Solved

Executing a script as another user but retaining owner permissions

Posted on 2001-07-11
Last Modified: 2013-12-06
I have a background application script/program, moveit.exe say, that modifies files in a directory. It runs constantly but can be stopped and restarted.

At the moment, the program is owned by the user, fred say, and so are the directories and files.

What I would like to do is create application operators that do NOT have access to those directories and files but are still able to start/stop the background application, which would modify/move the said files.

I tried using the 'sticky bit' (chmod g+s moveit.exe) but this did not produce the desired effect - when running moveit.exe as jill who is in the same group as fred, the script is executed as jill which fails because jill does not have permissions on the directories and files the script manipulates...

Is there a way I can do this on my Sun Solaris 8 UNIX box?

Thanks.
Question by:Kong
18 Comments
 
LVL 38

Expert Comment

by:yuzh
Hi Kong,

    If your script only modifies files, then you can run this script
as root, or let the script be called by cron as root; it will do the job for you.

   If your script CREATES new files as well, then you have to add something to the script to remember which files are created by the script, and at the end of the script change the permissions of the newly created files, so that the user can have FULL access to the files in their own dir.


   Cheers!

=============
yuzh
 
LVL 2

Author Comment

by:Kong
Thanks yuzh,

The script cannot be part of a cron job - the proposed Operator/s will start/stop the script.

Even if the script knows who is executing it, it MUST execute as the owner, fred say, because the Operator will not have write privileges on the files/directories the script modifies.

Thanks again.
 
LVL 38

Expert Comment

by:yuzh
Hi Kong ,

    In this case, you can get sudo installed on your system and let the user
use sudo to run the script. Or

    You create another dummy super user on your system (this one is
no good if your system is connected to the internet; it might cause some
security problems) and write another wrapper script to let the user run the script. E.g. if your original script name is myprog and your dummy super
user is superman, then you put the following in the wrapper script:

#!/bin/sh
/bin/su superman -c "myprog"
exit 0

Regards
    yuzh
 
LVL 51

Expert Comment

by:ahoffmann
chmod u+s yourscript
chmod g+s yourscript

# and don't forget that each user who wants to start it needs read and execute permission on the path to yourscript
 
LVL 2

Author Comment

by:Kong
Thanks yuzh and ahoffmann, sorry about the delay in replying, I'm in the EST timezone here.

It would not be feasible, security-wise, to create a separate super-user and let the application user su to it and execute the script. This is a high security site, hence this requirement...

Ahoffmann, that's what I tried and it didn't work as you'd expect. Try it...

Thanks again.
 
LVL 2

Author Comment

by:Kong
I think this is quite a complex question, I'll increase it to 200.

If what I need is not possible, can you provide a work-around that does not have a security loophole?

Thanks.
 
LVL 38

Expert Comment

by:yuzh
Hi Kong ,

    In this case, you can try to install sudo on your system, and set it up so the
user can ONLY use sudo for this script.

   Regards

==========
yuzh

 
LVL 2

Author Comment

by:Kong
Hi Yuzh, can you please provide more information on sudo, I haven't come across it before.

Thanks.
 
LVL 38

Expert Comment

by:yuzh
Hi Kong ,

    The following webpage will give you some idea about sudo: where to get it, and how to install and configure it:
    http://www.kempston.net/solaris/sudo.html

    For more details about sudo, you can go to the sudo main page,
which lets you download the software and also has all the documentation about sudo, including the README, FAQ etc.
    http://www.courtesan.com/sudo/

    I hope that this info can help.

    Good luck!

==============
yuzh

 
LVL 51

Accepted Solution

by:
ahoffmann earned 200 total points
did you try the following?

chmod u+s yourscript
chmod g+s yourscript
 

Expert Comment

by:tryno
Hi, I have been into the same problem.
On my OS, HP-UX, the sticky bit does not work for shell scripts, but it works for compiled binaries.
I make a lot of stuff with shell scripts, but I am not an experienced C programmer.
What I did was this:
I had a colleague help me to write a simple C program, called 'startprog'. This small program simply calls a shell script, using the first input variable as the real program name:
   startprog <shellscript>
On the 'startprog' I set the sticky bit, and here IT WORKS!
So, when the shell script starts, the user ID is already changed.
Be aware of possible security problems here!
If you design it just like this, it might be open for anyone to start anything.  If you need only one shell script to be started this way, it is more secure to hard-code the script's name into the starting binary, like:
   start_my_script  (without the script name in the arguments).

