Solution provided by Rudi is very easy to implement and it works even with the Perl file reader code I have.
Please understand that setuid perl still leaves you with the problem of protecting the perl script instead of protecting the env file. You'd be better off just sourcing and protecting your script and env file alike with sudo.
Last edited by Corona688; 09-03-2015 at 02:12 PM..
I was perusing your post number #3 in this thread and I noticed your Perl snippet. While it is not part of the topic here, I thought of mentioning a few bits in that snippet that might need attention.
Quote:
Code:
#!/usr/bin/suidperl
$envfilename=$ARGV[0];
open(FILEHANDLE,"<$envfilename") || die "Cannot Open file $envfilename";
while (<FILEHANDLE>)
{
$lineread=$_;
chop($lineread);
printf("%s\n",$lineread);
}
Since the year 2000, a modification was made to the way you can open a file in Perl, due to issues found in the way you have it right now.
The popular 2-arguments: global variable, "include redirection in the file name" was found troublesome.
A new way was introduced: 3-arguments with a scalar lexical variable.
Instead of:
Code:
open(FILEHANDLE,"<$envfilename") || die "Cannot Open file $envfilename";
It can be changed to:
Code:
open my $filehandle, '<', $envfilename or die ...
There is an error waiting to happen in that while loop:
The function chop() will happily and quietly remove the last character of at the end of line, whether is a newline character or not. The function chomp() prevents that.
The while loop block could be written, without loosing clarity, as:
Code:
while(my $lineread = <$filehandle>){
chomp($lineread);
do_something with $lineread
}
Thanks for your great Discoveries. Solution provided by Rudi is very easy to implement and it works even with the Perl file reader code I have. Solution provided by Don is also very helpful. However in my case since envfile.txt is being shared across multiple users, I would prefer to make local changes to my script by adding "" in the eval command as in
Code:
eval "`/tmp/filereader.pl /tmp/envfile.txt`"
Also Don I was curious how come in bash the ';' at the end of each line in /tmp/envfile.txt makes it work without "" in eval ? Each entry in my envfile.txt are anyway newline-separated or on a separate line. Isn't that good for bash to understand that each export command in the envfile.txt is a separate export command that i needs to process separately as it is separated by newline. What is the significance of ; as opposed to newline in bash ?
thanks
I do not maintain bash, so I can't say why putting in the semicolon works when a <newline> without the semicolon doesn't work.
If you compare the ksh -xv script trace output to the bash -xv script trace output when running your script, the difference in what the trace of the eval showed made me wonder if a semicolon would make a difference. So I tried it, and it worked. The bash trace output looked like it was executing the command:
both export commands clearly have to be evaluated by the the shell in order. And with those two export statements, the result should be the same whether or not the 2nd export is evaluated by the eval or processed as a stand-alone command. Furthermore, if you look at $BASEPATH after the eval completes (with or without the double quotes), you'll see that BASEPATH is set correctly. It just looks like bash executes the 2nd export command before it executes the 1st export command. And, that appears to me to be a bug.
Yes you are right. I just didnot communicate right. What I meant was that Linux supports setuid bit for C/C++ binaries / Perl scripts. It doesnot support it for Java programs or shell scripts.
So my idea is to remove read permission on the /tmp/envfile.txt for rest of world. One common user will be owner of the perl script and the envfile.txt.
So when any of the 50 users other than the owner will not be able to read the envfile.txt which has confidential information but they will be able to run the shell scripts and source it inside the shell scripts using the eval command because when eval runs, the perl script it will run as the owner and be able to read the hidden envfile.txt.
The example I have given for this discussion forum is just a dummy example. In reality we have around 300 shell scripts which source the envfile.txt and which several users other than the owner will run. With the sudo solution you provided, there would be two complexities:
(1) Each of the 50 users' userids' should be given sudo access to run the shell scripts as the owner id
(2) Sudo access has to be given to each of those 50 userids' to run each of the 300 scripts as the ownerid
This could get very cumbersome.
I agree that somebody can notice the eval "`/tmp/filereader.pl /tmp/envfile.txt`" command
within the shell scripts and be smart enough to run it from command line to view the envfile contents.
But at least it is slightly difficult than running a straight 'vi envfile.txt' that even beginners to UNIX OS are familiar
Yes you are right. I just didnot communicate right. What I meant was that Linux supports setuid bit for C/C++ binaries / Perl scripts.
suidperl was an ugly insecure hack. Was, past tense: It has been amputated from modern Perl. It is liable to disappear any time you update your system, so really shouldn't be depended on.
Quote:
So my idea is to remove read permission on the /tmp/envfile.txt for rest of world. One common user will be owner of the perl script and the envfile.txt
That's rather the long way around... Why not do that to the shell script itself? You'd need sudo to do so, but that's kind of the point. You need some setuid C executable somewhere to bridge the gap, it might as well be one that's written very, very carefully.
So you'd have your original script, under some user, which can just do . /path/to/totally/secret/env.file
I'm still missing the point. You want to have me execute a bunch of commands I can't read by placing those commands in a file (/tmp/envfile.txt) owned by someone other than me with permissions that don't allow me to read it. Then you create a set-UID program (in perl or C or C++). This set-UID program reads the file I can't normally read and feeds it into the eval command in my shell script:
Code:
eval `/tmp/filereader.pl /tmp/envfile.txt`
Presumably I can read my own shell script which contains the above eval command.
