Restricted Program Access

[Peter da Silva]

In article <164 at nisca.ircc.ohio-state.edu>, frank at hpuxa.ircc.ohio-state.edu (Frank G. Fiamingo) writes:
> Apparently newgrp spawns a new shell so that the
> commands following it are never executed.  

Here's my solution... it's an equivalent of 'su' for groups (where newgrp
is an equivalent of login for groups). A quick hack, but very useful.
The games with errno were needed to keep spurious error messages here and
there from confusing our users. status==1 implies a system error, status==2
implies a user error.

/* grp group command...
 *
 * Execute "command" with gid=="group".
 */

#include <stdio.h>
#include <grp.h>
#include <pwd.h>
#include <errno.h>

main(ac, av)
int ac;
char **av;
{
	struct passwd *passwd, *getpwuid();
	struct group *group, *getgrnam();
	extern int errno;
	int i;

	if(ac < 3) {
		fprintf(stderr, "Usage: grp group command...\n");
		exit(2);
	}
	errno = 0;
	if((passwd = getpwuid(getuid())) == 0) {
		if(errno == 0 ||
		   errno == ENOTTY)	/* Yes, /etc/passwd is not a tty */
			fprintf(stderr, "/etc/passwd: No entry for uid\n");
		else
			perror("/etc/passwd");
		exit(1);
	}
	errno = 0;
	if((group = getgrnam(av[1])) == 0) {
		if(errno == 0 ||
		   errno == ENOTTY)	/* yes, etc/group is not a tty */
			fprintf(stderr, "%s: No such group\n", av[1]);
		else
			perror("/etc/group");
		exit(1);
	}
	for(i = 0; group->gr_mem[i]; i++)
		if(strcmp(group->gr_mem[i], passwd->pw_name) == 0)
			break;
	if(group->gr_mem[i] == 0) {
		fprintf(stderr, "%s: Not in group.\n", av[1]);
		exit(1);
	}
	setgid(group->gr_gid);
	setuid(getuid());
	errno = 0;
	execvp(av[2], &av[2]);
	perror("grp: exec");
}
-- 
Peter da Silva, Xenix Support, Ferranti International Controls Corporation.
Business: peter at ficc.uu.net, +1 713 274 5180. | "Arrrrggggh!
Personal: peter at sugar.hackercorp.com.   `-_-' |  Electronic mail sucks eggs."
Quote: Have you hugged your wolf today?  'U`  |     -- eugene miya