Re: mknod: must be super-user

Nikee Reddy · ‎12-21-2002

Hello,

When I tried to execute the mknod command (under my id), the system is responding with the following message:
mknod: must be super-user

I would like to assign the mknod command execution permissions to one of the user.

Could you please tell me how to assign this access?

I really appreciate your quick response.

Thanks,
Nikee

Rajeev Shukla · ‎12-21-2002

Hi Nikee,
The easiest would be to write a C program, do setuid to root and then run the mknod command. Assign a sticky bit to this executable file and there u go.

Rajeev

Nikee Reddy · ‎12-22-2002

Hello Rajeev,

Could you please provide me the step by step command details on this.

Thank you,
Nikee

Rajeev Shukla · ‎12-22-2002

Hi Nikee,
Copy this program as "mymknod.c" and compile it. after compilation give executable permissions 4755.
Means add sticky bit and the file should be owned by root:sys it should look like
-rwsr-xr-x 1 root sys

Here is the source
#include
#include
#include
#include
int uid;
main(argc, argv)
int argc;
char *argv[];
{
char *command=(char *)malloc(2048);
setuid(0);
strcpy(command,"/usr/sbin/mknod ");
strcat(command,argv[1]);
strcat(command," ");
strcat(command,argv[2]);
strcat(command," ");
strcat(command,argv[3]);
strcat(command," ");
strcat(command,argv[4]);
if ( system(command) !=0 ) {
printf("1:The mknod command failed\n");
exit(1);
}
}
let me know how it goes, as i made this program specially for you.

Rajeev

Nikee Reddy · ‎12-22-2002

Hello Rajeev,

Thanks for the effot. when I tried to run the mymknod.c, the system is responding with the following error message:

mymknod.c[5]: int: not found.
mymknod.c[6]: Syntax error at line 6 : `(' is not expected.

Thanks,
Nikee

Patrick Wallek · ‎12-22-2002

Did you compile it before you tried to run it?

Nikee Reddy · ‎12-22-2002

Hi,

I compile the code using the following command:

root@pluto:/root# cc mymknod.c

If this is not the write way to compile the code, please let me know...

Thank You,
Nikee

Michael Tully · ‎12-22-2002

You could install 'sudo' to do this. get your System Administrator to assist you. You can get it from here, ready for installation.

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.6/

Anyone for a Mutiny ?

Nikee Reddy · ‎12-22-2002

Hello Michael,

The sudo is already installed on my system. And I have also assigned my user id in the file name: /etc/sudoers
reddys ALL=/usr/sbin/mknod

(where reddys is the user id)

Please let me know what should I do now.

Thanks,
Nikee

Rajeev Shukla · ‎12-22-2002

I got you. You are trying to execute the file as it is. It is a C program which you need to compile. Just do the following.
1. cc -o mymknod mymknod.c (this will compile and make a file called mymynod)
2.make the file permission as -rwsr-xr-x 1 root sys
by doing chmod 4755 mymknod
and then run mymknod
it should work.

Thanks
Rajeev

Nikee Reddy · ‎12-22-2002

Hello Rajeev,

I have compiled and assigned the permissions successfully according to your specification.

Basically the user wants to execute the mknod name p command:

pluto:oradv2 /root/mymknod oraout p

mknod: arg count
usage: mknod name b|c major minor
mknod name p
1:The mknod command failed

I am receiving the above error when I ran the command.
What am I doing wrong here?

Thank You,
Nikee

Michael Tully · ‎12-22-2002

Here is the sudo syntax. Make sure that you use the 'visudo' program to make cny changes.

Try setting up your /etc/sudoers file like this:

User_Alias MKNOD = reddys

Cmnd_Alias MKNODEX = /usr/sbin/mknod

MKNOD ALL=MKNODEX

Anyone for a Mutiny ?

Bill Hassell · ‎12-22-2002

No need to do any of this. HP-UX has a command available to any user: mkfifo

The man page shows:

mkfifo filename

is what you need. There are a couple of options but mkfifo is a section 1 command (that means anyone can use the command) whereas mknod is a section 1m command (reserved only for root). Rather than use set-UID or sudo, just use mkfifo. See also mkfifo(3c). A section number (ie, 1 or 1m or 3c, etc) refers to the Unix 'Brick' or documentation book. mknod has an entry in section 2 (a system call), section 1m (root command) and section 5 (header information). To see a particular man page, insert the section number as in: man 5 mknod

Bill Hassell, sysadmin

Rajeev Shukla · ‎12-22-2002

Just a few more changes to the program please. The last program was only taking care of c|b here is the full program.

