0

I'm trying to run a script at login that will execute for a regular user, but not be readable by that or other non-root users.

I've tried various things including chmod/chown combinations, as well as visudo. In all cases, I can either execute the script at login but still read it as the user, or not be able to read it but also not be able to execute it at login.

Have also tried shc which I can use, but that still leaves a file that while executable, can be copied/uploaded etc and decompiled.

Is this about me doing something wrong with chmod, chown, and visudo?

Improve this question

4 Answers 4

Reset to default
4

First off, visudo(8) is just the recommended editor for the /etc/sudoers file. Nothing else. It is so, because it does some syntax checking, and basic rules parsing in order to warn you if you are just about to shoot yourself in the foot. It is not perfect, but it has proven to be very helpful.

That said, the following lines show how to grant execution permissions on a not readable file, without using SETUID tricks. I have used root and /root/bin/, but this is true for any other scenario where the user who is granted execution permissions does not have read access to the file.

The # symbol, as usual, means the commands are run by root, the $ symbol marks the lines run by the unprivileged user:

# adduser foo ... # id foo uid=1002(foo) gid=1002(foo) groups=1002(foo) # grep foo /etc/sudoers Defaults:foo secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/root/bin" foo ALL = (root) /root/bin/bar # ls -lrt /root/bin/bar -rwx------. 1 root root 38 Oct 4 20:22 /root/bin/bar # cat /root/bin/bar printf "Welcome to the Terrordome!\n" # su - foo $ id uid=1002(foo) gid=1002(foo) groups=1002(foo) $ sudo bar Welcome to the Terrordome! $ cat /root/bin/bar cat: /root/bin/bar: Permission denied
Improve this answer
1
  • Thanks for all the input - will give "dawud's" suggestion a try, and get back. Commented Oct 4, 2013 at 23:54
2

I don't think you can stop people reading the file as they need to be able to read it to execute it.

Improve this answer
2

Bash must be able to read the content of the script.

You can put a setuid executable in front of bash script, like compiled c wrapper binary/executable, but then it is not bash already.

Improve this answer
1

Running a bash script involves running the bash interpreter (which will be a process), and that interpreter reading the file, then following the script inside the file. If a process owned by a user can read the file, then the user themselves can read the file.

This leaves the only option being allowing the user to spawn a process owned by root, and having that root-owned process read your script. This can be accomplished in some distros using the setuid functionality, but it is generally considered a bad idea and can lead to security holes if the script has any bugs.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.