Ping a Specific Port

Question

Senrabdet

Asked: 2013-10-05 09:19:29 +0800 CST2013-10-05 09:19:29 +0800 CST 2013-10-05 09:19:29 +0800 CST

How to make bash script executable for a user, but not readable

772

I'm trying to run a script at login that will execute for a regular user, but not be readable by that or other non-root users.

I've tried various things including chmod/chown combinations, as well as visudo. In all cases, I can either execute the script at login but still read it as the user, or not be able to read it but also not be able to execute it at login.

Have also tried shc which I can use, but that still leaves a file that while executable, can be copied/uploaded etc and decompiled.

Is this about me doing something wrong with chmod, chown, and visudo?

4 Answers

Voted

dawud · Answer 1 · 2013-10-05T10:33:51+08:00

First off, visudo(8) is just the recommended editor for the /etc/sudoers file. Nothing else. It is so, because it does some syntax checking, and basic rules parsing in order to warn you if you are just about to shoot yourself in the foot. It is not perfect, but it has proven to be very helpful.

That said, the following lines show how to grant execution permissions on a not readable file, without using SETUID tricks. I have used root and /root/bin/, but this is true for any other scenario where the user who is granted execution permissions does not have read access to the file.

The # symbol, as usual, means the commands are run by root, the $ symbol marks the lines run by the unprivileged user:

# adduser foo
...

# id foo
uid=1002(foo) gid=1002(foo) groups=1002(foo)

# grep foo /etc/sudoers
Defaults:foo    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/root/bin"
foo   ALL = (root) /root/bin/bar

# ls -lrt /root/bin/bar
-rwx------. 1 root root 38 Oct  4 20:22 /root/bin/bar

# cat /root/bin/bar
printf "Welcome to the Terrordome!\n"

# su - foo

$ id
uid=1002(foo) gid=1002(foo) groups=1002(foo)

$ sudo bar
Welcome to the Terrordome!

$ cat /root/bin/bar
cat: /root/bin/bar: Permission denied

user9517 · Answer 2 · 2013-10-05T09:27:34+08:00

user9517

2013-10-05T09:27:34+08:002013-10-05T09:27:34+08:00

I don't think you can stop people reading the file as they need to be able to read it to execute it.

2

Danila Ladner · Answer 3 · 2013-10-05T09:34:21+08:00

Danila Ladner

2013-10-05T09:34:21+08:002013-10-05T09:34:21+08:00

Bash must be able to read the content of the script.

You can put a setuid executable in front of bash script, like compiled c wrapper binary/executable, but then it is not bash already.

2

Sparr · Answer 4 · 2013-10-05T09:31:04+08:00

Sparr

2013-10-05T09:31:04+08:002013-10-05T09:31:04+08:00

Running a bash script involves running the bash interpreter (which will be a process), and that interpreter reading the file, then following the script inside the file. If a process owned by a user can read the file, then the user themselves can read the file.

This leaves the only option being allowing the user to spawn a process owned by root, and having that root-owned process read your script. This can be accomplished in some distros using the setuid functionality, but it is generally considered a bad idea and can lead to security holes if the script has any bugs.

1

How to make bash script executable for a user, but not readable

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?