[comp.unix.questions] ksh executing a file without read permission

quan@hplabsb.HP.COM (Suu Quan) (12/07/89)

Ksh question:

In "The KORN shell Command and Programming language", by Bolsky & Korn,
Part I INTRODUCTION, page 6.

	"BETTER SECURITY. Ksh allows a system administrator to log and/or
	disable all privileged scripts. On current UNIX systems, users need
	read permission to execute a script. With ksh, a system administrator
	can allow ksh to read and execute a script without giving a user
	permission to read it"

Exactly what I want : have a file with permissions --x--x--x
and have everyone execute it without being able to read it.


I (actually 2 of us) cannot find in the whole book how this could be done.

How do you do it ?
-- 
Suu Quan  (TELNET/415) 857-3594			quan@hpcmfs.corp.HP.COM
HEWLETT-PACKARD, Corp Manuf Factory Systems	quan@hpcmfs
Palo Alto, CA 94304				suu quan /HP0080/04

jdpeek@rodan.acs.syr.edu (Jerry Peek) (12/07/89)

In article <5516@hplabsb.HP.COM> quan@hplabsb.HP.COM (Suu Quan) writes:
> 	"BETTER SECURITY. Ksh allows a system administrator to log and/or
> 	disable all privileged scripts. On current UNIX systems, users need
> 	read permission to execute a script. With ksh, a system administrator
> 	can allow ksh to read and execute a script without giving a user
> 	permission to read it"
> 
> Exactly what I want : have a file with permissions --x--x--x
> and have everyone execute it without being able to read it.
> How do you do it ?

We have ksh-i on our system.  We didn't use the suid_exec program, but
here's a paragraph from the ksh src/README file that explains it:

  The binary for ksh-i  becomes the file named ./ksh which can be copied to
  where ever you install it.  If you want ksh-i to be able to run setuid/gid
  shell scripts, or scripts without read permission, then it must be installed
  in the /bin directory, the /usr/bin directory, or the /usr/lbin directory
  and the name must end in sh. The program suid_exec must be installed in the
  /etc directory, must be owned by root, and must be a suid program.  If
  you must install ksh-i in some other directory and want to be able to run
  setuid/setgid and execute only scripts, then you will have to change the
  source code file sh/suid_exec.c explicitly.

--Jerry Peek; Syracuse University Academic Computing Services; Syracuse, NY
  jdpeek@rodan.acs.syr.edu, JDPEEK@SUNRISE.BITNET        +1 315 443-3995
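
Added example, not part of the original thread or of the ksh distribution: a shell check of the install conditions listed in the README paragraph quoted above. The function names are hypothetical, and the checks assume `ls -ldn` prints the mode string first and the numeric owner uid third.

```shell
#!/bin/sh
# Added example: audits the conditions from the quoted ksh src/README text.
# Function names are hypothetical, not from ksh.

# ksh_path_ok PATH
# True if PATH is in /bin, /usr/bin or /usr/lbin and its name ends in "sh".
ksh_path_ok() {
    case "$(dirname -- "$1")" in
        /bin|/usr/bin|/usr/lbin) ;;
        *) return 1 ;;
    esac
    case "$(basename -- "$1")" in
        *sh) return 0 ;;
        *) return 1 ;;
    esac
}

# suid_exec_ok PATH LS_LINE
# LS_LINE is the `ls -ldn PATH` output. True if PATH is in /etc, is a regular
# file with setuid plus owner execute ("s" in column 4), and the owner uid is 0.
suid_exec_ok() {
    [ "$(dirname -- "$1")" = /etc ] || return 1
    read -r mode _links uid _rest <<EOF
$2
EOF
    case "$mode" in
        -??s*) ;;
        *) return 1 ;;
    esac
    [ "$uid" = 0 ]
}

# audit_install KSH_PATH SUID_EXEC_PATH
# Checks a live system and prints findings,
# e.g. audit_install /bin/ksh /etc/suid_exec
audit_install() {
    rc=0
    ksh_path_ok "$1" ||
        { echo "FAIL: $1 not in /bin, /usr/bin, /usr/lbin, or name lacks sh suffix"; rc=1; }
    line=$(ls -ldn -- "$2" 2>/dev/null) || { echo "FAIL: $2 missing"; return 1; }
    suid_exec_ok "$2" "$line" ||
        { echo "FAIL: $2 must be in /etc, owned by root, setuid: $line"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: README install conditions met"
    return "$rc"
}
```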

vinoski@apollo.HP.COM (Stephen Vinoski) (12/08/89)

In article <5516@hplabsb.HP.COM> quan@hplabsb.HP.COM (Suu Quan) writes:
>Exactly what I want : have a file with permissions --x--x--x
>and have everyone execute it without being able to read it.

Page 237 of the KornShell book says:

  "Shell scripts are carried out as a separate invocation of ksh when:
   - The script has execute permission but does not have read permission."

However, I couldn't get it to work (I'm running ksh88b).


-steve

| Steve Vinoski       | Hewlett-Packard Apollo Div. | ARPA: vinoski@apollo.com |
| (508)256-6600 x5904 | Chelmsford, MA    01824     | UUCP: ...!apollo!vinoski |
| "My second wife isn't even born yet."                                        |

cpcahil@virtech.uucp (Conor P. Cahill) (12/08/89)

In article <5516@hplabsb.HP.COM>, quan@hplabsb.HP.COM (Suu Quan) writes:
> Ksh question:
> 
> In "The KORN shell Command and Programming language", by Bolsky & Korn,
> Part I INTRODUCTION, page 6.
> 
> 	"BETTER SECURITY. Ksh allows a system administrator to log and/or
> 	disable all privileged scripts. On current UNIX systems, users need
> 	read permission to execute a script. With ksh, a system administrator
> 	can allow ksh to read and execute a script without giving a user
> 	permission to read it"
> 
> Exactly what I want : have a file with permissions --x--x--x
> and have everyone execute it without being able to read it.
> 
> How do you do it ?

The manual is talking about "privileged scripts" otherwise known as setuid 
scripts.  When ksh is invoked to run a script file that has setuid bits set,
it invokes a setuid-root program which will then set its effective ids as 
is appropriate.  Since this is a setuid root program, it can
read any file on the system regardless of the modes of said file.

Note that only the special program to set uids can read whatever file, not 
the script itself.


-- 
+-----------------------------------------------------------------------+
| Conor P. Cahill     uunet!virtech!cpcahil      	703-430-9247	!
| Virtual Technologies Inc.,    P. O. Box 876,   Sterling, VA 22170     |
+-----------------------------------------------------------------------+