[ale] C question

Robert L. Harris robert.l.harris at gmail.com
Tue May 27 13:37:18 EDT 2014


Here is what I ended up with from a "get this working" perspective:


#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>


int main(int argc, char **argv)
{

   setuid( 662705787 );

   char Command[512];
   sprintf(Command, "ssh user2@Server2 -C '/home/user2/bin/Test.sh %s'",
           argv[1]);
   system((char *)Command);

   return 0;
}


Given that I have something that works, I need to put the data checks in
for a character length of 5 alpha numeric.  What changes should I make?
 What other 'good to do' would anyone suggest?  I need to have this basic
functionality, but I'd like to make it "better" as well but I don't know C
other than how to do a "gcc" or read very specific examples.

Robert



On Sat, May 24, 2014 at 6:57 AM, Horkan Smith <ale at horkan.net> wrote:

> You might also want to restrict what a user could do via ssh on the 2nd
> server:
>
>
> http://stackoverflow.com/questions/402615/how-to-restrict-ssh-users-to-a-predefined-set-of-commands-after-login
>
> http://www.wallix.org/2011/10/18/restricting-remote-commands-over-ssh/
>
> http://cybermashup.com/2013/05/14/restrict-ssh-logins-to-a-single-command/
>
> later!
>    horkan
>
> On Thu, May 22, 2014 at 05:37:32PM -0600, Robert L. Harris wrote:
> > The reason for the "system" is just to see what value I'm getting out.
> >
> > I have a perl script doing a bunch of processing which will be run by a
> > couple different users.  One aspect of the perl script is to connect to
> > another machine and run a command as a specific user.  Instead of having
> > others know the passwd, etc.  I have a hostkey set up from my server as a
> > non-privileged user to another system.  I want to have the C program setuid
> > to the non-privileged user, ssh to the second server and run 1 command with
> > the only variable being XXXXX.  More convoluted than I want but the safest
> > method I can come up with to get just the output I need from the second
> > server.
> >
> >
> >
> > On Thu, May 22, 2014 at 5:31 PM, Ed Cashin <ecashin at noserose.net> wrote:
> >
> > > In general, with this kind of stuff, you want to avoid using the
> > > shell, so no use of "system" or other library calls that implicitly
> > > run a shell.  The reason is that most programmers cannot anticipate
> > > all the corner cases that allow unexpected things to happen when you
> > > run a shell from your C program based on user data.
> > >
> > > But this extra information is making me less certain that I'm coming
> > > up with the best feedback.
> > >
> > > Does it happen to be the case that you're using C because you want to
> > > create an executable that you will make setuid root?
> > >
> > >
> > > On Thu, May 22, 2014 at 7:12 PM, Robert L. Harris
> > > <robert.l.harris at gmail.com> wrote:
> > > > > My main goal is to make sure someone doesn't run this command and pass it
> > > > > something like :     "15361; rm -rf ~/*"
> > > > > I will need another version where XXXXX can be any alpha-numeric character
> > > > > too but the main concern is the moron doing something stupid.
> > > >
> > > > Robert
> > > >
> > > >
> > > >
> > > > > On Thu, May 22, 2014 at 4:40 PM, Ed Cashin <ecashin at noserose.net> wrote:
> > > >>
> > > > >> I'm not at a keyboard now, but strtol could do it all if you provide a
> > > > >> non-NULL end pointer. (That will make sense on reading the strtol man page.)
> > > > >> Just subtract the end from the start and compare to 5, after specifying base
> > > > >> ten.
> > > >>
> > > > >> On May 22, 2014 6:17 PM, "Robert L. Harris" <robert.l.harris at gmail.com> wrote:
> > > >>>
> > > >>>
> > > > >>> Anyone have a very simple C program source that given a command of :
> > > >>>
> > > >>> ./Validate XXXXX
> > > >>>
> > > >>>
> > > >>> it will verify that XXXXX is a 5 digit integer and then execute
> > > >>>
> > > >>> system( "/bin/touch XXXXX");
> > > >>>
> > > >>>
> > > >>>
> > > > >>> There's much more to it but I'm hung up on this.  Unfortunately I'm not a
> > > > >>> C person.
> > > >>>
> > > >>> Robert
> > > >>>
> > > >>>
> > > >>> --
> > > >>> :wq!
> > > >>>
> > > >>>
> > >
> ---------------------------------------------------------------------------
> > > >>> Robert L. Harris
> > > >>>
> > > >>> DISCLAIMER:
> > > >>>       These are MY OPINIONS             With Dreams To Be A King,
> > > >>>        ALONE.  I speak for                      First One Should
> Be A
> > > Man
> > > >>>        no-one else.                                     - Manowar
> > > >>>
> > > >>> _______________________________________________
> > > >>> Ale mailing list
> > > >>> Ale at ale.org
> > > >>> http://mail.ale.org/mailman/listinfo/ale
> > > >>> See JOBS, ANNOUNCE and SCHOOLS lists at
> > > >>> http://mail.ale.org/mailman/listinfo
> > > >>>
> > > >>
> > > >> _______________________________________________
> > > >> Ale mailing list
> > > >> Ale at ale.org
> > > >> http://mail.ale.org/mailman/listinfo/ale
> > > >> See JOBS, ANNOUNCE and SCHOOLS lists at
> > > >> http://mail.ale.org/mailman/listinfo
> > > >>
> > > >
> > > >
> > > >
> > > > --
> > > > :wq!
> > > >
> > >
> ---------------------------------------------------------------------------
> > > > Robert L. Harris
> > > >
> > > > DISCLAIMER:
> > > >       These are MY OPINIONS             With Dreams To Be A King,
> > > >        ALONE.  I speak for                      First One Should Be
> A Man
> > > >        no-one else.                                     - Manowar
> > > >
> > > > _______________________________________________
> > > > Ale mailing list
> > > > Ale at ale.org
> > > > http://mail.ale.org/mailman/listinfo/ale
> > > > See JOBS, ANNOUNCE and SCHOOLS lists at
> > > > http://mail.ale.org/mailman/listinfo
> > > >
> > >
> > >
> > >
> > > --
> > >   Ed Cashin <ecashin at noserose.net>
> > >   http://noserose.net/e/
> > >   http://www.coraid.com/
> > >
> >
> >
> >
> > --
> > :wq!
> >
> ---------------------------------------------------------------------------
> > Robert L. Harris
> >
> > DISCLAIMER:
> >       These are MY OPINIONS             With Dreams To Be A King,
> >        ALONE.  I speak for                      First One Should Be A Man
> >        no-one else.                                     - Manowar
>
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
>
>
> --
> Horkan Smith
> 678-777-3263 cell, ale at horkan.net
>



-- 
:wq!
---------------------------------------------------------------------------
Robert L. Harris

DISCLAIMER:
      These are MY OPINIONS             With Dreams To Be A King,
       ALONE.  I speak for                      First One Should Be A Man
       no-one else.                                     - Manowar
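
An added example, not code from any poster in this thread: one way to put the requested check for 5 alphanumeric characters in front of the ssh call, while also checking the setuid() result and replacing system() with execve() so that no local shell parses the argument. The ssh path /usr/bin/ssh and the fixed PATH value are assumptions, and "user2@Server2" is the archive's "user2 at Server2" read as a login.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define RUN_AS_UID ((uid_t)662705787)   /* uid used in the post */
#define SSH_PATH   "/usr/bin/ssh"       /* assumption: location of ssh */
#define ARG_LEN    5

/* Return 1 only if s is exactly ARG_LEN ASCII letters or digits. */
int valid_arg(const char *s)
{
    if (s == NULL || strlen(s) != ARG_LEN)
        return 0;
    for (size_t i = 0; i < ARG_LEN; i++) {
        char c = s[i];
        if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
              (c >= 'A' && c <= 'Z')))
            return 0;   /* rejects ';', spaces, quotes, '$', etc. */
    }
    return 1;
}

int main(int argc, char **argv)
{
    if (argc != 2 || !valid_arg(argv[1])) {
        fprintf(stderr, "usage: %s XXXXX (5 letters/digits)\n",
                argc > 0 ? argv[0] : "validate");
        return 2;
    }
    /* Stop if the uid switch fails instead of running ssh as the caller. */
    if (setuid(RUN_AS_UID) != 0) {
        perror("setuid");
        return 1;
    }
    /* Argument vector and a fixed environment: no local shell is involved,
       and the caller's PATH, LD_* and IFS settings are not inherited. */
    char *const ssh_argv[] = { "ssh", "-C", "user2@Server2",
                               "/home/user2/bin/Test.sh", argv[1], NULL };
    char *const ssh_envp[] = { "PATH=/usr/bin:/bin", NULL };
    execve(SSH_PATH, ssh_argv, ssh_envp);
    perror("execve");   /* reached only if execve() failed */
    return 1;
}
```

ssh still hands the remote command to user2's shell on Server2 as one string, so the character check is what keeps shell metacharacters out of it; restricting the key to a single command on the second server, as suggested in the quoted reply, covers the remote side.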