I have a bash script archive.sh which belongs to User1 and has the permissions as 755. Also there are two other scripts archive1.sh and archive2.sh in the same directory, belonging to the same user (User1) but with permissions 744. The scripts archive1.sh and archive2.sh are called from inside the script archive.sh.
Now this script archive.sh is executed from another user User2 in the same group as User1. Since archive.sh has 755 permissions, it can be executed without any problem. But inside that script there are calls to archive1.sh and archive2.sh which have 744 permissions. So if I call archive.sh from User2, then will it execute the two scripts inside it?
When I tried it, the child scripts are running correctly but I am not sure how
Depends how the two "children" are called.
./child.sh will fail because you don't have the right permissions.
/bin/sh child.sh would work because you only need read access.
Related
I want to allow users to execute a bash script that contains sensitive data. Thus, I don't want them to have reading permissions. A 'direct' solution seems to be impossible, but I may have found a workaround in the expect man page:
Create the Expect script (that contains the secret data) as usual.
Make its permissions be 750 (-rwxr-x---) and owned by a trusted group,
i.e., a group which is allowed to read it. If necessary, create a new
group for this purpose. Next, create a /bin/sh script with permissions
2751 (-rwxr-s--x) owned by the same group as before.
I've tried to replicate this as follows:
In a folder, I have two scripts:
script.sh:
#!/bin/sh
echo "targetscript echo"
runscript.sh:
#!/bin/sh
echo "runscript echo"
groups
./script.sh
I gave them the rights as suggested in the man page:
groupadd scriptrunner
chown {myusername}:scriptrunner runscript.sh
chmod 2751 runscript.sh
chown root:scriptrunner script.sh
chmod 750 script.sh
The output of ls -l appears to be alright:
-rwxr-s--x. 1 {myusername} scriptrunner 51 Aug 25 13:04 runscript.sh
-rwxr-x---. 1 root scriptrunner 35 Aug 25 13:01 script.sh
However, when I run ./runscript.sh without root, I get the following error:
runscript echo
{myusername} wheel
./runscript.sh: line 4: ./script.sh: Permission denied
I don't know what went wrong. Can anyone help me?
I'll go back to the root problem as I think it's easier to solve without the expect hack.
So, what you need is having the execute permission on your script but not the reading permission. That is only possible for binaries (i.e. not interpreted scripts)- see details here https://unix.stackexchange.com/questions/34202/can-a-script-be-executable-but-not-readable
So maybe you'll be better off by first compiling your bash script into a binary (with shc - see here https://unix.stackexchange.com/questions/64762/how-to-convert-a-shell-script-into-a-binary-executable) and then set the execute only permission on the binary. Afterwards your users should be able to execute (but not read) the binary.
Shell script file dummy.sh with -rw-r--r-- permission, runs fine with below commands.
/usr/bin/sh dummy.sh
(OR)
/usr/bin/bash dummy.sh
But ends up with bash: ./dummy.sh: Permission denied error, when executed directly as below. What's the reason behind this?
./dummy.sh
Your Script needs to be marked as executable for your system. This is done by setting the "x" bit for either the owner, the group or the rest of the world.
See: Wikipedia - Unix permissions
By executing
chmod 755 dummy.sh
you will set read, write and execute permissions for the owner of the script and read and execute permissions for the group and the rest of the world.
Provide "execute" permission to your shell script, using either of the following options:
chmod 744 dummy.sh
chmod u+x dummy.sh
Do refer to chmod documentation
Hi I made a script as root called whatever and saved it in /
I then made a new user adduser guest
when i log in as guest via su - guest and try to run the script with cd / && ./whatever
I get permission denied which is good, but all i have to do is bash /whatever and it works.
Is the correct sollution to chmod /bin/bash? No
If you want to allow a user to run a shell script, you have to give them both "execute" and "read" permissions on the file.
If you want to prevent a user from running a shell script, you have to remove the "read" permission. Even if the file is marked as executable, the user can not execute a non-readable script.
There is no way to allow a user to execute but not read a shell script.
Similarly, there is no way to allow a user to read but not to execute a shell script.
No!
Never touch the permissions on anything in /bin. You need to change the permissions on ./whatever. You'll need to add execute permissions to it - chmod u+x ./whatever. If you want it to run.
If however, you want to stop someone running it... well, you have to set it unreadable. Because there's no difference between a script you can read and a script you can 'run'. They're just sequences of commands.
I want to have my AppleScript application run a Python script with sudo, but I don't want the application to prompt the user for a password (our users do not have sudo privileges).
The Python script has been added to the /etc/sudoers file appropriately (ALL ALL=NOPASSWD: /path/to/script.py). In the terminal, I can do (as a regular, non-privileged user):
$ sudo ./script.py
and it runs perfectly well. But in AppleScript when you try to do:
do shell script "sudo ./script.py"
You of course get the "sudo: no tty present and no askpass program specified" error. But if you change it to:
do shell script "./script.py" with administrator privileges
AppleScript insists on presenting a popup window to ask for the password. I have also tried passing a null password to sudo with a pipe:
do shell script "echo '' | sudo -S ./script.py"
but that also does not work. (I think it tries to run sudo individually first and then pass the command through, which won't work because the user doesn't have sudo privileges!)
I need a solution where AppleScript will run the Python script with sudo. I would prefer the script stays unreadable and un-executable by average users for security reasons, and is only executed through the AppleScript. (I know that, hypothetically, the users could call sudo script.py and it would run, but that's assuming they even know about sudoers; I'm trying to keep it as secure as possible while still usable).
I'm still pretty new to AppleScript, so any help would be greatly appreciated! Thanks!
When I added ALL ALL=NOPASSWD: /Users/myusername/a to sudoers and ran echo $'#!/bin/bash\nsay $(ls ~root|head -n1)'>~/a;chmod +x ~/a, do shell script "sudo ~/a" ran the script as root without requiring a password.
I'm guessing the problem is that you specified the path like do shell script "sudo ./script.py". Try to use do shell script "sudo ~/script.py" instead. The default working directory is for do shell script is / and not ~/.
As the title says, I'm looking for a method to run a CGI script (running on APACHE on Ubuntu) with root privileges.
In particular, some commands of the script can be executed by the current user (apache), but other commands need root privileges (as iptables).
I can also write "sub-scripts" containing these privileged commands, but the problem of executing them with root privileges still remains.
I'm also confused about wether to write the CGI in C or PERL or bash script language. Any suggestion?
The best method is to use sudo for such scripts. You must specify which commands can run the script in this case.
In /etc/sudoers:
wwwdata ALL=(ALL) /usr/local/bin/allowed-operation
And then in the script:
sudo /usr/local/bin/allowed-operation