#include
#include
#include
#include
int uid;
main(argc, argv)
int argc;
char *argv[];
{
char *command=(char *)malloc(2048);
if ((argc != 5) && (argc != 3)){
printf("Incorrect usage\n");
exit(1);
}
setuid(0);
strcpy(command,"/usr/sbin/mknod ");
if ( argc == 5 ){
strcat(command,argv[1]);
strcat(command," ");
strcat(command,argv[2]);
strcat(command," ");
strcat(command,argv[3]);
strcat(command," ");
strcat(command,argv[4]);
if ( system(command) !=0 ) {
printf("1:The mknod command failed\n");
exit(1);
}
exit(0);
}
if ( argc == 3 ){
strcat(command,argv[1]);
strcat(command," ");
strcat(command,argv[2]);
if ( system(command) !=0 ) {
printf("1:The mknod command failed\n");
exit(1);
}
exit(0);
}
}

Just compile and use the same old procedure it should definately work of let me know again.

Thanks
Rajeev

Rajeev Shukla · ‎12-22-2002

Thats right bill,
mkfifo is only for named pipes. But my program is more generalised and works for creating block and character devices too.

Rajeev

Nikee Reddy · ‎12-22-2002

Hello All,

Thanks for the help and suggestions.

Rajeev, thanks for the code and it works.

Let me explain to all of you what I am trying to do here:

We are running SAP & Oracle on the HP 11.0 OS.

Basically SAP has a tool called SAPDBA (like SAM), which performs database reorganization and many more dba functions. Here I am trying to achieve the data export from the database in to multiple dump files due to the file size limitation i.e. 2GB.

SAPDBA tries to chop the database data export file in to multiple files using mknod command. SAP has hard coded this functionality in the SAPDBA.exe files.

Thank you,
Nikee

Nikee Reddy · ‎12-22-2002

Hello Rajeev,

pluto:oradv2> mymknod oradmp p

The above command is creating the file under root:dba permissions.

prw-r--r-- 1 root dba 0 Dec 22 23:41 oradmp

Is it possible to create a file under oradv2:dba ownership instead of root:dba?

The script is failing due to permissions problem.

Thanks,
Nikee

Rajeev Shukla · ‎12-22-2002

Here you are with a new program. Just get the uid and gid and do chown. Here you are, compile and then run is as before.

#include
#include
#include
#include
uid_t uid;
gid_t gid;
main(argc, argv)
int argc;
char *argv[];
{
char *command=(char *)malloc(2048);
if ((argc != 5) && (argc != 3)){
printf("Incorrect usage\n");
exit(1);
}
uid = getuid();
gid = getgid();
setuid(0);
strcpy(command,"/usr/sbin/mknod ");
if ( argc == 5 ){
strcat(command,argv[1]);
strcat(command," ");
strcat(command,argv[2]);
strcat(command," ");
strcat(command,argv[3]);
strcat(command," ");
strcat(command,argv[4]);
if ( system(command) !=0 ) {
printf("1:The mknod command failed\n");
exit(1);
}
chown(argv[1], uid, gid);
exit(0);
}
if ( argc == 3 ){
strcat(command,argv[1]);
strcat(command," ");
strcat(command,argv[2]);
if ( system(command) !=0 ) {
printf("1:The mknod command failed\n");
exit(1);
}
chown(argv[1], uid, gid);
exit(0);
}
}

Thanks
Rajeev

Lalo_Weng · ‎12-23-2002

Hello, Rajeev,

Your C program is great! I learn a lot from it. But here I have another question.

Why do we have to set the permission to 4755 instead of 755?

What does the 's' mean in 'rwsr-xr-x'? Why 'rwxr-xr-x' doesn't work?

Thanks a lot!

Keep finding is the way.

Bill Hassell · ‎12-23-2002

You'll learn a lot from the man page for chmod. The setUID bit is what allows a program to run as a different user. For this program, you are running as the oracle user with limited capabilities bt the program runs as root. This is why the owner of the resultant file is root by default.

setUID is a standard technique for many Unix commands but as you might expect, it creates the possibility of serious security risks, especially if the setUID is applied to a simple shell script. sudo is a much better solution as the actuions taken by sudo are logged (and limited by the config file).

It is strongly recommended that the nosuid option be added to *every* mountpoint where ordinary users have write access (such as /tmp, /var and /home). This prevents setUID scripts and/or programs in those locations from running.

Bill Hassell, sysadmin

Rajeev Shukla · ‎12-23-2002

Hi Lalo, thanks for that and Bill is right. The "s" is the setuid bit which makes the program run as the owner of the file. And in this case its root so the file is run as root. These type of permissions cause a great security threat. Specially the shell, perl scripts. Like you give write permission and the setuid to root, then the hacker has the right to put anything in the file and execute it as root. But the program i gave above is a compiled c program which is does not create a security threat as long as source code are not in the hand of the hacker.

Hi Nikee, does it solve your problem of ownership of file.

Cheers
Rajeev

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: mknod: must be super-user

mknod: must be super-user