RE: HOWTO : protect a shell script?

Wed, 08 Jan 2003 05:31:30 -0800 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here's a little C program I wrote once...  Try compiling & running
it.  You might need to add a "sytem("cd what/ever/directory")", or
maybe a table with a list of different files to be run...

#include <stdio.h>
#include <system.h>

void main(int noargs, char *args[])
{
        int     i;

        for(i=1 ; i<noargs ; i++)
                system(args[i]);

}

- -----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 07, 2003 11:46 PM
To: [EMAIL PROTECTED]
Subject: Re: HOWTO : protect a shell script?


On Tue, Jan 07, 2003 at 05:32:08PM -0800, Todd A. Jacobs wrote:
> On Tue, 7 Jan 2003, Burke, Thomas G. wrote:
> 
> > I have some script shell (belong to root). I would like it to be
> > executable by every users but i don't want it to be readable by
> > others users.
> 
> Can't be done directly. A shell script *must* be readable (and
> *can* be executable), since it's interpreted by the shell.
> 
> If you absolutely must do this, though, you can create a wrapper
> script that's SUID to an account with permissions to run the
> "secret" script, but SUID scripts harbor their own dangers.

There is a problem with this, see the man page: "man 2 execve"
Near the end of the page is the following (in the Notes section):
  "Linux ignores the SUID and SGID bits on scripts."

This means you cannot create a script based SUID wrapper.  It can
still be 
done with a very small c program.  An example of one was posted to
this list
earlier today under this same topic..

- -- 
Jeff Kinz, Emergent Research,  Hudson, MA.  "[EMAIL PROTECTED]" 
"[EMAIL PROTECTED]" copyright 2002.  Use is restricted. Any use is an 
acceptance of the offer at http://users.rcn.com/jkinz/policy.html.



- -- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBPhwmKNPjBkUEZx5AEQIu7gCggiCJ09c95bzWxt8s9fzoGtQc9uIAmwQr
2rsTLk7GbHCmNaBLmbN6yivW
=kW3Q
-----END PGP SIGNATURE-----



-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list

Reply via email to