[ale] C question

Robert L. Harris robert.l.harris at gmail.com
Tue May 27 15:39:17 EDT 2014


How to call it, the example you gave is what I was looking for, and I'll
put that in.

If you have an example which is simple ( so I don't have to figure out what
are the relevant parts ) I would like to learn some of this.  The only
thing is this is the first C program I've written in over 20 years and very
likely the last for the next 20, I just don't have reason to do it.

Robert



On Tue, May 27, 2014 at 1:29 PM, Alex Carver <agcarver+ale at acarver.net> wrote:

> It's already written as a function definition, you just have to put it
> in the file and then call it in your program before the system() call:
>
> int main(int argc, char **argv)
> {
>    setuid( 662705787 );
>
>    char Command[512];
>    if ( is_5char_alnum(argv[1]) == 1 )
>    {
>       sprintf(Command, "ssh user2@Server2 -C '/home/user2/bin/Test.sh %s'", argv[1]);
>       system((char *)Command);
>    }
>    else
>    {
>      printf("Bad input\n");
>    }
>    return 0;
> }
>
>
> Though you really should adjust things to use snprintf() and reparse
> argv[] into another variable first to sanitize it before feeding it into
> a command.
>
> On 2014-05-27 11:05, Robert L. Harris wrote:
> > How would I tie that in to my program?  I would read it as a function I
> > would run once I have my input but before I execute the system command but
> > don't know how to do that in C.
> >
> >
> >
> > On Tue, May 27, 2014 at 11:59 AM, David Tomaschik
> > <david at systemoverlord.com> wrote:
> >
> >> int is_5char_alnum(char *str) {
> >>   /* Returns 1 if 5 char alnum, 0 otherwise. */
> >>   int i;
> >>   if (!str)
> >>     return 0;
> >>   for (i=0;i<5;i++) {
> >>     if (!((str[i] >= 'A' && str[i] <= 'Z') ||
> >>           (str[i] >= 'a' && str[i] <= 'z') ||
> >>           (str[i] >= '0' && str[i] <= '9')))
> >>       return 0;
> >>   }
> >>   return (str[5] == '\0')?1:0;
> >> }
> >>
> >>
> >> On Tue, May 27, 2014 at 10:37 AM, Robert L. Harris <
> >> robert.l.harris at gmail.com> wrote:
> >>
> >>>
> >>> Here is what I ended up with from a "get this working" perspective:
> >>>
> >>>
> >>> #include <stdio.h>
> >>> #include <stdlib.h>
> >>> #include <sys/types.h>
> >>> #include <unistd.h>
> >>>
> >>>
> >>> int main(int argc, char **argv)
> >>> {
> >>>
> >>>    setuid( 662705787 );
> >>>
> >>>    char Command[512];
> >>>    sprintf(Command, "ssh user2@Server2 -C '/home/user2/bin/Test.sh %s'", argv[1]);
> >>>    system((char *)Command);
> >>>
> >>>    return 0;
> >>> }
> >>>
> >>>
> >>> Given that I have something that works, I need to put the data checks in
> >>> for a character length of 5 alpha numeric.  What changes should I make?
> >>> What other 'good to do' would anyone suggest?  I need to have this basic
> >>> functionality, but I'd like to make it "better" as well but I don't know C
> >>> other than how to do a "gcc" or read very specific examples.
> >>>
> >>> Robert
> >>>
> >>>
> >>>
> >>> On Sat, May 24, 2014 at 6:57 AM, Horkan Smith <ale at horkan.net> wrote:
> >>>
> >>>> You might also want to restrict what a user could do via ssh on the 2nd
> >>>> server:
> >>>>
> >>>> http://stackoverflow.com/questions/402615/how-to-restrict-ssh-users-to-a-predefined-set-of-commands-after-login
> >>>>
> >>>> http://www.wallix.org/2011/10/18/restricting-remote-commands-over-ssh/
> >>>>
> >>>> http://cybermashup.com/2013/05/14/restrict-ssh-logins-to-a-single-command/
> >>>>
> >>>> later!
> >>>>    horkan
> >>>>
> >>>> On Thu, May 22, 2014 at 05:37:32PM -0600, Robert L. Harris wrote:
> >>>>> The reason for the "system" is just to see what value I'm getting out.
> >>>>>
> >>>>> I have a perl script doing a bunch of processing which will be run by a
> >>>>> couple different users.  One aspect of the perl script is to connect to
> >>>>> another machine and run a command as a specific user.  Instead of having
> >>>>> others know the passwd, etc.  I have a hostkey set up from my server as a
> >>>>> non-privileged user to another system.  I want to have the C program setuid
> >>>>> to the non-privileged user, ssh to the second server and run 1 command with
> >>>>> the only variable being XXXXX.  More convoluted than I want but the safest
> >>>>> method I can come up with to get just the output I need from the second
> >>>>> server.
> >>>>>
> >>>>>
> >>>>>
> >>>>> On Thu, May 22, 2014 at 5:31 PM, Ed Cashin <ecashin at noserose.net> wrote:
> >>>>>
> >>>>>> In general, with this kind of stuff, you want to avoid using the
> >>>>>> shell, so no use of "system" or other library calls that implicitly
> >>>>>> run a shell.  The reason is that most programmers cannot anticipate
> >>>>>> all the corner cases that allow unexpected things to happen when you
> >>>>>> run a shell from your C program based on user data.
> >>>>>>
> >>>>>> But this extra information is making me less certain that I'm coming
> >>>>>> up with the best feedback.
> >>>>>>
> >>>>>> Does it happen to be the case that you're using C because you want to
> >>>>>> create an executable that you will make setuid root?
> >>>>>>
> >>>>>>
> >>>>>> On Thu, May 22, 2014 at 7:12 PM, Robert L. Harris
> >>>>>> <robert.l.harris at gmail.com> wrote:
> >>>>>>> My main goal is to make sure someone doesn't run this command and pass it
> >>>>>>> something like :     "15361; rm -rf ~/*"
> >>>>>>> I will need another version where XXXXX can be any alpha-numeric character
> >>>>>>> too but the main concern is the moron doing something stupid.
> >>>>>>>
> >>>>>>> Robert
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> On Thu, May 22, 2014 at 4:40 PM, Ed Cashin <ecashin at noserose.net> wrote:
> >>>>>>>>
> >>>>>>>> I'm not at a keyboard now, but strtol could do it all if you provide a
> >>>>>>>> non-NULL end pointer. (That will make sense on reading the strtol man page.)
> >>>>>>>> Just subtract the end from the start and compare to 5, after specifying base
> >>>>>>>> ten.
> >>>>>>>>
> >>>>>>>> On May 22, 2014 6:17 PM, "Robert L. Harris" <robert.l.harris at gmail.com>
> >>>>>>>> wrote:
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Anyone have a very simple C program source that given a command of :
> >>>>>>>>>
> >>>>>>>>> ./Validate XXXXX
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> it will verify that XXXXX is a 5 digit integer and then execute
> >>>>>>>>>
> >>>>>>>>> system( "/bin/touch XXXXX");
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> There's much more to it but I'm hung up on this.  Unfortunately I'm not a
> >>>>>>>>> C person.
> >>>>>>>>>
> >>>>>>>>> Robert
> >>>>>>>>>
> >>>>>>>>>
>



-- 
:wq!
---------------------------------------------------------------------------
Robert L. Harris

DISCLAIMER:
      These are MY OPINIONS             With Dreams To Be A King,
       ALONE.  I speak for                      First One Should Be A Man
       no-one else.                                     - Manowar
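
The suggestions made in the thread (validate the argument, use snprintf(), avoid system()) combined in one sketch, with the setuid() return value checked as well. This is an added example, not code posted by anyone in the thread; the ssh path /usr/bin/ssh, the fixed PATH, and the names build_ssh_argv and run_argv are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 only for exactly five ASCII letters or digits, 0 otherwise. */
int is_5char_alnum(const char *s) {
    if (!s || strlen(s) != 5) return 0;
    for (int i = 0; i < 5; i++) {
        char c = s[i];
        if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
              (c >= '0' && c <= '9')))
            return 0;
    }
    return 1;
}

/* Fill av[] (at least 4 slots) with the ssh argument vector; 0 ok, -1 reject.
 * ssh still hands the last argument to the remote login shell, so the
 * allowlist above is what keeps metacharacters out on the far side. */
int build_ssh_argv(const char *id, char *remote, size_t n, const char *av[]) {
    if (!is_5char_alnum(id)) return -1;
    int len = snprintf(remote, n, "/home/user2/bin/Test.sh %s", id);
    if (len < 0 || (size_t)len >= n) return -1;      /* truncated: refuse */
    av[0] = "/usr/bin/ssh";                           /* assumed install path */
    av[1] = "user2@Server2"; av[2] = remote; av[3] = NULL;
    return 0;
}

/* fork + execve with a fixed environment: no local shell, no caller PATH. */
int run_argv(const char *av[]) {
    char *const envp[] = {"PATH=/usr/bin:/bin", NULL};  /* assumed minimal env */
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(av[0], (char *const *)av, envp); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) {
    char remote[64];
    const char *av[4];
    if (setuid(662705787) != 0) { perror("setuid"); return 1; }
    if (build_ssh_argv(argc > 1 ? argv[1] : NULL, remote, sizeof remote, av) != 0) {
        fputs("Bad input\n", stderr);
        return 1;
    }
    return run_argv(av);
}
```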