Solved

Executing a script as another user but retaining owner permissions

Posted on 2001-07-11
281 Views
Last Modified: 2013-12-06
I have a background application script/program, moveit.exe say, that modifies files in a directory. It runs constantly but can be stopped and restarted.

At the moment, the program is owned by the user, fred say, and so are the directories and files.

What I would like to do is create application operators that do NOT have access to those directories and files but is still able to start/stop the background application, which would modify/move the said files.

I tried using the 'sticky bit' (chmod g+s moveit.exe) but this did not produce the desired effect - when running moveit.exe as jill who is in the same group as fred, the script is executed as jill which fails because jill does not have permissions on the directories and files the script manipulates...

Is there a way I can do this on my Sun Solaris 8 UNIX box?

Thanks.
0
Question by:Kong
18 Comments
 
LVL 38

Expert Comment

by:yuzh
ID: 6275920
Hi Kong,

    If your script ONLY modifies files, then you can run this script
as root, or let the script be called by cron as root; it will do the job for you.

   If your script CREATES new files as well, then you have to add something to the script to remember which files were created by the script, and at the end of the script change the permissions of the newly created files so that the user can have FULL access to the files in their own dir.


   Cheers!

=============
yuzh
0
 
LVL 2

Author Comment

by:Kong
ID: 6275962
Thanks yuzh,

The script cannot be part of a cron job - the proposed Operator/s will start/stop the script.

Even if the script knows who is executing it, it MUST execute as the owner, fred say, because the Operator will not have write privileges on the files/directories the script modifies.

Thanks again.
0
 
LVL 38

Expert Comment

by:yuzh
ID: 6276108
Hi Kong ,

    In this case, you can get sudo installed on your system and let the user
use sudo to run the script. Or

    You create another dummy super user on your system (this one is
no good if your system is connected to the internet; it might cause some
security problems) and write another wrapper script to let the user run the script. E.g. if your original script name is myprog and your dummy super
user is superman, then you put the following in the wrapper script:

#!/bin/sh
/bin/su superman -c "myprog"
exit 0

Regards
    yuzh
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6276305
chmod u+s yourscript
chmod g+s yourscript

# and don't forget that each user who wants to start it needs read and execute permission on the path to yourscript
0
 
LVL 2

Author Comment

by:Kong
ID: 6279130
Thanks yuzh and ahoffmann, sorry about the delay in reply, I'm in the EST timezone here.

It would not be feasible, security-wise, to create a separate super-user and let the application user su to it and execute the script. This is a high security site, hence this requirement...

Ahoffmann, that's what I tried and it didn't work as you'd expect. Try it...

Thanks again.
0
 
LVL 2

Author Comment

by:Kong
ID: 6279214
I think this is quite a complex question, I'll increase it to 200.

If what I need is not possible, can you provide a work-around that does not have a security loophole.

Thanks.
0
 
LVL 38

Expert Comment

by:yuzh
ID: 6279290
Hi Kong ,

    In this case, you can try to install sudo on your system, and set it so the
user can ONLY use sudo for this script.

   Regards

==========
yuzh

0
 
LVL 2

Author Comment

by:Kong
ID: 6279303
Hi Yuzh, can you please provide more information on sudo, I haven't come across it before.

Thanks.
0
 
LVL 38

Expert Comment

by:yuzh
ID: 6279706
Hi Kong ,

    The following webpage will give you some idea about sudo: where to get it, how to install and configure it:
    http://www.kempston.net/solaris/sudo.html

    For more details about sudo, you can go to the sudo main page,
which lets you download the software; it also has all the documentation about sudo, including README, FAQ etc.
    http://www.courtesan.com/sudo/

    I hope that this info can help.

    Good luck!

==============
yuzh

0
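As an added illustration of the sudo route yuzh points to (this fragment is not from the thread and not from the sudo documentation), here is what a restricted rule looks like in /etc/sudoers. It assumes the operator account is jill (from the question) and that the script lives at the hypothetical path /export/home/fred/bin/moveit.sh and takes start/stop arguments; the file must be edited with visudo, which checks the syntax before saving.

```text
# /etc/sudoers fragment (added example; hypothetical path and accounts)
# Let the operator jill run only these two exact command lines, and only as fred.
Cmnd_Alias MOVEIT = /export/home/fred/bin/moveit.sh start, \
                    /export/home/fred/bin/moveit.sh stop
jill    ALL = (fred) MOVEIT
```

jill then runs `sudo -u fred /export/home/fred/bin/moveit.sh start`, authenticating with her own password, and never needs any permission on fred's data directories; each invocation is logged through syslog. The rule is only as strong as the script it names: the script file and its directory must be owned by fred and not writable by jill or her group, otherwise jill could edit what runs as fred.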
 
LVL 51

Accepted Solution

by:
ahoffmann earned 200 total points
ID: 6279769
did you try following?

chmod u+s yourscript
chmod g+s yourscript
0
 

Expert Comment

by:tryno
ID: 6279807
Hi, I have been into the same problem.
On my OS, HP-UX, the sticky bit does not work for shell scripts, but it works for compiled binaries.
I make a lot of stuff with shell scripts, but I am not an experienced C programmer.
What I did was this:
I had a colleague help me to write a simple C program, called 'startprog'. This small program simply calls a shell script, using the first input variable as the real program name:
   startprog <shellscript>
On 'startprog' I set the sticky bit, and here IT WORKS!
So, when the shell script starts, the user ID is already changed.
Be aware of possible security problems here!
If you design it just like this, it might be open for anyone to start anything.  If you need only one shell script to be started this way, it is more secure to hard-code the script's name into the starting binary, like:
   start_my_script  (without the script name in the arguments).

This solution works very well for me, hope you can use some hints from this!

0
 
LVL 2

Author Comment

by:Kong
ID: 6284370
ahoffmann, I did try setting the sticky bit, it didn't work. Please read on.

tryno, I tried as you suggested and it still executed as the executee and not the owner as desired, please examine the scripts I wrote below:

$ more runit.c
#include <stdio.h>
#include <stdlib.h>

int main()
{
   system("doit.sh\n");
   return 0;
}
------------------------------
$ more doit.sh
#!/usr/bin/ksh

echo "hello" > done.txt
-------------------------------

$ ls -la
total 22
drwxrwsr-x   2 oracle   dba          512 Jul 16 10:30 .
drwxr-xr-x  12 oracle   dba         1024 Jul 12 16:54 ..
-rwxr-xr-x   1 oracle   dba           41 Jul 16 10:24 doit.sh
-rw-r--r--   1 fred     dba            6 Jul 16 10:30 done.txt
-rw-r--r--   1 oracle   dba           93 Jul 16 10:29 runit.c
-rwxr-sr-x   1 oracle   dba         5916 Jul 16 10:29 runit.exe

Compiling the C program, calling it runit.exe, setting the sticky bit, and executing it as fred it created the done.txt file with ownership of fred. I thought your workaround would have created done.txt as oracle...

yuzh, I am currently investigating sudo, thanks for the links.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6285150
as tryno said, Solaris' default behaviour is not to allow setuid on (shell)scripts. To allow this you must change kernel parameters (don't know which at the moment, sorry).
Also your runit.exe should do what you like if you make
   chmod u+s runit.exe
0
 

Expert Comment

by:tryno
ID: 6285284
Hello Kong,
maybe your runit.exe is just not "sticky enough":
Your program:  -rwxr-sr-x
My program:    -r-sr-sr-x
It seems that you are missing the first "s".
To achieve this, try: "chmod 6555 runit.exe"

-tryno
0
 
LVL 2

Author Comment

by:Kong
ID: 6288022
Excellent work guys! Thanks for that.
ahoffmann, my apologies for not paying attention to your question, after adding u+s along with g+s it worked! Please read below:

/export/home/oracle/tmp> ls -la
total 20
drwxr-xr-x   2 oracle   dba          512 Jul 17 10:15 .
drwxr-xr-x  12 oracle   dba         1024 Jul 17 09:54 ..
-rwsr-sr-x   1 oracle   dba           41 Jul 16 10:24 doit.sh
-rw-r--r--   1 oracle   dba           93 Jul 16 10:29 runit.c
-r-sr-sr-x   1 oracle   dba         5916 Jul 16 10:29 runit.exe
/export/home/oracle/tmp> id
uid=100(oracle) gid=200(dba)
/export/home/oracle/tmp> su fred
/export/home/oracle/tmp> id
uid=115(fred) gid=200(dba)
/export/home/oracle/tmp> doit.sh
/export/home/oracle/tmp> ls -la
total 22
drwxr-xr-x   2 oracle   dba          512 Jul 17 10:16 .
drwxr-xr-x  12 oracle   dba         1024 Jul 17 09:54 ..
-rwsr-sr-x   1 oracle   dba           41 Jul 16 10:24 doit.sh
-rw-r--r--   1 oracle   dba            6 Jul 17 10:16 done.txt
-rw-r--r--   1 oracle   dba           93 Jul 16 10:29 runit.c
-r-sr-sr-x   1 oracle   dba         5916 Jul 16 10:29 runit.exe

I can only award the points to ahoffmann since it was the most correct solution. Tryno, your last suggestion worked, however, a C program was not required for the solution (as per the display above).
Thanks again all!
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6290154
BTW,

Kong, hope you're used to the difference when using
    su fred
and
    su - fred
as user oracle. The first just changes the effective UID (oracle to fred in this case), the real UID is still oracle, while the last changes the effective *and* the real UID.

So you need to check the SUID Script (doit.sh) with a user where real and effective UID is identical.
0
 
LVL 2

Author Comment

by:Kong
ID: 6291765
Thanks ahoffmann, I tested that too, no problems there. Cheers.
0
 
LVL 3

Expert Comment

by:yas022100
ID: 6705806
Kong..

Within your C file... is below all you got?

#include <stdio.h>
#include <stdlib.h>

int main()
{
  system("doit.sh\n");
  return 0;
}

or some others are included within your code???

Thanx
0
