Visit Our UNIX and Linux User Community


File Permission


 
Thread Tools Search this Thread
Top Forums UNIX for Advanced & Expert Users File Permission
# 1  
Old 03-26-2002
File Permission

I have written a shell script function, this function reads a encrypted a file and does some processing. I want to give execute permissions to others but I don't want to give read access to the shell script function. Since the shell script function know how to open the encrypted file so that's why I don't want to allow others to see the content of shell script file. I want this kind of permissions (rwxr-x--x myscript.ksh)
The problem is other users get permission problem, since shell can't read file so it can't execute as well.

Is there any easy method so that the others can execute but can't read the shell script file. I know writing C programme will solve this problem but I am not good in writing C programme.

Thanks
Sanjay
sanjay92
# 2  
Old 03-26-2002
Yeah, that's always a tricky one...

You can create a wrapper script for your original script with setuid permissions.

Ie: wrapperscript.sh has 4755 permissions and your readme.sh script has 111 permissions.

You just need to do some checksumming or validation when using setuid wrapper scripts as it can open up security holes if not done properly. A very simple example would be to make sure you use the fully qualified path to your file reader script...

That's all I can think of off the top of my head Smilie

Good luck.
# 3  
Old 03-27-2002
No Unix that I know of will execute a shell script setuid, even if the setuid bit is on.

You could write a wrapper script, though, using sudo, and if you set up the sudoers file correctly, you should be able to let them execute, but not read.
# 4  
Old 03-27-2002
Thanks Guys,
I was able to write a C wrapper script and it looks like it works perfect.


Sanjay


#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/**********************************************
This is the wrapper script
How to Compile : gcc f_getSQLPLUS.c -o f_getSQLPLUS
: chmod 4711 f_getSQLPLUS

***********************************************/

int main(int argc, char *argv[]) {
char argbuf[4096] = ". /opt/app/oracle/local/bin/oralib.ksh ; ";
int i;

for (i = 0; i < argc ; i++)
{
strcat(argbuf,argv[i]);
strcat(argbuf, " ");
}

//printf("%s", argbuf);
system(argbuf);
}



Quote:
Originally posted by LivinFree
No Unix that I know of will execute a shell script setuid, even if the setuid bit is on.

You could write a wrapper script, though, using sudo, and if you set up the sudoers file correctly, you should be able to let them execute, but not read.
sanjay92
# 5  
Old 03-29-2002
Quote:
No Unix that I know of will execute a shell script setuid, even if the setuid bit is on.
Here's an example. Script A and script B. Script A is set with 4755 "root : other" permissions, script B is set with 100 "root : other" permissions:

-rwsr-xr-x 1 root other 123 Mar 29 15:19 a
---x------ 1 root other 119 Mar 29 15:19 b

Script A is as follows:

#!/bin/ksh
echo "\nIn A"
echo "id --- \c"
id
echo "whoami --- \c"
/usr/ucb/whoami
echo "who am i --- \c"
who am i
./b

Last line, you'll see that A calls B.

Script B is as follows:

#!/bin/ksh
echo "\nin B"
echo "id --- \c"
id
echo "whoami --- \c"
/usr/ucb/whoami
echo "who am i --- \c"
who am i

Changing to login testme and attempting to run B:

$ ./b
ksh: ./b: cannot execute
$

And running A:

$ ./a

In A
id --- uid=100(testme) gid=20(testme) euid=0(root)
whoami --- root
who am i --- root pts/7 Mar 29 15:10 (machine hidden)

in B
id --- uid=100(testme) gid=20(testme) euid=0(root)
whoami --- root
who am i --- root pts/7 Mar 29 15:10 (machine name)
$

Fairly simple and quick test to setup Smilie. Notice the effective uid and read uid are different.

Glad you got your script working...
# 6  
Old 03-31-2002
Quote:
Originally posted by halfling
Fairly simple and quick test to setup Smilie. Notice the effective uid and read uid are different.
The use of /usr/ucb suggested that you are using SunOS. I tried a similiar script and verified that SunOS 5.6 does indeed support setuid shell scripts. Whoa! I didn't know that...

