" to find lots of other advice for making a program secure enough for setuid-root use.
MK
MK
