
can a process change its own group id without starting a new shell?

John Kittel
Trusted Contributor

can a process change its own group id without starting a new shell?

I see that the "newgrp" command allows a process to change its group ID, but when it does so it replaces the current shell with a new one.

Is there a way for a process to change its group ID - WITHOUT replacing the current shell?

- John Kittel
11 REPLIES
Rodney Hills
Honored Contributor

Re: can a process change its own group id without starting a new shell?

If you are talking about the current shell, then the answer is "no".

If you want to run a program that does a set GID, you could do the following from a shell-

echo "example"
exec /mybin/myprog

Where "myprog" is a small c-program that does a call to setresgid to set your desired GID. Then you could have "myprog" do a call to execl to launch the program you wish to run.

The drawback to this approach is you can't go back to your original shell since you are not creating a new process, but replacing the current one.

HTH

-- Rod Hills
There be dragons...
hari jayaram_1
Frequent Advisor

Re: can a process change its own group id without starting a new shell?

John,

I have not been able to do that but am curious as to why?

Thanks

Steven E. Protter
Exalted Contributor

Re: can a process change its own group id without starting a new shell?

The current process is already in the process table. Which probably explains the answer.

Nice workaround.

SEP
John Kittel
Trusted Contributor

Re: can a process change its own group id without starting a new shell?

Thank you Rod. I will give that a try and see if it is able to solve my problem. I'm not much of a C programmer though. The man page for setresgid shows in the SYNOPSIS:

int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

but then it doesn't explain what "gid_t" is. What is it? How do I call setresgid properly? (I understand I need to supply, for example, a value in egid to be the new effective gid.)

In answer to why I want to do this... we have some vendor software that isn't paying attention to the user's secondary group memberships, and it is making it near impossible to use groups to help set up a secure system. The vendor software however does have hooks to allow calling "CLI" commands, so if I can call this C program to change the current process GID I think it will help.

- John
hari jayaram_1
Frequent Advisor

Re: can a process change its own group id without starting a new shell?

John,

Rodney's solution is a good workaround, and if I run into a problem like you have, I will try it. Please keep us posted with the result.
John Kittel
Trusted Contributor

Re: can a process change its own group id without starting a new shell?

ok, I think I understand gid_t ...

It's the type of the variable/argument rgid, etc.

I think I can code the program now...

- John
Rodney Hills
Honored Contributor
Solution

Re: can a process change its own group id without starting a new shell?

Here is a small program I use to launch our database system. I alter the effective GID so that the database application will have write access to the database files.

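    /* Be sure to set -DGID=nnn where nnn is desired GID.
       ARG1 and ARG2 are not defined in this listing; define them the same way. */
    #define UVNAME "UV"
    #define PATH "/usr/igi/flodata/%s"
    #define CMD "/u1/uv/bin/uv"
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    int x;
    int main(int argc, char *argv[])
    {
        char cdentry[40];
        /* argv[0] passed to CMD; was left uninitialised when argv[1] is "." */
        char uvname[40] = UVNAME;

        if (argc < 2) {
            fprintf(stderr, "usage: %s directory\n", argv[0]);
            exit(2);
        }
        /* This call sets the real GID; -1 leaves the effective and saved GID
           unchanged. Stop on failure instead of launching with the wrong group. */
        if (setresgid(GID, -1, -1) != 0) {
            perror("setresgid");
            exit(1);
        }
        if (strcmp(argv[1], ".")) {
            /* argv[1] is user input and both buffers are 40 bytes, so format
               with snprintf and reject anything that does not fit. */
            x = snprintf(cdentry, sizeof cdentry, PATH, argv[1]);
            if (x < 0 || x >= (int)sizeof cdentry) {
                fprintf(stderr, "%s is too long\n", argv[1]);
                exit(2);
            }
            /* Shorter than cdentry for the same argv[1], so it cannot truncate. */
            snprintf(uvname, sizeof uvname, "%s '* %s'", UVNAME, argv[1]);
            x = chdir(cdentry);
            if (x != 0) {
                fprintf(stderr, "%s not a valid directory\n", argv[1]);
                exit(2);
            }
        }
        /* execl only returns on failure */
        x = execl(CMD, uvname, ARG1, ARG2, (char *)NULL);
        perror("Error from execl");
        return 1;
    }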


HTH

-- Rod Hills
There be dragons...
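
Added example, not part of the thread and not Rodney's code: a wrapper that hands out a group has to decide who may take it. This one allows the switch only when the target is the caller's primary group or lists the caller as a member, then sets and verifies the GIDs; is_member and switch_group are hypothetical helper names.

```c
/* Added example; is_member() and switch_group() are hypothetical names. */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* gid_t: integer type that holds a group ID */
#include <unistd.h>
/* Prototype from the man page synopsis quoted in the thread, repeated because
   some C libraries only declare it when a feature-test macro is set. */
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

/* 1 if `user` may use group `gr`: it is the user's primary group or the
   user is listed as a member (a secondary group), else 0. */
int is_member(const struct group *gr, const char *user, gid_t primary)
{
    char **m;
    if (gr->gr_gid == primary)
        return 1;
    for (m = gr->gr_mem; m != NULL && *m != NULL; m++)
        if (strcmp(*m, user) == 0)
            return 1;
    return 0;
}

/* Returns 0 on success, -2 if the user is not a member (nothing is changed),
   -1 if setresgid() failed or the IDs did not end up as requested. */
int switch_group(const struct group *gr, const char *user, gid_t primary)
{
    gid_t g = gr->gr_gid;
    if (!is_member(gr, user, primary))
        return -2;
    if (setresgid(g, g, g) != 0)      /* real, effective and saved together */
        return -1;
    return (getgid() == g && getegid() == g) ? 0 : -1;
}

int main(int argc, char *argv[])
{
    struct passwd *pw = getpwuid(getuid());   /* real user, not an env var */
    struct group *gr = argc > 1 ? getgrnam(argv[1]) : NULL;
    int rc;
    if (pw == NULL || gr == NULL) {
        fprintf(stderr, "usage: %s groupname\n", argv[0]);
        return 2;
    }
    rc = switch_group(gr, pw->pw_name, pw->pw_gid);
    printf("switch to %s: %s\n", gr->gr_name, rc == 0 ? "ok" : "refused");
    return rc == 0 ? 0 : 1;
}
```

For an unprivileged process setresgid() only accepts a GID it already holds as real, effective or saved, so switching to a secondary group works only when the wrapper itself runs with privilege.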
A. Clay Stephenson
Acclaimed Contributor

Re: can a process change its own group id without starting a new shell?

You may not need to alter any code at all. If you link /etc/group and /etc/logingroup then secondary groups will automatically be added to the user's default access list so that no setgid() or newgrp is necessary.
If it ain't broke, I can fix that.
Rodney Hills
Honored Contributor

Re: can a process change its own group id without starting a new shell?

Clay,

The benefit of using my program is I control when the files are available to the user. If the user should login on as a regular unix shell, they won't have write access to the database files. I don't want users trying to "vi" one of the database files.

Only the database application is allowed to write to the database files. Thus going through my c-program they have to run the database application to gain access to the files.

-- Rod Hills
There be dragons...
John Kittel
Trusted Contributor

Re: can a process change its own group id without starting a new shell?

I'm not done testing Rod's solution yet, so I'm not 100% sure I'm going to be able to use it to solve my problem, but I think it will, and he completely answered the question as posed, so he gets the bunny.

Thanks a bunch Rod.

Also, thanks for your answer Clay. I had already looked into /etc/logingroup and tried that. It didn't seem to help. The vendor software still appeared to only use the primary group. I made a hard link of /etc/logingroup to /etc/group. And made sure the test user re-logged in. The process running the application is still unable to use secondary group permissions to access files. Of course it could still be a mistake on my part in setting up the test properly, but I tried everything I could think of.

- John


Rory R Hammond
Trusted Contributor

Re: can a process change its own group id without starting a new shell?


If the problem is, you have a program that you want a user to run in a special group.

You can setuid group of the program and the user will then be running the program in the group
Example
-r-xr-xr-x 1 transfer special 2973 Apr 28 2003 program

chmod 2555 program

-r-xr-sr-x 1 transfer special 2973 Apr 28 2003 program

Rory


This won't work for shells but you can create a C program that calls the shell.
There are a 100 ways to do things and 97 of them are right