I tried the following script also setuid to root and invoked by an ordinary user:
Code:
#! /usr/bin/ksh
sleep 999
exit 0

And I tracked down the ksh command in "ps". It showed up as "/usr/bin/ksh /dev/fd/3". Any unix version with a fd psuedo-filesystem can use the same trick. This closes that nasty setuid shell script problem completely. This doesn't mean that setuid shell scripts are totally safe, but they are as safe as they would be if sudo invoked them.
# 7  
Old 04-02-2002
Well, golly, I stand corrected...

Previous Thread | Next Thread
Test Your Knowledge in Computers #606
Difficulty: Easy
MySQL 7.0 added the JSON utility function JSON_PRETTY(), which outputs an existing JSON value in an easy-to-read format.
True or False?

10 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

MV file with other permission

Hello All I have a file with rw-rw-r permission I need to mv the file into different directory (dir has rwx-rwx-rwx permission) with an others permission The application which is moving the file falls in other group I am getting the error mv cannot renamed permission denied ... (12 Replies)
Discussion started by: Pratik4891
12 Replies

2. Ubuntu

File permission

Hi Friends, I want to create one user on my server in such a way that when he logged in by ssh on server,he can able to access ONLY /var/www/drupal-6.2 this directory. Please tell me how should i do that. (4 Replies)
Discussion started by: paragnehete
4 Replies

3. Shell Programming and Scripting

File permission

I have an application with the user mark and another user james is trying to run the application and ending up with file permission issues. The user mark has set the umask as 002, I wanted to have a setting so that anyone can run the application without any file permission issues. Can anyone... (2 Replies)
Discussion started by: Muthuraj K
2 Replies

4. Shell Programming and Scripting

file permission

Hi All, https://www.unix.com/unix-advanced-expert-users/105758-chmod-parent-sub-directories.html I have to change permission for the directories and subdirectories in single command when googled i found some updates but i understand what is switch. If there is a command please... (2 Replies)
Discussion started by: thelakbe
2 Replies

5. Solaris

file permission

hi frnds can u explain /etc/shadow file have read and write permissions for root only but while normal user changes his passwd it also updated in that file whats the logic behind that. (2 Replies)
Discussion started by: sravan ega
2 Replies

6. Cybersecurity

file permission/acl: 2 users with write access on 1 file...

Hello, i need some help/advice on how to solve a particular problem. these are the users: |name | group | ---------- --------------- |boss | department1 | |assistant | department1 | |employee | department1 | |spy | department2 | this is the... (0 Replies)
Discussion started by: elzalem
0 Replies

7. UNIX for Dummies Questions & Answers

File Permission

Hi, When I listed one directory in Sun, it showed that : -rwsr-xr-x 1 root bsmbin 78004 Oct 21 2004 bsmprsm I don't know meaning of the character "s" in "rws" above. I have searched in Sun admin documents but no result. Would you please explain it ? :) Thank you so much. (1 Reply)
Discussion started by: msg098
1 Replies

8. Solaris

File permission

Hi Folks I have a file with the following permission. -r-sr-lr-- 1 apps appsgp 7612 Dec 19 2001 startup Any idea what is the in the group means? In my mind I believe I need to be root to set l in the group. Am I right? I don't have root access now. When I (as apps) a chmod... (2 Replies)
Discussion started by: hlee411
2 Replies

9. Shell Programming and Scripting

The file permission

there is a directory eg. /home/edp/ , all the files under this directory : 1. the file and directory owner is "user1" , 2. the permission is 644 I want everyone hv permission to overwrite all files and write a new file to it , but I want the file owner and permssion keep unchange , could... (1 Reply)
Discussion started by: ust
1 Replies

10. UNIX for Dummies Questions & Answers

The file permission

I have a file ( /tmp/file.txt ) , the file owner is user1:edp , the permission is 644 , I want everyone can overwrite the file but don't change the file owner and permssion , could suggest what can I do ? thx (2 Replies)
Discussion started by: ust
2 Replies

Featured Tech Videos