Why doesn't the shell script:
Code:
#!/bin/ksh
cat <<-EOF | tee $HOME/my_copy
$(/tmp/filereader.pl /tmp/envfile.txt)
EOF
copy the secret contents of your file onto my screen and into a file in my home directory?
If you want me to include your secret shell commands and run them as me in my shell script, you need to realize that your secret shell commands have to be readable by me.
Don,
Like you mentioned when "" is used with the eval command or when ; is placed after the BASEPATH assignment in envfile.txt, xtrace output shows that BASH executes the commands one after the other in the proper order. Else we cannot determine in what order it is executing looking at the xtrace output
As for the setuid solution I have come up with I understand that it is not a completely secure solution. Other users can view the envfile.txt contents by running the setuid script using eval `/tmp/filereader.pl /tmp/envfile.txt`.
But i just tbought until I come up with a more secure solution this would be at least safer than having no Setuid script at all and giving read permission to all to /tmp/envfile.txt and using . /tmp/envfile.txt inside the shell script.
When I refer to confidential information inside envfile.txt I am referring to database passwords etc. which are assigned to environment vairables that will be used within the script.
Corona,
As for your suggestion that i create a shell script filreader.sh owned by master account that has read access to envfile.txt and which is shielded from read/execute access by other users and which has inside it
Code:
. /tmp/envfile.txt
Now inside the main script test.sh that other userids can execute i include
Code:
sudo - masteraccount /somepath/filereader.sh
This would work.
But again it would expose a threat in that other user ids can use a simple hack in the form of a script like this which prints the contents of envfile.txt
Code:
set -x
sudo - masteraccount /somepath/filereader.sh
So the other optionwould be to add this in test.sh
Code:
. /tmp/envfile.txt
and then revoke read permission to other userids on /tmp/envfile.txt and revoke execute permission to other userids on test.sh and GRANT SUDO access to test.sh rather than create a separate filereader.sh and granting sudo access to the filereader.sh
So other users can then run
Code:
sudo - masteraccount test.sh
But I think if other users write a script like this with the set -x option, they can expose envfile.txt contents here as well. So I am not sure if this is secure as well.
"Debian 9 64x - LXDE"
I try to source a file from my parent directory:
#!/bin/bash
#source.bash
. ../links.bash but i get "file not found".
I tried . "../links.bash" and . '../links.bash'. I got on all methods the same result.
If i use the absolute path it works, but i don't want to... (4 Replies)
Why does dot sourcing of ksh functions behave so differently between AIX, Solaris, and Linux? How can I make Linux behave the way I want in the test I show below?
I have a library of interdependent functions I have developed and use in ksh in AIX. They also run in Solaris. Now I am migrating... (9 Replies)
I have tried with the following:
csh -c 'source ~/.cshrc; exec bash' # works perfectly
(cat ~/.cshrc; echo exec bash) | csh # not working
And, using sed, I successfully retrieved the environment variables from ~/.cshrc
sed -rn 's/setenv\s+(\S+)\s+(.*)$/export \1=\2/p' ~/.cshrc
but now... (6 Replies)
I am facing a very strange issue. I have script in ksh with #!/bin/ksh as shebang.
This script has function which sets the env variable before running other functions of the script. by
set_up_env()
{
CONFIG_FILE="/opt/app/tools/deepmarking/latestVersion/script/UploadEnv"
if
then
... (7 Replies)
Hi!
I wanted to simplify my bash prompt, so I edited my etc/bashrc file. I thought this was the file that would override any other env files. When I opened it, I saw that the way it was setup was not what my prompt looked like, although I forget exactly what was there. But i edited it the way I... (1 Reply)
Hi,
Could any one share the intelligence to track this problem.
I have any array BT_META_36 and it prints properly with contents of array.
# print "BT_META_36=${BT_META_36}"
# BT_META_36=cab3,cab4:HDS:052,07A cab3,cab4:HDS:052,07A
Now I have a BT_META_36 assigned to a variable.... (0 Replies)
first of all, thanks to all on this board, it has been a huge resource to answer most of my questions!
I am stuck on something that should really be simple, and was looking for some help.. I am using KSH on solaris and working on a script to move containers from server to server. Where i am... (4 Replies)
Hey all,
I have been using Ksh and in that I am setting Environment variables.
To set Env. Variables I have created my own file "BuildScript.sh" in which i have written :
export CLASSPATH=/somedir/some other dir/file:.
export PATH=/some dir/file:.
But when i am calling this... (4 Replies)
hi everyone
i've been reading learning the bash and there is somrthing i don;t
understand what does eval do
i know that it run a command or script twice but i don;t see in
what for cases i can use this
could somebody explain this to me (3 Replies)
I have a script "abc.sh" in /tmp which has exit 0 as its last line
when I run this script from /tmp/xyz/def.sh script as
. ../abc.sh
then the script executes but the control doesn't return to def.sh script for subsequent commands in def.sh
but if I invoke the abc.sh from inside the... (3 Replies)
