
newgrp in a script

 
Eric Guerizec
Frequent Advisor

newgrp in a script

The newgrp command calls a new shell, so it's impossible to use it in a shell script because all commands after the newgrp call are not executed. Is it possible to write the same command in C, except for calling a new shell?


Re: newgrp in a script

Is setting the SGID bit for the shell script not an option?

HTH

Duncan

I am an HPE Employee
A. Clay Stephenson
Acclaimed Contributor

Re: newgrp in a script

Yes, it is easy to do a setuid/setgid program in C and then do a system("/usr/bin/sh"), but you can probably get everything to work as you want by creating an /etc/logingroup file. That will have the effect of allowing a user to be a member of multiple groups. Man logingroup for details.
If it ain't broke, I can fix that.
Eric Guerizec
Frequent Advisor

Re: newgrp in a script

Why do I want to write a C prog? Because the max group number is 20 for a user and in my configuration I can have more than 20 groups, so /etc/logingroup is not the solution because the id command reports only the first 20 groups!
I think you see my problem better now :)
A. Clay Stephenson
Acclaimed Contributor

Re: newgrp in a script

Okay, the attached C program will do the trick BUT I warn you this is a big security hole. I would install it in a directory that is only accessible by root.

It's written in ANSI C so compile it like this:

cc -Ae suexec.c -o suexec
chown root suexec
chmod 4755 suexec

If you don't have a development compiler then you can convert it to K&R C and use the bundled compiler.

Use it like this:
suexec -g mygroup tom /usr/bin/sh

That will start a new shell with user 'tom' group 'mygroup'.

suexec with no args will display usage.

If it ain't broke, I can fix that.
Wodisch
Honored Contributor

Re: newgrp in a script

Hi,

usually the reason for using "newgrp" is to make newly created files belong to that group.

You can achieve that in other ways: if those files are to reside in the same directory, set the SGID bit on the directory itself (a BSD tradition) and "chgrp" that directory to the group wanted.

FWIW,
Wodisch
Eric Guerizec
Frequent Advisor

Re: newgrp in a script

Thanks A. Clay for the script. I wrote a C program like this, except I verify if the new group is declared for the username. It will be the solution if I don't find a better one.
In my case, an application must be able to execute or write in another application. Each application has its own group.
If I use your C program in a script, I must execute suexec each time the script executes or writes in another application.
Ex:
#!/bin/ksh
suexec -g newgroup user proc1
suexec -g newgroup user proc2
suexec -g newgroup user proc3
Now, is it possible to write a C prog which changes the group id for all the commands in the script, so I can call this prog only one time at the beginning of the script?
Ex:
#!/bin/ksh
suexec -g newgroup
proc1
proc2
proc3
I am afraid that is not possible because all the C functions I know modify the gid for the current process only. So the new group will not be valid after the suexec execution. I couldn't use newgrp because, as I already said, newgrp calls a new shell, so in this example proc1, proc2 and proc3 will never be executed.
Bill Hassell
Honored Contributor

Re: newgrp in a script

Do you really need to use newgrp? Prior to 10.xx, HP-UX mandated the use of newgrp to change the user's group privileges unless the file: /etc/logingroup existed and was essentially a copy (or link) to the /etc/group file. If you run the id command, you'll see multiple group memberships listed. If not, create a link to /etc/group with:

ln -s /etc/group /etc/logingroup

Note that this provides membership privileges and will not change the default group like newgrp.


Bill Hassell, sysadmin
Eric Guerizec
Frequent Advisor

Re: newgrp in a script

Hello Bill,
On HPUX, the max number of simultaneous supplementary group IDs per process (NGROUPS_MAX) is 20. In my case, I could have more than 20 groups. /etc/logingroup is only valid for 20 groups. So if you declare one user with 21 groups, the id command shows you 20 groups, not 21, and you don't have any rights on the last group. But you can use newgrp to access this new group. That's why I want a binary doing the same thing as newgrp, except opening a new shell!
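
An added example (not code from the thread, and not the suexec.c attachment, which is not reproduced here): a setuid-root helper that performs the membership check Eric describes and then execs one command under the requested group, with no intermediate shell. The name rungrp is hypothetical, membership is read through getgrnam(), and password-protected groups (which newgrp supports) are assumed not to be in use.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if `user` may assume group `gr`: it is the user's primary group,
   or the user is named in the group's member list. Otherwise return 0. */
int user_may_use_group(const char *user, gid_t primary_gid, const struct group *gr)
{
    char **m;
    if (user == NULL || gr == NULL)
        return 0;
    if (gr->gr_gid == primary_gid)
        return 1;
    for (m = gr->gr_mem; m != NULL && *m != NULL; m++)
        if (strcmp(*m, user) == 0)
            return 1;
    return 0;
}

/* usage: rungrp group command [args...]   (hypothetical name, setuid root) */
int main(int argc, char **argv)
{
    struct passwd *pw = getpwuid(getuid());   /* real uid, not effective */
    struct group *gr;
    if (argc < 3 || pw == NULL) {
        fprintf(stderr, "usage: rungrp group command [args...]\n");
        return 2;
    }
    gr = getgrnam(argv[1]);
    if (gr == NULL || !user_may_use_group(pw->pw_name, pw->pw_gid, gr)) {
        fprintf(stderr, "%s: not a member of %s\n", pw->pw_name, argv[1]);
        return 1;
    }
    /* Order matters: change the group while still privileged, then give up
       root for good. Fail closed if either call does not succeed. */
    if (setgid(gr->gr_gid) != 0 || setuid(getuid()) != 0) {
        perror("setgid/setuid");
        return 1;
    }
    if (getgid() != gr->gr_gid || geteuid() != getuid())
        return 1;                             /* verify the drop took effect */
    execvp(argv[2], &argv[2]);                /* replaces this process */
    perror(argv[2]);
    return 127;
}
```

The new gid is inherited by the exec'd command and its children, so a whole script can run under the group with a single call by passing the script itself as the command.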