Setting permissions for shell scripts (UNIX for Advanced & Expert Users)
Post 302576857 by admin_xor on Sunday 27th of November 2011 02:37:34 AM
Can you post "ls -l" output for the shell script, java file, and the config files being used?

Here's my thought:
1. Create a separate user account and group ID.
2. Change ownership of the shell script, java file, and the configs to this UID and GID.
3. Provide read and execute permission on the shell script and java file. Read+write (if modification is required) for the config files. Make sure "others" do not have any permission on the files.
4. Create another group and add the users who should run the shell script in that.
5. Create ACL and assign this group execute permission on the shell script.

Here's the expected result:

The user tries to execute the shell script. As he belongs to the second group and has execute permission on the shell script through ACL, he would be able to do so. Now, as the SGID bit is set, the script will run with the owner GID which provides execute permission to the java code and read+write permission to the config files even though the user's UID does not have any explicit permission on them. You have to make sure that the shell script does not contain anything which would give shell escape to the user.

Hope this helps!
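
The layout described in the post above can be checked after it is applied. This is an added example, not part of the original post: a POSIX shell audit that flags "others" access, a group-writable or non-SGID wrapper, and an SGID bit on a `#!` script, which the Linux kernel ignores. It assumes GNU `stat`; `audit_file`, `demo` and the file names are hypothetical.

```shell
#!/bin/sh
# Added example: audit files against the layout in the post (dedicated
# owner and group, nothing for "others", SGID on the wrapper script).
# Assumes GNU stat (-c); names and files used in demo() are constructed.

# audit_file FILE KIND   (KIND is "script" or "config")
# Prints one finding per line; prints nothing when the file matches.
audit_file() {
    f=$1; kind=$2
    mode=$(stat -c '%a' "$f") || return 2
    perm=$((0$mode))                  # leading 0 makes the shell read octal
    [ $((perm & 07)) -eq 0 ] || echo "$f: others have access ($mode)"
    if [ "$kind" = script ]; then
        [ $((perm & 020)) -eq 0 ]   || echo "$f: script is group-writable ($mode)"
        [ $((perm & 010)) -ne 0 ]   || echo "$f: group cannot execute ($mode)"
        [ $((perm & 02000)) -ne 0 ] || echo "$f: SGID bit not set ($mode)"
        # Linux drops set-ID bits when the file is run through an interpreter.
        first=; IFS= read -r first < "$f" || :
        case $first in
            '#!'*) [ $((perm & 02000)) -eq 0 ] ||
                   echo "$f: SGID on a #! script is ignored by Linux" ;;
        esac
    fi
    return 0
}

# demo: build constructed files in a private temp dir and audit them.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho wrapper\n' > "$d/run.sh"
    printf 'key=value\n' > "$d/app.conf"
    chmod 2550 "$d/run.sh"     # r-xr-s---: read+execute, SGID, no "others"
    chmod 664  "$d/app.conf"   # deliberately wrong: "others" can read
    audit_file "$d/run.sh" script
    audit_file "$d/app.conf" config
    rm -rf "$d"
}

demo
```

Ownership and the ACL entry for the second group are not checked here; `ls -l` and `getfacl` on the same files show those.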
 

SETUID(1)                   General Commands Manual                   SETUID(1)

NAME
       setuid - run a command with a different uid.

SYNOPSIS
       setuid username|uid command [ args ]

DESCRIPTION
       Setuid changes user id, then executes the specified command. Unlike
       some versions of su(1), this program doesn't ever ask for a password
       when executed with effective uid=root. This program doesn't change the
       environment; it only changes the uid and then uses execvp() to find the
       command in the path, and execute it. (If the command is a script,
       execvp() passes the command name to /bin/sh for processing.)

       For example,

              setuid some_user $SHELL

       can be used to start a shell running as another user.

       Setuid is useful inside scripts that are being run by a setuid-root
       user -- such as a script invoked with super, so that the script can
       execute some commands using the uid of the original user, instead of
       root. This allows unsafe commands (such as editors and pagers) to be
       used in a non-root mode inside a super script. For example, an operator
       with permission to modify a certain protected_file could use a super
       command that simply does:

              cp protected_file temp_file
              setuid $ORIG_USER ${EDITOR:-/bin/vi} temp_file
              cp temp_file protected_file

       (Note: don't use this example directly. If the temp_file can somehow be
       replaced by another user, as might be the case if it's kept in a
       temporary directory, there will be a race condition in the time between
       editing the temporary file and copying it back to the protected file.)

AUTHOR
       Will Deich

local                                                                 SETUID(1)