Stefan,
First I want to say I really like your program. We work in a small group of 5 database administrators, and this is exactly what we need to inform each other. Elog is simple but very functional, so thanks!
My problem is that I don't have root access to the HP-UX machines. We don't run elogd as root, so I wasn't really interested in the seteuid functionality, I just wanted to compile and run the program.
HP-UX doesn't have the "seteuid" and "setegid" functions. But there are "setuid+setgid", "setreuid+setregid" and "setresuid+setresgid" functions available. I'm not sure which one is the best to use. I uploaded the manpages as attachment. I hope this will help you.
If you want I can do a compile and run test on HP-UX with your altered source code. But I can't do a test with "root".
| Stefan Ritt wrote: | I applied most of your patches to the elog source code, SVN revision 1885. The only missing piece has to do with seteuid/setuid. I definitively need seteuid for linux, because elogd might be started under root, then it falls back to an optional elog user. But when it stops, it has to restore the original root user in order to delete the PID file (/var/run/elogd.pid) which was created under root. If seteuid does not exist under HP-UX, you should add something like
#ifdef HP-UX
setuid(...)
#else
seteuid(...)
#endif
Probably the HP-UX has to be something else, but I cannot test this since I don't have such an OS here. Once you get this working I can put it into the standard distribution. |
|
setuid(2) setuid(2)
NAME
setuid(), setgid() - set user and group IDs
SYNOPSIS
#include <unistd.h>
int setuid(uid_t uid);
int setgid(gid_t gid);
DESCRIPTION
setuid() sets the real-user-ID (ruid), effective-user-ID (euid),
and/or saved-user-ID (suid) of the calling process. If the Security
Containment product is installed, these interfaces treat a process
observing CHSUBJIDENT as a privileged process. Otherwise, only
processes with an euid of zero are treated as privileged processes.
See privileges(5) for more information on Security Containment and
fine-grained privileges.
The following conditions govern setuid's behavior:
+ If the process is privileged, setuid() sets the ruid, euid,
and suid to uid.
+ If the process is not privileged and the argument uid is equal
to the ruid or the suid, setuid() sets the euid to uid; the
ruid and suid remain unchanged. (If a set-user-ID program is
not running as superuser, it can change its euid to match its
ruid and reset itself to the previous euid value.)
+ If the process is not privileged, the argument uid is equal to
the euid, and the calling process has the PRIV_SETRUGID
privilege, setuid() sets the ruid to uid; the euid and suid
remain unchanged.
setgid() sets the real-group-ID (rgid), effective-group-ID (egid),
and/or saved-group-ID (sgid) of the calling process. The following
conditions govern setgid()'s behavior:
+ If the process is privileged, setgid() sets the rgid and egid
to gid.
+ If the process is not privileged and the argument gid is equal
to the rgid or the sgid, setgid() sets the egid to gid; the
rgid and sgid remain unchanged.
+ If the process is not privileged, the argument gid is equal to
the egid, and the calling process has the PRIV_SETRUGID
privilege, setgid() sets the rgid to gid; the egid and sgid
remain unchanged.
Hewlett-Packard Company - 1 - HP-UX 11i Version 2: May 2006
setuid(2) setuid(2)
Security Restrictions
Some or all of the actions associated with this system call require
the CHSUBJIDENT privilege. Processes owned by the superuser have this
privilege. Processes owned by other users may have this privilege,
depending on system configuration.
See privileges(5) for more information about privileged access on
systems that support fine-grained privileges.
RETURN VALUE
Upon successful completion, setuid() and setgid() return 0; otherwise,
they return -1 and set errno to indicate the error.
ERRORS
setuid() and setgid() fail and return -1 if any of the following
conditions are encountered:
[EPERM] None of the conditions above are met.
[EINVAL] uid (gid) is not a valid user (group) ID.
WARNINGS
It is recommended that the PRIV_SETRUGID capability be avoided, as it
is provided for backward compatibility. This feature may be modified
or dropped from future HP-UX releases. When changing the real user ID
and real group ID, use of setresuid() and setresgid() (see
setresuid(2)) is recommended instead.
AUTHOR
setuid() was developed by AT&T, the University of California,
Berkeley, and HP.
setgid() was developed by AT&T.
SEE ALSO
exec(2), getuid(2), setresuid(2), privileges(5).
STANDARDS CONFORMANCE
setuid(): AES, SVID2, SVID3, XPG2, XPG3, XPG4, FIPS 151-2, POSIX.1
setgid(): AES, SVID2, SVID3, XPG2, XPG3, XPG4, FIPS 151-2, POSIX.1
Hewlett-Packard Company - 2 - HP-UX 11i Version 2: May 2006
|
setresuid(2) setresuid(2)
NAME
setresuid, setresgid - set real, effective, and saved user and group
IDs
SYNOPSIS
#include <unistd.h>
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
DESCRIPTION
setresuid() sets the real, effective and/or saved user ID of the
calling process.
If the current real, effective or saved user ID is equal to that of a
user having appropriate privileges, setresuid() sets the real,
effective and saved user IDs to ruid, euid, and suid, respectively.
Otherwise, setresuid() only sets the real, effective, and saved user
IDs if ruid, euid, and suid each match at least one of the current
real, effective, or saved user IDs.
If ruid, euid, or suid is -1, setresuid() leaves the current real,
effective or saved user ID unchanged.
setresgid() sets the real, effective and/or saved group ID of the
calling process.
If the current real, effective or saved user ID is equal to that of a
user having appropriate privileges, setresgid() sets the real,
effective, and saved group ID to rgid, egid, and sgid, respectively.
Otherwise, setresgid() only sets the real, effective and saved group
ID if rgid, egid, and sgid each match at least one of the current
real, effective or saved group ID.
If rgid, egid, or sgid is -1, setresgid() leaves the current real,
effective or saved group ID unchanged.
Security Restrictions
Some or all of the actions associated with this system call require
the PRIV_CHSUBJIDENT privilege (CHSUBJIDENT). Processes owned by the
superuser will have this privilege. Processes owned by other users
may have this privilege, depending on system configuration. See
privileges(5) for more information about privileged access on systems
that support fine-grained privileges.
RETURN VALUE
Upon successful completion, setresuid() and setresgid() return 0;
otherwise, they return -1 and set errno to indicate the error.
Hewlett-Packard Company - 1 - HP-UX 11i Version 2: May 2005
setresuid(2) setresuid(2)
ERRORS
setresuid() and setresgid() fail if any of the following conditions
are encountered:
[EINVAL] ruid, euid, or suid (rgid, egid, or sgid) is not a
valid user (group) ID.
[EPERM] None of the conditions above are met.
AUTHOR
setresuid() and setresgid() were developed by HP.
SEE ALSO
exec(2), getuid(2), setuid(2).
Hewlett-Packard Company - 2 - HP-UX 11i Version 2: May 2005
|