I want to allow users to execute a bash script that contains sensitive data. Thus, I don't want them to have reading permissions. A 'direct' solution seems to be impossible, but I may have found a workaround in the expect man page:
Create the Expect script (that contains the secret data) as usual.
Make its permissions be 750 (-rwxr-x---) and owned by a trusted group,
i.e., a group which is allowed to read it. If necessary, create a new
group for this purpose. Next, create a /bin/sh script with permissions
2751 (-rwxr-s--x) owned by the same group as before.
I've tried to replicate this as follows:
In a folder, I have two scripts:
script.sh:
#!/bin/sh
echo "targetscript echo"
runscript.sh:
#!/bin/sh
echo "runscript echo"
groups
./script.sh
I gave them the rights as suggested in the man page:
groupadd scriptrunner
chown {myusername}:scriptrunner runscript.sh
chmod 2751 runscript.sh
chown root:scriptrunner script.sh
chmod 750 script.sh
The output of ls -l appears to be alright:
-rwxr-s--x. 1 {myusername} scriptrunner 51 Aug 25 13:04 runscript.sh
-rwxr-x---. 1 root scriptrunner 35 Aug 25 13:01 script.sh
However, when I run ./runscript.sh without root, I get the following error:
runscript echo
{myusername} wheel
./runscript.sh: line 4: ./script.sh: Permission denied
I don't know what went wrong. Can anyone help me?
I'll go back to the root problem as I think it's easier to solve without the expect hack.
So, what you need is having the execute permission on your script but not the reading permission. That is only possible for binaries (i.e. not interpreted scripts)- see details here https://unix.stackexchange.com/questions/34202/can-a-script-be-executable-but-not-readable
So maybe you'll be better off by first compiling your bash script into a binary (with shc - see here https://unix.stackexchange.com/questions/64762/how-to-convert-a-shell-script-into-a-binary-executable) and then set the execute only permission on the binary. Afterwards your users should be able to execute (but not read) the binary.
Related
I am running a bash script and these commands in the script will not work without sudo in front of them. The script.sh is located in a folder such as /jobs/script.sh
Example of commands I am trying to run in the script.sh -
mv /var/app/myapp /var/app/myapp.old
rm file.tar.gz
tar -xzf /home/ubuntu/file.tar.gz -C /var/app/
All the above work if I add sudo in front of them.
I am trying to figure out what permissions are required for them to work without adding sudo in the script.
I have tried giving the script.sh rwx permissions and changing owner to root.
I'm learning permissions in linux, so I'm new to this. Basically what permission should the script.sh have so that I dont have to use sudo in the bash file? Any insight would greatly help.
When you run sudo <some command>, then <some command> is run by the root user (Super user do). The reason you might need to run any command using sudo is because the permissions on the files that command reads/writes/executes are such that only the "Super user" (root) has that permission.
When executing the command mv fileA fileB, the executing user would need:
Write permission to fileB if fileB already existed
Write permission to the directory containing fileB
From what you said it’s most likely you want read and write permissions you can achieve this with chmod
Chmod +[permission] filename
(+ is used to add permission you can also use - instead to remove it)
Where permissions can be:
r —> read
w—> write
x —>excecute
... and more
FOR EXAMPLE: it seems you write permissions for the first file so :
chmod +w /var/app/myapp
Will fix problem
Shell script file dummy.sh with -rw-r--r-- permission, runs fine with below commands.
/usr/bin/sh dummy.sh
(OR)
/usr/bin/bash dummy.sh
But ends up with bash: ./dummy.sh: Permission denied error, when executed directly as below. What's the reason behind this?
./dummy.sh
Your Script needs to be marked as executable for your system. This is done by setting the "x" bit for either the owner, the group or the rest of the world.
See: Wikipedia - Unix permissions
By executing
chmod 755 dummy.sh
you will set read, write and execute permissions for the owner of the script and read and execute permissions for the group and the rest of the world.
Provide "execute" permission to your shell script, using either of the following options:
chmod 744 dummy.sh
chmod u+x dummy.sh
Do refer to chmod documentation
I am trying to get a start up script for OrientDB (a database) on Ubuntu to work.
This is currently the line that causes problems:
ORIENTDB_DIR="/usr/local/orientdb"
ORIENTDB_USER="www-user"
sudo -u $ORIENTDB_USER sh -c "cd \"$ORIENTDB_DIR/bin\"; /usr/bin/nohup server.sh 1>../log/orientdb.log 2>../log/orientdb.err &"
If I start the script, it results in this:
sh: 1: cannot create ../log/orientdb.log: Permission denied
Here's the setup:
www-user is in the sudoers file
server.sh and any the shell script posted above have execute privileges for root.
