Shell Programming and Scripting

I want to delete some files and directories owned by root from another different user in HP-UX 10.20.

The list of files looks like:

(user test)
bash-2.03$ ls -alrt
total 20
-rw-r--r-- 1 root root 55 Aug 27 2003 _index_jsp_2.dat
-rw-r--r-- 1 root root 4100 Aug 27 2003 _index.class
drwxr-xr-x 3 root other 512 Jan 22 13:33 ..
drwxr-xr-x 2 root root 512 Mar 5 10:53 error_5F_pages
drwxr-xr-x 4 root other 512 Mar 5 10:54 .
drwxr-xr-x 5 root root 512 Apr 12 19:24 jsp

I have programmed and compiled a C source as root that executes a shell and have set the s-uid-gid bit in order to execute them with the efective user root.

The C source sais:

/***********************************************/
#include <stdio.h>
#include <unistd.h>

int main(){

char *env[]={"PATH=/bin:/usr/bin",NULL};
char prog[]="/appli/test/shtest";

if (access(prog,X_OK)){
fprintf(stderr,"ERROR: %s \n",prog);
return(1);
}

system(prog);

perror("test");

return(1);
}


/***********************************************/

The shell (/appli/test/shtest):

rm -r /appli/test/www/*



-rw-r--r-- 1 root other 43 Apr 12 11:25 makefile
-rw-r--r-- 1 root other 328 Apr 12 11:47 test.c
-rwsrwsrwt 1 root other 6808 Apr 12 11:51 test2
-rwxrwxrwx 1 root other 74 Apr 13 08:39 shtest

The binary (test2) tries to execute shtest which is the shell that tries to remove these files.

When I execute it as "test" the system message says:

rm: /appli/test/www/_index.class: override protection 644 (yes/no)? yes
rm: /appli/test/www/_index.class not removed: Permission denied

The problem is that the directory where the list of files are stored is owned by root and the user isn't allowed for writing in it:

drwxr-xr-x 4 root other 512 Mar 5 10:54 www

It's not possible to change this permissons because they are automatically generated and we don't want to use a cron task which changes these permissons because there are thousands of files of this kind that we want to delete.

Do you know if I can remove these files and directories with a non-root (nor system...) user?

Thanks in advance

What you are trying to do is very dangerous from a security standpoint. shtest is obviously a shell script of some kind. That is bad enough by itself, but you actually have shtest world-writable.

Rather than executing shtest, your c program should do all of the work itself. Deleting some files is not hard.

But the reason this is failing is that modern shells try to prohibit what you are trying. If they find themselves running a script and notice that the effective uid does not match the real uid, they reset the effective uid.

You can defeat that by adding a single line of code:
setuid(0);
to your c program prior to invoking system(). Mark my words though. Youll probably regret doing so later.

It worked. I just added the line setuid(0) and it worked.

In fact the permissions you could see in the example are not those which will stay in the future. It's just a test. The reason why I ask here is also to do it in a safe way.

Thank you very much