Re: Script-Permission

From: Aaron W Morris (aaronmorris@MINDSPRING.COM)
Date: Thu Feb 26 2004 - 13:30:12 EST


Kumar, Praveen (cahoot) wrote:
> Hi,
> Sorry to tell this late...actually the requirement is not to run a
> script owned by root, but a non root user say user1 owns a script, which
> another non root user say user2 wants to execute without having read permission
> for user2, as user1 stores some passwords in this script.
>
> TIA
> Praveen.K
>
> -----Original Message-----
> From: Bob Booth - CITES [mailto:booth@UIUC.EDU]
> Sent: 25 February 2004 21:24
> To: aix-l@Princeton.EDU
> Subject: Re: Script-Permission
>
>
> agreed!
>
> sudo is a good option, and you should also make sure that the script you
> propose *really* needs to be run as root. These types of scripts/wrappers are
> almost always targets of hackers with a binary editor.
>
> bob
>
> On Wed, Feb 25, 2004 at 03:11:13PM -0600, John Jolet wrote:
>
>>as the comments say....be very careful with this sort of mechanism. make sure
>>you've exhausted your other options...have you tried sudo?
>>
>>On Wednesday 25 February 2004 02:52 pm, you wrote:
>>
>>>Here is an example of a setuid C program wrapper:
>>>
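>>>/*
>>>C program wrapper so that scripts can be run suid root.
>>>!!!USE at your own risk!!!
>>>*/
>>>
>>>#include <pwd.h>
>>>#include <stdio.h>
>>>#include <unistd.h>
>>>#include <sys/resource.h>
>>>
>>>int main(int argc, char *argv[]) {
>>> struct passwd *pw = getpwnam("root");
>>> if (pw == NULL) { perror("getpwnam"); return 1; }
>>> setpriority(PRIO_PROCESS, 0, -20);
>>> /* stop if the uid switch fails, rather than running the script as the caller */
>>> if (setuid(pw->pw_uid) != 0) { perror("setuid"); return 1; }
>>> execv("fullpath and name of your script here", argv);
>>> perror("execv"); /* reached only if execv failed */
>>> return 1;
>>> }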
>>>
>>>On Wed, Feb 25, 2004 at 02:35:20PM -0600, John Jolet wrote:
>>>
>>>>if they can't read the script, how can the bash shell interpret it? the
>>>>only way to do this is with a setuid wrapper program. aix disallows
>>>>setuid shell scripts, so you'll most likely have to write it in c or
>>>>something.
>>>>
>>>>On Wednesday 25 February 2004 02:16 pm, you wrote:
>>>>
>>>>>Hi *,
>>>>> I have a script which has a password stored in it, and i
>>>>>want some of the identified users to be able to execute this script,
>>>>>The user is unable to execute after setting the execute bit on the
>>>>>script, but once i give read permission also to that user, he is able
>>>>>to do execute. pl let me know is there any way where i can allow the
>>>>>other user to execute but still disable him to read the script.
>>>>>
>>>>>TIA
>>>>>Praveen.K
>>>>>

You don't have to run a script as root with sudo, you can also specify a
user with sudo. Just specify in the sudoers file that each user can
only run the script as the user that owns the script.

--
Aaron W Morris <aaronmorris@mindspring.com> (decep)
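
The sudoers rule described in the reply above, as an added example that is not part of the original post. user1 and user2 are the names used in the thread; the script path /home/user1/bin/job.sh is a hypothetical placeholder.

```sudoers
# Added example (not from the original thread). Edit with visudo so that a
# syntax error cannot lock sudo out.
#
# Assumed one-time setup by user1 on the script (hypothetical path):
#   chmod 700 /home/user1/bin/job.sh    # owner only: user2 cannot read it
# The script's directory must not be writable by user2, otherwise user2
# could replace the file that sudo runs.

# Name the one command this rule covers. The trailing "" means sudo only
# matches the command when it is given no arguments at all.
Cmnd_Alias USER1_JOB = /home/user1/bin/job.sh ""

# user2 may run that command as user1, and only as user1. There is no
# (root) or (ALL) here, so the rule grants no root access.
user2 ALL = (user1) USER1_JOB

# For this command, keep sudo's environment reset on and do not let the
# caller pass variables through.
Defaults!USER1_JOB env_reset, !setenv

# user2 then runs the script with:
#   sudo -u user1 /home/user1/bin/job.sh
# and is asked for user2's own password, not user1's.
```

The script still executes with user1's privileges, so anything it lets the caller influence (input it prompts for, files it reads from writable locations) is handled as user1.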

