Shell Programming and Scripting

Hi all,

I am OpenBSD newbie and currently need to manage some OpenBSD firewalls running pf. The OpenBSD version is 4.8

As the other sys admins are not so familiar with OpenBSD, so I have an idea across in my mind on how to minimize the root account usage and other unnecessary access and make the configuration/change of OpenBSD firewalls easier.

Let say if the IT Admin would like to manage the firewall from either console or ssh and they don't need to su in to do some config:

OpenBSD/i386

login: user1
password: password1

after they inputted the password and click enter, there will be another menu coming out on the screen instead of normal shell prompt ($)

>>>Welcome to the OpenBSD, please choose the option to configure:
1>Configure/Change IP address and subnet mask
2>View ifconfig
3>Configure/Change default route
4>Add/Remove static route
5>View routing table
6>Add/Change Name Server IP address
7>Add/Modify pf rule
8>Check pfstatus
9>Backup OpenBSD pf config
10>Quit

I really have no idea how to do that and the users are not allowed to access ($) or (#) at all to minimize human error(eg: accidentally delete config file etc) My intention is only giving them the necessary access to do the daily job.

Have you guys ever done the task like what I would like to do?
Can you give me the direction and hints on how to do that?

Regards,
Stefan

First thing is to make yourself a test account, and change the login shell to run your script.

Hi, stefan:

You'll have to setup sudo to allow the user your script runs as to use privileged pfctl features (same for other commands to alter the system's routing table, network interfaces, dns configuration, etc), unless you intend to run a suid shell script (the mere mention of it ... *gasp*).

Regards and welcome to the forum,
Alister

I think setuid shell script is almost impossible, as the dynamic lib locations are not compiled into the shells!

That suid sh script remark was intended as a joke, particularly given the platform in question. You're correct regarding the near impossiblity, but I believe you're reason is mistaken. Most modern UNIX platforms simply do not honor the suid bit for interpreted files.

I'm not certain what your dynamic library location remark means, unless you are referring to the fact that the loader ignores LD_LIBRARY_PATH and LD_PRELOAD for suid binaries. If so, that's an unrelated security issue.

Regards,
Alister

No, that was it, when a ksh script is started without LD_LIBRARY_PATH, it dies, and the same for any other common interpreter. I guess if you did a static link or compiled in a path with -R or whatever, then it might work. You seem to think there is special code in exec() to not allow both interpreter #! files and setuid, but I think the library path was sufficient is stopping the foolish.

What value does it demand for LD_LIBRARY_PATH, and why?