This solution works very well for me, hope you can use some hints from this!

 
LVL 2

Author Comment

by:Kong
ahoffman, I did try setting the sticky bit, it didn't work. Please read on.

tryno, I tried as you suggested and it still executed as the executing user and not the owner as desired; please examine the scripts I wrote below:

$ more runit.c
#include <stdio.h>
#include <stdlib.h>

int main()
{
   system("doit.sh\n");
   return 0;
}
------------------------------
$ more doit.sh
#!/usr/bin/ksh

echo "hello" > done.txt
-------------------------------

$ ls -la
total 22
drwxrwsr-x   2 oracle   dba          512 Jul 16 10:30 .
drwxr-xr-x  12 oracle   dba         1024 Jul 12 16:54 ..
-rwxr-xr-x   1 oracle   dba           41 Jul 16 10:24 doit.sh
-rw-r--r--   1 fred     dba            6 Jul 16 10:30 done.txt
-rw-r--r--   1 oracle   dba           93 Jul 16 10:29 runit.c
-rwxr-sr-x   1 oracle   dba         5916 Jul 16 10:29 runit.exe

Compiling the C program, calling it runit.exe, setting the sticky bit, and executing it as fred it created the done.txt file with ownership of fred. I thought your workaround would have created done.txt as oracle...

yuzh, I am currently investigating sudo, thanks for the links.
 
LVL 51

Expert Comment

by:ahoffmann
as tryno said, Solaris' default behaviour is not to allow setuid on (shell)scripts. To allow this you must change kernel parameters (don't know which at the moment, sorry).
Also your runit.exe should do what you like if you make
   chmod u+s runit.exe
 

Expert Comment

by:tryno
Hello Kong,
maybe your runit.exe is just not "sticky enough":
Your program:  -rwxr-sr-x
My program:    -r-sr-sr-x
It seems that you are missing the first "s".
To achieve this, try: "chmod 6555 runit.exe"

-tryno
 
LVL 2

Author Comment

by:Kong
Excellent work guys! Thanks for that.
ahoffmann, my apologies for not paying attention to your question; after adding u+s along with g+s it worked! Please read below:

/export/home/oracle/tmp> ls -la
total 20
drwxr-xr-x   2 oracle   dba          512 Jul 17 10:15 .
drwxr-xr-x  12 oracle   dba         1024 Jul 17 09:54 ..
-rwsr-sr-x   1 oracle   dba           41 Jul 16 10:24 doit.sh
-rw-r--r--   1 oracle   dba           93 Jul 16 10:29 runit.c
-r-sr-sr-x   1 oracle   dba         5916 Jul 16 10:29 runit.exe
/export/home/oracle/tmp> id
uid=100(oracle) gid=200(dba)
/export/home/oracle/tmp> su fred
/export/home/oracle/tmp> id
uid=115(fred) gid=200(dba)
/export/home/oracle/tmp> doit.sh
/export/home/oracle/tmp> ls -la
total 22
drwxr-xr-x   2 oracle   dba          512 Jul 17 10:16 .
drwxr-xr-x  12 oracle   dba         1024 Jul 17 09:54 ..
-rwsr-sr-x   1 oracle   dba           41 Jul 16 10:24 doit.sh
-rw-r--r--   1 oracle   dba            6 Jul 17 10:16 done.txt
-rw-r--r--   1 oracle   dba           93 Jul 16 10:29 runit.c
-r-sr-sr-x   1 oracle   dba         5916 Jul 16 10:29 runit.exe

I can only award the points to ahoffman since it was the most correct solution. Tryno, your last suggestion worked, however, a C program was not required for the solution (as per display above).
Thanks again all!
 
LVL 51

Expert Comment

by:ahoffmann
BTW,

Kong, hope you're used to the difference when using
    su fred
and
    su - fred
as user oracle. The first just changes the effective UID (oracle to fred in this case), the real UID is still oracle, while the last changes the effective *and* the real UID.

So you need to check the SUID Script (doit.sh) with a user where real and effective UID is identical.
 
LVL 2

Author Comment

by:Kong
Thanks ahoffman, I tested that too, no problems there. Cheers.
 
LVL 3

Expert Comment

by:yas022100
Kong..

Within your C file... is below all you got?

#include <stdio.h>
#include <stdlib.h>

int main()
{
  system("doit.sh\n");
  return 0;
}

or some others are included within your code???

Thanx