From: Mike Meyer
Date: Tue, 19 Jun 2001 10:17:42 -0500
To: Eric Boucher
Cc: questions@freebsd.org
Subject: Re: TCL/TK: starting a process by root from a user

Eric Boucher types:
> Hi everybody,
>
> I want to know if something is possible to do with the
> TCL language: I want to start a process that only root
> has the permission to start. So when the user starts
> my little TCL script, it will ask the normal user for
> a password (not the root one of course) and if that
> password is valid, it will map that password to the
> one of the root and then start the process by root. So
> the TCL script will contain the root password, but I
> don't want other users to be able to see it, only to execute
> it. Is there a way with the TCL language to do such a
> thing? (Note: the process that I want to be started by
> a user is a daemon).

I'm pretty sure the answer is no, but the problem isn't tcl, it's the
FreeBSD suid system. You're going about this all wrong for Unix.

If you make the script mode 700 and executable by root, the sudo port
should do pretty much what you want as is. You might take a look at
that.

If you really want to do it by hand, you'll need a C program that
starts the tcl script - because FBSD ignored the suid bit on
interpreted commands - and then have the script use getpwuid to get
the encrypted password, get what the user thinks the password is, and
test them. I can provide python showing how to do this, but I have no
idea how you'd do it with tcl. It might be easiest to have the C
program do the password checking, but then it's doing pretty much what
sudo does.

http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.