cancel
Showing results for 
Search instead for 
Did you mean: 

suid script help

 
SOLVED
Go to solution
Belinda Dermody
Super Advisor

suid script help

I know suid scripts is a security risk, I have a HPUX 11i system, my problem is I need to let the users know that there password is about to expire. I have about 200 users and the 7 day warning is either ignore or they just do not see it. The system goes into a Database Menu system and the users do not get to the Unix prompt (95% of them couldn't spell unix) and when they exit the database I log them off the system. My problem is I am using the /usr/lbin/getprpw and if the results is less than 7 days to display BIGGER Message that they need to contact the HELP DESK to change there password.
I did a 4755 on the script and it starts with a #!/usr/bin/sh but when I test it under my userid it comes back.
Not Superuser
12 REPLIES 12
Mel Burslan
Honored Contributor

Re: suid script help

So, how do you get the number of days left on the password lifetime using the /usr/lbin/getprpw command and what does your script return ? An error code ? if so, what is the error code (aka exit status) ? If no errors, what do you expoect to see that you can not see ?
________________________________
UNIX because I majored in cryptology...
Belinda Dermody
Super Advisor

Re: suid script help

/usr/lbin/getprpw -m exptm
will return
exptm=89 # That is the number of days till expiration.

The script runs fine as root, but when I run it as a user it comes back
Not Superuser on the next line instead of the exptm=89
Gary L. Paveza, Jr.
Trusted Contributor

Re: suid script help

My understanding is that a script cannot be SETUID (it can be set, but it's ignored). Instead, a program can be setuid that a non-root script can execute. We had a requirement that certain users be able to chown/chmod files that they did not own - so we wrote a c program to do it, then setuid it, and called it from a script. Works like a charm.
Belinda Dermody
Super Advisor

Re: suid script help

Thanks Gary, but boo hoo, that is not what I was looking for, I can write pretty good scripts in shell and a little perl and with advice from you guys, but C programming is out of my realm and I am too old to learn. I do not want to use sudo because that means they will be putting in there passwd twice within a few seconds and most of the time for no reason for the sudo command.
Jean-Luc Oudart
Honored Contributor
Solution

Re: suid script help

Hi

I would use "C" programming with a little help :
#####################################
#include
#include

#define SCRIPT "/usr/local/bin/security/yourscript.sh "

main (argc,argv)
char **argv;
int argc;
{
int i;
char comm[200];
(void)strcat(comm,SCRIPT);
/* printf("commande : %s\n",comm); */
/* printf("nb arg : %d\n",argc); */
for(i=1; i < argc ; i++) {
(void)strcat(comm,argv[i]);
(void)strcat(comm," ");
}
/* printf("commande : %s\n",comm); */
system(comm);
}
######################################
compile this program (as root)
cc pgm.c -o pgm
mv pgm /usr/local/bin/security/.
(adapt for your directory)
The script is owned by root
with 0700 permission.
the program "pgm" will call the script with relevant parameter.
Please note full path for the script !

the pgm will be owned by root with 4555 permission.

test the script 1st (as root)
Wrapp it

Regards
Jean-Luc
fiat lux
Robert Fritz
Regular Advisor

Re: suid script help

One problem with the proposed c-program... it gives everyone on the system root priv. (on most systems this is not the intent)

Here is the demonstration(my 0700 script just echos "hi"):

I compiled the program:
# cc pgm.c -o pgm
# su fritzr
$ id
uid=13553(fritzr) gid=778(security)
$ ./rootgift ';id'
hi
uid=13553(fritzr) gid=778(security) euid=0(root)

Substitute "id" with "rm -rf *" and an arbitrary user has just wiped your system.

There are two problems with the program: #1, unchecked buffer, #2 (the easier exploit), unchecked execution of arbitrary user arguments at elevated privilege.

I'd suggest the following instead:

#####################################

main ()
{
setreuid(0,0);
system("/usr/lbin/getprpw -m exptm `id -nu`");
}
######################################
compile this program (as root)
cc daysleft.c -o daysleft
mv daysleft
Then make a script
with 0555 permission that runs pgm and parses the output.

daysleft will be owned by root with 4555 permission.

The reasons this *doesn't* create a security hole:
1) There is no unchecked buffer to overflow, and
2) there is no untrusted input run by a privileged program
Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin
Highlighted
A. Daniel King_1
Super Advisor

Re: suid script help

There is always a risk with SUID:

PATH=/tmp:$PATH ;
echo ksh > /tmp/id ;
chmod 700 /tmp/id ;
./daysleft

Instant root shell.
Command-Line Junkie
Robert Fritz
Regular Advisor

Re: suid script help

Fair enough... I failed to specify the full path... guess I was typing too fast. Substitute /usr/bin/id for id to close the hole.
Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin
A. Daniel King_1
Super Advisor

Re: suid script help

You'll still need some date math. exptm lists only the password expiration period. I like GNU date (gdate) to do this in shell scripts, but there are scripts which will do similar things. The following uses gdate, and does not use getprpw ...

#!/usr/bin/ksh

PATH=/usr/bin:/usr/local/bin

exptime=$(grep u_exp /tcb/files/auth/$(echo $LOGNAME | sed "s/^\(.\).*$/\1/")/$LOGNAME | sed "s/.*u_exp#\([^:]*\).*$/\1/")
chgtime=$(grep u_succhg /tcb/files/auth/$(echo $LOGNAME | sed "s/^\(.\).*$/\1/")/$LOGNAME | sed "s/.*u_succhg#\([^:]*\).*$/\1/")

expires_on=$(gdate -d "January 1, 1970 $chgtime seconds $exptime seconds" +%Y%m%d)
expires_less_seven_days=$(gdate -d "$expires_on 7 days ago" +%Y%m%d)
today=$(gdate +%Y%m%d)

echo Expires $expires_on, less seven days $expires_less_seven_days v $today $((expires_on-$today)) ...

if [ $today -ge $expires_less_seven_days ]
then
echo "Your password is expiring soon!"
exit 1
else
echo "No password change coming this week."
fi

exit 0
Command-Line Junkie