Re: suid script help

 
Belinda Dermody
Super Advisor

suid script help

I know suid scripts are a security risk. I have a HPUX 11i system, and my problem is I need to let the users know that their password is about to expire. I have about 200 users and the 7 day warning is either ignored or they just do not see it. The system goes into a Database Menu system and the users do not get to the Unix prompt (95% of them couldn't spell unix), and when they exit the database I log them off the system. My problem is I am using the /usr/lbin/getprpw and if the result is less than 7 days to display a BIGGER Message that they need to contact the HELP DESK to change their password.
I did a 4755 on the script and it starts with a #!/usr/bin/sh, but when I test it under my userid it comes back:
Not Superuser
Mel Burslan
Honored Contributor

Re: suid script help

So, how do you get the number of days left on the password lifetime using the /usr/lbin/getprpw command, and what does your script return? An error code? If so, what is the error code (aka exit status)? If no errors, what do you expect to see that you cannot see?
________________________________
UNIX because I majored in cryptology...
Belinda Dermody
Super Advisor

Re: suid script help

/usr/lbin/getprpw -m exptm
will return
exptm=89 # That is the number of days till expiration.

The script runs fine as root, but when I run it as a user it comes back
Not Superuser on the next line instead of the exptm=89
Gary L. Paveza, Jr.
Trusted Contributor

Re: suid script help

My understanding is that a script cannot be SETUID (it can be set, but it's ignored). Instead, a program can be setuid that a non-root script can execute. We had a requirement that certain users be able to chown/chmod files that they did not own - so we wrote a c program to do it, then setuid it, and called it from a script. Works like a charm.
Belinda Dermody
Super Advisor

Re: suid script help

Thanks Gary, but boo hoo, that is not what I was looking for. I can write pretty good scripts in shell and a little perl and with advice from you guys, but C programming is out of my realm and I am too old to learn. I do not want to use sudo because that means they will be putting in their passwd twice within a few seconds and most of the time for no reason for the sudo command.
Jean-Luc Oudart
Honored Contributor
Solution

Re: suid script help

Hi

I would use "C" programming with a little help :
#####################################
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SCRIPT "/usr/local/bin/security/yourscript.sh "

int main(int argc, char **argv)
{
    int i;
    char comm[200];
    comm[0] = '\0';                    /* start from an empty command line */
    (void)strcat(comm,SCRIPT);
    /* printf("command : %s\n",comm); */
    /* printf("arg count : %d\n",argc); */
    for(i=1; i < argc ; i++) {         /* append every caller argument verbatim */
        (void)strcat(comm,argv[i]);
        (void)strcat(comm," ");
    }
    /* printf("command : %s\n",comm); */
    system(comm);                      /* run the assembled line through the shell */
    return 0;
}
######################################
compile this program (as root)
cc pgm.c -o pgm
mv pgm /usr/local/bin/security/.
(adapt for your directory)
The script is owned by root
with 0700 permission.
the program "pgm" will call the script with relevant parameter.
Please note full path for the script !

the pgm will be owned by root with 4555 permission.

test the script 1st (as root)
Wrap it

Regards
Jean-Luc
fiat lux
Robert Fritz
Regular Advisor

Re: suid script help

One problem with the proposed c-program... it gives everyone on the system root priv. (on most systems this is not the intent)

Here is the demonstration (my 0700 script just echoes "hi"):

I compiled the program:
# cc pgm.c -o pgm
# su fritzr
$ id
uid=13553(fritzr) gid=778(security)
$ ./rootgift ';id'
hi
uid=13553(fritzr) gid=778(security) euid=0(root)

Substitute "id" with "rm -rf *" and an arbitrary user has just wiped your system.

There are two problems with the program: #1, unchecked buffer, #2 (the easier exploit), unchecked execution of arbitrary user arguments at elevated privilege.

I'd suggest the following instead:

#####################################
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    setreuid(0,0);    /* real and effective uid both become root before the privileged command */
    system("/usr/lbin/getprpw -m exptm `id -nu`");    /* fixed command line, argv is never used */
    return 0;
}
######################################
compile this program (as root)
cc daysleft.c -o daysleft
mv daysleft
Then make a script
with 0555 permission that runs pgm and parses the output.

daysleft will be owned by root with 4555 permission.

The reasons this *doesn't* create a security hole:
1) There is no unchecked buffer to overflow, and
2) there is no untrusted input run by a privileged program
"Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin
A. Daniel King_1
Super Advisor

Re: suid script help

There is always a risk with SUID:

PATH=/tmp:$PATH ;
echo ksh > /tmp/id ;
chmod 700 /tmp/id ;
./daysleft

Instant root shell.
Command-Line Junkie
Robert Fritz
Regular Advisor

Re: suid script help

Fair enough... I failed to specify the full path... guess I was typing too fast. Substitute /usr/bin/id for id to close the hole.
"Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin
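Putting the replies above together (no caller input reaches the privileged command, absolute path instead of a PATH lookup, caller identified from the real uid rather than from `id`), here is a wrapper written along those lines. It is an added example, not code from the thread; it assumes only the /usr/lbin/getprpw usage shown above (-m exptm followed by a login name), and the validation rule and environment are constructed here.

```c
/* Added example, not from the thread: a setuid wrapper with no untrusted
 * input reaching the privileged command and no PATH lookup. Assumes only
 * the /usr/lbin/getprpw usage shown in the thread; the rest is constructed. */
#include <ctype.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define GETPRPW "/usr/lbin/getprpw"   /* absolute path, never a PATH lookup */

/* Defence in depth: even a name read from the passwd database is checked,
 * so it can never be taken for an option or a second command. */
int valid_login(const char *name)
{
    size_t i, n = strlen(name);
    if (n == 0 || n > 32 || name[0] == '-') return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.') return 0;
    }
    return 1;
}

/* Fixed argument vector: program, "-m exptm", login, NULL. Nothing the
 * caller typed on the command line is ever copied in. Returns argc or -1. */
int build_argv(const char *login, const char *argv[5])
{
    if (!valid_login(login)) return -1;
    argv[0] = GETPRPW;
    argv[1] = "-m";
    argv[2] = "exptm";
    argv[3] = login;
    argv[4] = NULL;
    return 4;
}

int main(void)
{
    const char *argv[5];
    static char *const envp[] = { "PATH=/usr/bin", NULL }; /* clean environment */
    struct passwd *pw = getpwuid(getuid());  /* the caller, before any uid change */

    if (pw == NULL || build_argv(pw->pw_name, argv) < 0) return 1;
    if (setreuid(0, 0) != 0) return 1;  /* getprpw wants uid 0, as the thread shows */
    execve(GETPRPW, (char *const *)argv, envp);
    return 1;  /* only reached if execve failed */
}
```

Install it root-owned with mode 4555 like daysleft, and keep the script that parses its output unprivileged (0555); the wrapper never runs anything the caller can influence.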
A. Daniel King_1
Super Advisor

Re: suid script help

You'll still need some date math. exptm lists only the password expiration period. I like GNU date (gdate) to do this in shell scripts, but there are scripts which will do similar things. The following uses gdate, and does not use getprpw ...

#!/usr/bin/ksh

PATH=/usr/bin:/usr/local/bin    # fixed PATH so grep, sed and gdate are the real ones

# Trusted-system entries live under /tcb/files/auth/<first letter of login>/<login>.
# u_exp is the expiration period and u_succhg the last successful change (both in seconds).
exptime=$(grep u_exp /tcb/files/auth/$(echo $LOGNAME | sed "s/^\(.\).*$/\1/")/$LOGNAME | sed "s/.*u_exp#\([^:]*\).*$/\1/")
chgtime=$(grep u_succhg /tcb/files/auth/$(echo $LOGNAME | sed "s/^\(.\).*$/\1/")/$LOGNAME | sed "s/.*u_succhg#\([^:]*\).*$/\1/")

# expiry date = epoch + last change + expiration period, all as YYYYMMDD for comparison
expires_on=$(gdate -d "January 1, 1970 $chgtime seconds $exptime seconds" +%Y%m%d)
expires_less_seven_days=$(gdate -d "$expires_on 7 days ago" +%Y%m%d)
today=$(gdate +%Y%m%d)

echo Expires $expires_on, less seven days $expires_less_seven_days v $today $((expires_on-$today)) ...

if [ $today -ge $expires_less_seven_days ]
then
    echo "Your password is expiring soon!"
    exit 1
else
    echo "No password change coming this week."
fi

exit 0
Command-Line Junkie