If I change the script to this:
sudo -u $ORIENTDB_USER sh -c "cd \"$ORIENTDB_DIR/bin\"; /usr/bin/nohup pwd 1>/home/www-user/test.log &", test.log shows /usr/local/orientdb/bin/ as the working directory.
/usr/local/orientdb/log exists but is an empty folder.
Given the above and the fact that I am using sudo to elevate the user, why is permission still denied?
You may have been misunderstanding sudo a bit — sudo does not necessarily elevate a user's rights; in fact, it may reduce the rights they have. When you pass sudo the -u flag, it will change to that user. If that user has more rights — root, for example (the default if -u is not passed) — then you'll get more rights. If the user has less rights — nobody, for example — you'll have less rights. You said that the log directory has these permissions:
drwxrwxr-x 2 root root 4096 Dec 11 10:13 /usr/local/orientdb/log
Yet, you're changing to the www-user user. The www-user user, unless it is part of the root group (unlikely), will not be able to write to that directory: it is only writable by the owner and group, and www-user is clearly not the root user and www-user is probably not part of the root group.
In short, don't pass -u (and its associated argument) if you want to elevate to root.
Try rewriting the last line of your script to:
sudo -u $ORIENTDB_USER sh -c "/usr/bin/nohup \"$ORIENTDB_DIR\"/bin/server.sh 1> \"$ORIENTDB_DIR\"/log/orientdb.log 2> \"$ORIENTDB_DIR\"/log/orientdb.err &"
If that still doesn't work, then www-user probably doesn't have write permission to /usr/local/orientdb/log (Note that you said /usr/local/orientdb/logs exists but is an empty folder: one of them has a s at the end)
I wrote a small bash script to test suid permission
$ cat phone.sh
#!/bin/sh
echo "abc" >> out.txt
$ ls -l out.txt phone.sh
-rw-r--r-- root wzj ... out.txt
-rwsr-xr-x root wzj ... phone.sh
$ ./phone.sh
./phone.sh: 2: cannot create out.txt: Permission denied
why? I thought I already set the suid permission , so i can run the phone.sh with root privilege to modify the out.txt file , but i just failed. Can anybody tell me where i did wrong please?
Most *nix OSes don't allow scripts to utilize SUID. Check out Vidar's blog entry on the subject. Perl scripts can use SUID, but as Vidar explains, it's due to how Perl is implemented. It appears Bash scripts simply won't run with SUID. Sorry I don't have a more useful answer for you, it looks like this is just "how things are".
I would like to write a shell script that sets up a mercurial repository, and allow all users in the group
"developers" to execute this script.
The script is owned by the user "hg", and works fine when ran. The problem comes when I try to run it
with another user, using sudo, the execution halts with a "permission denied" error, when it tries to source another file.
The script file in question:
create_repo.sh
#!/bin/bash
source colors.sh
REPOROOT="/srv/repository/mercurial/"
... rest of the script ....
Permissions of create_repo.sh, and colors.sh:
-rwxr--r-- 1 hg hg 551 2011-01-07 10:20 colors.sh
-rwxr--r-- 1 hg hg 1137 2011-01-07 11:08 create_repo.sh
Sudoers setup:
%developer ALL = (hg) NOPASSWD: /home/hg/scripts/create_repo.sh
What I'm trying to run:
user#nebu:~$ id
uid=1000(user) gid=1000(user) groups=4(adm),20(dialout),24(cdrom),46(plugdev),105(lpadmin),113(sambashare),116(admin),1000(user),1001(developer)
user#nebu:~$ sudo -l
Matching Defaults entries for user on this host:
env_reset
User user may run the following commands on this host:
(ALL) ALL
(hg) NOPASSWD: /home/hg/scripts/create_repo.sh
user#nebu:~$ sudo -u hg /home/hg/scripts/create_repo.sh
/home/hg/scripts/create_repo.sh: line 3: colors.sh: Permission denied
So the script is executed, but halts when it tries to include the other script.
I have also tried using:
user#nebu:~$ sudo -u hg /bin/bash /home/hg/scripts/create_repo.sh
Which gives the same result.
What is the correct way to include another shell script, if the script may be ran with a different user, through sudo?
What is probably happening is that the script tries to source the file colors.sh in the current directory and fails because it doesn't have permission to read your current directory because of sudo.
Try using source /home/hg/scripts/colors.sh.