I have a binary script along with a key file and required libs in a folder on my shell. There are 3 users on the shell currently whom I want to allow to run the binary script. Each user who runs it runs it as a separate instance/process. In order to start, the script is run by using an .sh file which specifies the location of the binary and its libs. For example, ./script.sh is the command.
I have the script currently in /home/script/user (will create also dir called /user2 for other user) where script is a new user I created for it. User runs the .sh from their homedir and then it automatically writes a config file in /home/script/user. I have been playing around with chmod because I don't want anyone to be allowed to steal the script or any of its contents inside the directory. To summarize, I only want users to be able to execute the binary and read the libs and key file as well as write their config to respective user directory in /home/script/. I don't want to allow them to delete, edit, copy, or download anything inside the /script directory. Currently only the binary can't be altered in anyway, but the key file and libs are able to be copied or downloaded. I couldn't figure out how to chmod the key and libs so that they can't be copied etc, only read to run binary successfully.
Please let me know how I can accomplish my permission goals and/or if there is another or easier way to do this. Thanks.
I believe you can achieve most of what you want with chmod and groups. So to allow a bunch of users to run a script you'd create a group, add them to it. Create a group and add users to it like this:
groupadd <groupname>
usermod -a -G <groupname> <username>
Then to make a file only executable by a group you'd run
chgrp <groupname> <file>
chmod g+x <file>
Unfortunately because of the way that chmod works you cannot allow a file to be read but not copied. This is because chmod works with read, write and execute permissions and if you can read you can copy.
Related
My question is how I can make one folder accessible when script running.
In this case lets call there is bob who copying his folder by using script to specific location and there is jeff who also sharing the same group as bob also he copying his file to there with using script.
The problem is that when I set file group they need write and execute permission and when I gave to them they are able to see each other file content if they know full path of the file.
To stop that I am thinking to completely deleting all permission on folder and only giving the permission when script running and doing copying process.
But problem is that when those users run the script and script try to chmod the file permission they are not going to be able to because they don't have enough permission to do it. Also if I add them on sudoers, they are going to be able to chmod and change anything as they want to change.
So I am so confused about how I can make the script change permission of folder and when copying completed turn back to previous permission
You should add a sudoers entry to allow ALL or the selected group to run a given script that does the copy to a restricted directory, with NOPASSWD to avoid the password prompt.
Then the users invoke
$ sudo /path/to/copy-to-restricted-dir files*
but users don't have access to restricted directory nor to chmod.
I want to index some files and keep a registry as part of a utility I am writing in BASH. So, my tool would go to a massive directory and write some essential information about each file it finds there to another file that I would like to call "myregistry." The file would only be rewritten if the user asks it to - since going through a large file structure and "indexing" it this way would take considerable time.
I want this file to not show up when the user does ls in the directory where it is contained. In addition, I want the user to have no privileges with it at all - the user should not be able to open it up on vim or anything, not even to just look at it.
However, if the user executes my script again, I want the user to have the option of getting some information out of the file from there. I also want the script to have the permissions to look at the file and add or delete things from it, if the user prompts it to. But the user should not be able to do anything to it directly.
How can I do this? It would require using chmod but I have no idea how to put it together.
I'm thinking:
# Enable write permission
# Do Something - ensure that no one else is writing to this file
# Disable write permission
On Unix, you're more or less on an equal footing with other processes that run under the same user. Whatever you can do, they can do. If you can hide and unhide something, so can they. Interpreted scripts need read permissions to run, so it's not like you can hide any secrets in your executable. If you can however, distribute your software as a binary, you'll be able to run without being readable. Then you can hardcode a secret into the binary and use it to encrypt and decrypt files. Users will be able to run your binary, but only the superuser will be able to get the secret and decrypt your registry. That's real security (against regular (nonroot) users) (especially if you manage to create and embed the secret at installation time).
Playing with dotfiles and permissions won't fool any advanced user.
Something like this work? write_index and read_index are your work.
cd massive_dir
TFILE=$(mktemp --tmpdir=.)
write_index >$TFILE
mv -f $TFILE .index
chmod a-rw .index
To read
chmod +r .index
read_index .index
chmod -r .index
Note that no locking is needed because of the temp file. mv is atomic.
I have a unix shell script file whose owner is "xyz" when run deletes some specific files.
I want to trigger this script to delete files in some other directory where the owner for the files to be deleted is different from the owner of the script. Is this possible? Is this possible to run this script as different user so that it can delete those new files?
EDIT : I use Autosys to periodically trigger this script.
You can chmod the files that need to be deleted first if you have sufficient rights. Afterwards your script, no matter what user it executes, will succeed.
Examples : http://en.wikipedia.org/wiki/Chmod
Usually you use sudo for that:
sudo -u ANOTHER_USER /path/to/the/script.sh
However, your current account needs proper permissions to do so. You can configure those permissions using the file /etc/sudoers.
You'll find a ton of articles out there how to use sudo. This for example: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:Ch09:_Linux_Users_and_Sudo
I've finished a little useful script written in Bash, hosted on github. It's tested and documented. Now, I struggle with how to make it installable, i.e. where should I put it and how.
It seems other such projects use make and configure but I couldn't really find any information on how to do this for bash scripts.
Also I'm unsure into which directory to put my script.
I know how to make it usable by myself but if a user downloads it, I want to provide the means for him to install it easily.
There is no standard for this because most of the time, a project isn't a single script file. Also single file scripts don't need a build step (the script is already in an executable form) and configuration usually comes from an external config file (so no need for a configure script, either).
But I suggest to add a comment near the top of the file which explains what it does and how to install it (i.e. chmod +x + copy to folder).
Alternatively, you could create an installer script which contains your original script plus a header which asks the user where she wants to install the real script and which does everything (mkdir, set permissions with sudo, etc) but it really feels like overkill in your case.
If you want to make it installable so the package manager can easily install and remove (!) it, you need to look at the documentation for rpm or Debian packaging. These are the two most used package managers but they can't install a script per-user (so it would probably end up in /usr/bin)
instruct them to create a file named after the script in their home directory, chmod ug+x the file so it has executable permissions than put the script inside the file, don't forget the #!/bin/bash up top of the vim. This example is a script to copy a file, archive the copied file than remove the copied file leaving only the original file and the archived file.
#!/bin/bash
#### The following will copy the desired file
cp -r /home/wes/Documents/Hum430 /home/wes/docs
#### Next archives the copied file
tar -zcvf Hum430.tar.gz /home/wes/docs
#### and lastly removes the un-archived copy leaving only the original and the archived file.
rm -r /home/wes/docs
### run the file with ./filename (whatever the file is named)
I'm trying to write a script that will let me add to an existing directory structure and copy a bunch of files into various places within this. However, using mkdir ... and cp... commands alone wont work since I do not have permission to do so. I understand that this can be changed manually in the 'Get Info' window, but this script will be run by others and its whole point is to save time and hassle.
Is there a way of adding to this script to give me permission to copy files to BASEDIR/SUBDIRS?
A bit more detail on what I'm doing:
I want to add to the directory BASEDIR with a bunch of SUBDIRS then copy files into these subdirectories. The problem is that I am receiving these 'permission denied' errors right after the mkdir BASEDIR/SUBDIR1/SUBDIR2 command.
Thanks
The command
sudo chmod -R ugo=rwx BASEDIR/
gives all folder permissions to all users to BASEDIR and all its subdirectories