
List:       aix-l
Subject:    Re: Script-Permission
From:       Aaron W Morris <aaronmorris () MINDSPRING ! COM>
Date:       2004-02-26 18:30:12
Message-ID: 403E3B34.7060300 () mindspring ! com

Kumar, Praveen (cahoot) wrote:
> Hi,
>        Sorry to tell this late...actually the requirement is not to run a
> script owned by root, but a non-root user, say user1, owns a script which
> another non-root user, say user2, wants to execute without having read
> permission for user2, as user1 stores some passwords in this script.
>
> TIA
> Praveen.K
>
> -----Original Message-----
> From: Bob Booth - CITES [mailto:booth@UIUC.EDU]
> Sent: 25 February 2004 21:24
> To: aix-l@Princeton.EDU
> Subject: Re: Script-Permission
>
>
> agreed!
>
> sudo is a good option, and you should also make sure that the script you
> propose *really* needs to be run as root.  These types of scripts/wrappers
> are almost always targets of hackers with a binary editor.
>
> bob
>
> On Wed, Feb 25, 2004 at 03:11:13PM -0600, John Jolet wrote:
>
>>as the comments say....be very careful with this sort of mechanism.  make
>>sure you've exhausted your other options...have you tried sudo?
>>
>>On Wednesday 25 February 2004 02:52 pm, you wrote:
>>
>>>Here is an example of a setuid C program wrapper:
>>>
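>>>/*
>>>C program wrapper so that scripts can be run suid root.
>>>!!!USE at your own risk!!!
>>>*/
>>>
>>>#include <pwd.h>
>>>#include <unistd.h>
>>>#include <sys/resource.h>
>>>
>>>int main(int argc, char *argv[]) {
>>>   struct passwd *pw = getpwnam("root");   /* look up the target account */
>>>   if (pw == NULL)
>>>      return 1;
>>>   setpriority(PRIO_PROCESS, 0, -20);      /* raise scheduling priority */
>>>   if (setuid(pw->pw_uid) != 0)            /* stop if the uid switch fails */
>>>      return 1;
>>>   execv("fullpath and name of your script here", argv);
>>>   return 1;                               /* reached only if execv fails */
>>>   }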
>>>
>>>On Wed, Feb 25, 2004 at 02:35:20PM -0600, John Jolet wrote:
>>>
>>>>if they can't read the script, how can the bash shell interpret it?
>>>>the only way to do this is with a setuid wrapper program.  aix disallows
>>>>setuid shell scripts, so you'll most likely have to write it in c or
>>>>something.
>>>>
>>>>On Wednesday 25 February 2004 02:16 pm, you wrote:
>>>>
>>>>>Hi *,
>>>>>           I have a script which has a password stored in it, and I
>>>>>want some of the identified users to be able to execute this script.
>>>>>The user is unable to execute after setting the execute bit on the
>>>>>script, but once I give read permission also to that user, he is able
>>>>>to execute. Please let me know if there is any way where I can allow the
>>>>>other user to execute but still disable him to read the script.
>>>>>
>>>>>TIA
>>>>>Praveen.K
>>>>>

You don't have to run a script as root with sudo, you can also specify a
user with sudo.  Just specify in the sudoers file that each user can
only run the script as the user that owns the script.


--
Aaron W Morris <aaronmorris@mindspring.com> (decep)
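
The sudoers arrangement described in the reply above, written out as an added example that is not part of the original message. The names user1 and user2 come from the thread; the script path and the alias names are hypothetical.

```sudoers
# Added example, not from the original thread. Edit with visudo so that
# syntax errors are caught before the file is installed.
#
# Assumed file layout (hypothetical path):
#   /home/user1/bin/nightly_job.sh   owner user1, mode 0700
#   /home/user1/bin                  not writable by user2
# With mode 0700 user2 can neither read nor execute the file directly.
# The shell that interprets it runs as user1, so it can read it.

User_Alias   SCRIPT_USERS  = user2
Runas_Alias  SCRIPT_OWNER  = user1

# Full path only. The trailing "" means the command may be run with no
# arguments at all, so callers cannot pass options through to the script.
Cmnd_Alias   SECRET_SCRIPT = /home/user1/bin/nightly_job.sh ""

# SCRIPT_USERS may run SECRET_SCRIPT as SCRIPT_OWNER, and nothing else.
# Without NOPASSWD, user2 is prompted for user2's own password.
SCRIPT_USERS ALL = (SCRIPT_OWNER) SECRET_SCRIPT

# user2 then invokes the script with:
#   sudo -u user1 /home/user1/bin/nightly_job.sh
```

The script still holds the password in clear text on disk, so anything that runs as user1 or root can read it; the rule only keeps user2 from opening the file.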