Example: Refer to Setuid in an Embedded SQL Application
The following example can be used in embedded SQL application programs that are made accessible by the Setuid bit. It checks that the connections are in place before allowing the program to run.
The program requires that the login of the program owner be known (in this case, fred, defined in line 2). It uses the UNIX getpwnam function to fetch the owner's user ID from the passwd structure, which the program compares with its effective user ID. For details, see the UNIX documentation.
The program checks to see if the caller can access the database, printing an error message if not. This can occur, for example, if a chmod command has not been issued on the application program, as described in the previous section.
The application code appears between the CONNECT and DISCONNECT statements. In the sample code that follows, the action of the program is to print the effective user ID:
#include  <pwd.h>
#define   DBA       "fred"
#include  <stdio.h>
#include  <stdlib.h>
#include  <string.h>
#include  <sys/types.h>
#include  <unistd.h>
/* Example to demonstrate how to run an embedded SQL program 
** in such a way that there is no requirement for the users to have 
** privileges on the tables accessed by the program.
** This example assumes the program will access tables owned by the 
** DBA, but this scheme could be used for any user. Additionally, assume 
** the DBA has granted no privileges.
** This program checks that it is running setuid to the DBA.
** If it is, it does a database connect.
** If it is not running setuid to the DBA, 
** it gives an error message to the user and exits.
** This check is done simply as a convenience to the user.
** If this check isn't done and the user is a valid INGRES user, 
** he or she can still connect to the database, 
** but will not be able to access any of the data.
** This would be frustrating to the user, 
** so the program stops them before they get connected.
** For this scheme to work, the executable MUST be setuid to the DBA.
*/
int main(void)
{
  EXEC SQL begin declare section;
    char  username[32];
    char  dbname[32];
  EXEC SQL end declare section;
  uid_t user;
  int   ret_val = 0;
  struct  passwd   *password_entry;

  /* Look up the passwd entry of the program owner. 
  ** Without it the check below cannot be made, so stop here.
  */
  password_entry = getpwnam(DBA);
  if (password_entry == NULL)
  {
    printf("Error starting application. Contact the DBA.\n");
    exit(1);
  }
  /* Check to see if the user interface is running setuid 
  ** to the dba (fred).
  ** If not, give the user a message and abort. 
  ** If so, connect to the database.
  */
  if ((user = geteuid()) != (password_entry->pw_uid))
  {
    printf("Error starting application. Contact the DBA.\n");
    ret_val = 1;
    exit(ret_val);
  }
  /* "dbname" is a placeholder: replace it with the name of the 
  ** database the application uses.
  */
  strcpy(dbname, "dbname");
  EXEC SQL connect :dbname;
  /* The following query will demonstrate that the dbms connection 
  ** was done by user fred, not the actual user. 
  */
  EXEC SQL select username() into :username;
  printf("User is %s\n", username);
  EXEC SQL disconnect;
  return ret_val;
}
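When the check in the program above fails, the usual cause is the owner or mode of the executable itself. The following C program is an added example, not part of the original guide or the product's code: it inspects a file's owner and mode and reports which condition is not met. All function and enum names are the example's own, and the test for group or other write permission is an added assumption about how the file should be protected.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Result codes; all names in this file are the example's own. */
enum suid_status { SUID_OK, SUID_WRONG_OWNER, SUID_NOT_SET, SUID_WRITABLE };

/* Classify an executable's stat data against the expected owner UID. */
enum suid_status classify_mode(const struct stat *st, uid_t owner)
{
    if (st->st_uid != owner)
        return SUID_WRONG_OWNER;  /* setuid would switch to another user */
    if (!(st->st_mode & S_ISUID))
        return SUID_NOT_SET;      /* the chmod step was never issued */
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return SUID_WRITABLE;     /* non-owners could replace the program */
    return SUID_OK;
}

/* Look up the owner login and stat the file; -1 if either lookup fails. */
int check_setuid_file(const char *path, const char *owner_login)
{
    struct passwd *pw = getpwnam(owner_login);
    struct stat st;

    if (pw == NULL || stat(path, &st) != 0)
        return -1;
    return (int)classify_mode(&st, pw->pw_uid);
}

int main(int argc, char **argv)
{
    static const char *const msg[] = {
        "ok: setuid to the expected owner",
        "file is not owned by the expected owner",
        "setuid bit is not set",
        "file is writable by group or others",
    };
    int rc;

    if (argc != 3) {
        fprintf(stderr, "usage: %s executable owner-login\n", argv[0]);
        return 2;
    }
    rc = check_setuid_file(argv[1], argv[2]);
    printf("%s: %s\n", argv[1], rc < 0 ? "cannot stat file or find login" : msg[rc]);
    return rc == SUID_OK ? 0 : 1;
}
```

Run it against the installed application with the owner's login (fred in the example above) as the second argument.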
Last modified date: 01/30/2023