Solved

Executing a script as another user but retain owner permissions

Posted on 2001-07-11
18
283 Views
Last Modified: 2013-12-06
I have a background application script/program, moveit.exe say, that modifies files in a directory. It runs constantly but can be stopped and restarted.

At the moment, the program is owned by the user, fred say, and so are the directories and files.

What I would like to do is create application operators that do NOT have access to those directories and files but is still able to start/stop the background application, which would modify/move the said files.

I tried using the 'sticky bit' (chmod g+s moveit.exe) but this did not produce the desired effect - when running moveit.exe as jill who is in the same group as fred, the script is executed as jill which fails because jill does not have permissions on the directories and files the script manipulates...

Is there a way I can do this on my Sun Solaris 8 UNIX box?

Thanks.
0
Comment
Question by:Kong
18 Comments
 
LVL 38

Expert Comment

by:yuzh
ID: 6275920
Hi Kong,

    If your script only modifies files, then you can run this script
as root, or let cron call the script as root; it will do the job for you.

   If your script CREATES new files as well, then you have to add something to the script to remember which files were created by the script, and at the end of the script change the permissions of the newly created files, so that the user can have FULL access to the files in their own dir.


   Cheers!

=============
yuzh
0
 
LVL 2

Author Comment

by:Kong
ID: 6275962
Thanks yuzh,

The script cannot be part of a cron job - the proposed Operator/s will start/stop the script.

Even if the script knows who is executing it, it MUST execute as the owner, fred say, because the Operator will not have write privileges on the files/directories the script modifies.

Thanks again.
0
 
LVL 38

Expert Comment

by:yuzh
ID: 6276108
Hi Kong ,

    In this case, you can get sudo installed on your system and let the user
use sudo to run the script. or

    You create another dummy super user on your system (this one is
no good if your system is connecting to the internet, it might cause some
security problems), and write another wrapper script to let the user run the script. e.g. if your original script name is myprog, and your dummy super
user is superman, then you put the following in the wrapper script:

#!/bin/sh
/bin/su superman -c "myprog"
exit 0

Regards
    yuzh
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6276305
chmod u+s yourscript
chmod g+s yourscript

# and don't forget that each user who wants to start it needs read and execute permission to the path of yourscript
0
 
LVL 2

Author Comment

by:Kong
ID: 6279130
Thanks yuzh and ahoffmann, sorry about the delay in replying, I'm in the EST timezone here.

It would not be feasible, security-wise, to create a separate super-user and let the application user su to it and execute the script. This is a high security site hence this requirement...

Ahoffmann, that's what I tried and it didn't work as you'd expect. Try it...

Thanks again.
0
 
LVL 2

Author Comment

by:Kong
ID: 6279214
I think this is quite a complex question, I'll increase it to 200.

If what I need is not possible, can you provide a work-around that does not have a security loophole.

Thanks.
0
 
LVL 38

Expert Comment

by:yuzh
ID: 6279290
Hi Kong ,

    In this case, you can try to install sudo on your system, and set it up so that the
user can ONLY use sudo for this script.

   Regards

==========
yuzh

0
 
LVL 2

Author Comment

by:Kong
ID: 6279303
Hi Yuzh, can you please provide more information on sudo, I haven't come across it before.

Thanks.
0
 
LVL 38

Expert Comment

by:yuzh
ID: 6279706
Hi Kong ,

    The following webpage will give you some idea about sudo: where to get it, how to install and configure sudo:
    http://www.kempston.net/solaris/sudo.html

    For more details about sudo, you can go to the sudo Main page,
which let you download the software, and it also has all the documentation about sudo, including README, FAQ etc.
    http://www.courtesan.com/sudo/

    I hope that this info can help.

    Good luck!

==============
yuzh

0
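An added example (an editor's note, not from yuzh's links or any post in this thread): the sudoers rule that fits Kong's requirement. Operators get exactly one thing, running the application script as fred, and nothing else. The group name appops, the path /export/home/fred/bin/moveit.exe and the start/stop arguments are assumptions for illustration; the file is edited with visudo, which checks the syntax before it saves.

```sudoers
# /etc/sudoers fragment (edit with visudo). Added example; names are assumed.
# Operators in group "appops" may run only the two commands named in MOVEIT,
# and only as fred. No entry grants root, so a bare "sudo" is refused.
Cmnd_Alias MOVEIT = /export/home/fred/bin/moveit.exe start, \
                    /export/home/fred/bin/moveit.exe stop

# Start every sudo command from a clean environment, so PATH, IFS, ENV and
# similar variables are sudo's defaults rather than whatever the operator set.
Defaults env_reset

%appops ALL = (fred) MOVEIT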
 
LVL 51

Accepted Solution

by:ahoffmann (earned 200 total points)
ID: 6279769
did you try following?

chmod u+s yourscript
chmod g+s yourscript
0
 

Expert Comment

by:tryno
ID: 6279807
Hi, I have been into the same problem.
On my OS, HP-UX, the sticky bit does not work for shell scripts, but it works for compiled binaries.
I make a lot of stuff with shell scripts, but I am not an experienced C programmer.
What I did was this:
I had a colleague help me to write a simple C program, called 'startprog'. This small program simply calls a shell script, using the first input variable as the real program name:
   startprog <shellscript>
On 'startprog' I set the sticky bit, and here IT WORKS!
So, when the shell script starts, the user ID is already changed.
Be aware of possible security problems here!
If you design it just like this, it might be open for anyone to start anything.  If you need only one shell script to be started this way, it is more secure to hard-code the script's name into the starting binary, like:
   start_my_script  (without the script name in the arguments).

This solution works very well for me, hope you can use some hints from this!

0
 
LVL 2

Author Comment

by:Kong
ID: 6284370
ahoffmann, I did try setting the sticky bit, it didn't work. Please read on.

tryno, I tried as you suggested and it still executed as the executing user and not the owner as desired, please examine the scripts I wrote below:

$ more runit.c
#include <stdio.h>
#include <stdlib.h>

int main()
{
   system("doit.sh\n");
   return 0;
}
------------------------------
$ more doit.sh
#!/usr/bin/ksh

echo "hello" > done.txt
-------------------------------

$ ls -la
total 22
drwxrwsr-x   2 oracle   dba          512 Jul 16 10:30 .
drwxr-xr-x  12 oracle   dba         1024 Jul 12 16:54 ..
-rwxr-xr-x   1 oracle   dba           41 Jul 16 10:24 doit.sh
-rw-r--r--   1 fred     dba            6 Jul 16 10:30 done.txt
-rw-r--r--   1 oracle   dba           93 Jul 16 10:29 runit.c
-rwxr-sr-x   1 oracle   dba         5916 Jul 16 10:29 runit.exe

Compiling the C program, calling it runit.exe, setting the sticky bit, and executing it as fred, it created the done.txt file with ownership of fred. I thought your workaround would have created done.txt as oracle...

yuzh, I am currently investigating sudo, thanks for the links.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6285150
as tryno said, Solaris' default behaviour is not to allow setuid on (shell) scripts. To allow this you must change kernel parameters (don't know which at the moment, sorry).
Also your runit.exe should do what you like if you run
   chmod u+s runit.exe
0
 

Expert Comment

by:tryno
ID: 6285284
Hello Kong,
maybe your runit.exe is just not "sticky enough":
Your program:  -rwxr-sr-x
My program:    -r-sr-sr-x
It seems that you are missing the first "s".
To achieve this, try: "chmod 6555 runit.exe"

-tryno
0
 
LVL 2

Author Comment

by:Kong
ID: 6288022
Excellent work guys! Thanks for that.
ahoffmann, my apologies for not paying attention to your question, after adding u+s along with g+s it worked! Please read below:

/export/home/oracle/tmp> ls -la
total 20
drwxr-xr-x   2 oracle   dba          512 Jul 17 10:15 .
drwxr-xr-x  12 oracle   dba         1024 Jul 17 09:54 ..
-rwsr-sr-x   1 oracle   dba           41 Jul 16 10:24 doit.sh
-rw-r--r--   1 oracle   dba           93 Jul 16 10:29 runit.c
-r-sr-sr-x   1 oracle   dba         5916 Jul 16 10:29 runit.exe
/export/home/oracle/tmp> id
uid=100(oracle) gid=200(dba)
/export/home/oracle/tmp> su fred
/export/home/oracle/tmp> id
uid=115(fred) gid=200(dba)
/export/home/oracle/tmp> doit.sh
/export/home/oracle/tmp> ls -la
total 22
drwxr-xr-x   2 oracle   dba          512 Jul 17 10:16 .
drwxr-xr-x  12 oracle   dba         1024 Jul 17 09:54 ..
-rwsr-sr-x   1 oracle   dba           41 Jul 16 10:24 doit.sh
-rw-r--r--   1 oracle   dba            6 Jul 17 10:16 done.txt
-rw-r--r--   1 oracle   dba           93 Jul 16 10:29 runit.c
-r-sr-sr-x   1 oracle   dba         5916 Jul 16 10:29 runit.exe

I can only award the points to ahoffman since it was the most correct solution. Tryno, your last suggestion worked, however, a C program was not required for the solution (as per display above).
Thanks again all!
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6290154
BTW,

Kong, hope you're used to the difference when using
    su fred
and
    su - fred
as user oracle. The first just changes the effective UID (oracle to fred in this case), the real UID is still oracle, while the latter changes the effective *and* the real UID.

So you need to check the SUID Script (doit.sh) with a user where real and effective UID is identical.
0
 
LVL 2

Author Comment

by:Kong
ID: 6291765
Thanks ahoffman, I tested that too, no problems there. Cheers.
0
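An added example (an editor's note, not code posted by tryno, Kong or ahoffmann): tryno's advice to hard-code the script's name into a small setuid binary is the safer of the two approaches that worked in this thread, because a setuid shell script such as the final doit.sh (-rwsr-sr-x) runs with whatever environment (PATH, IFS and the rest) and arguments the operator hands it. The wrapper below is that binary written with the checks a practitioner would want: the target path is absolute and fixed at compile time, the script must be owned by the uid the wrapper runs as and must not be group- or world-writable, the real uid and gid are set equal to the effective ones inside the wrapper (the real-versus-effective UID point ahoffmann raises, handled by the program rather than left to how the operator reached their shell), and the script is started with no arguments and a two-variable environment. The path /export/home/fred/bin/doit.sh, the PATH value and the install commands in the header comment are assumptions for illustration; the code itself is plain POSIX C.

```c
/*
 * startprog.c: a setuid wrapper that execs one hard-coded script.
 * Added example for this thread, not code posted in it. TARGET, SAFE_PATH
 * and the install commands below are assumptions.
 *
 *   cc -o startprog startprog.c
 *   chown fred:dba startprog
 *   chmod 4550 startprog    # -r-sr-x---: setuid fred, runnable by group dba only
 */
#define _XOPEN_SOURCE 500
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define TARGET    "/export/home/fred/bin/doit.sh"  /* assumed script location */
#define SAFE_PATH "/usr/bin:/bin"                  /* assumed: all doit.sh needs */

/*
 * Refuse to run anything the caller could have edited or swapped. The target
 * must be an absolute path to a regular file owned by the uid we are about to
 * become, and not writable by group or others. Returns 1 if safe, else 0.
 */
int target_is_safe(const char *path, uid_t owner)
{
    struct stat st;

    if (path == NULL || path[0] != '/')
        return 0;
    if (stat(path, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != owner)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/*
 * Make the real gid/uid equal to the effective ones, so the script and
 * everything it spawns run wholly as the owner. setuid() alone cannot do this
 * for a non-root owner; setreuid()/setregid() may set the real id to the
 * current effective id. While the real uid is still the caller's, some shells
 * drop the effective uid back to it, and the script could switch back to it.
 * Returns 0 on success, -1 on failure (the caller must then refuse to exec).
 */
int become_owner(void)
{
    if (setregid(getegid(), getegid()) != 0)
        return -1;
    if (setreuid(geteuid(), geteuid()) != 0)
        return -1;
    return (getuid() == geteuid() && getgid() == getegid()) ? 0 : -1;
}

int main(void)
{
    /* Nothing from the caller reaches the script: no arguments, no environment. */
    char *const argv[] = { TARGET, NULL };
    char *const envp[] = { "PATH=" SAFE_PATH, "IFS= \t\n", NULL };

    if (!target_is_safe(TARGET, geteuid())) {
        fprintf(stderr, "startprog: refusing to run %s: bad owner or mode\n", TARGET);
        return 1;
    }
    if (become_owner() != 0) {
        perror("startprog: setreuid/setregid");
        return 1;
    }
    /* Absolute path and explicit envp: no PATH lookup, nothing inherited. */
    execve(TARGET, argv, envp);
    perror("startprog: execve");  /* reached only if the exec fails */
    return 1;
}
```

Installed with mode 4550 and group dba, only members of dba can run it and nobody can read the binary; the script and the directory it lives in must not be writable by the operators, or the wrapper is simply a way into fred's account. Check it the way Kong did: run it from an operator account and confirm the files it creates are owned by fred. If the script ever needs an argument (start, stop), compare argv[1] against a fixed list inside the wrapper rather than passing it through.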
 
LVL 3

Expert Comment

by:yas022100
ID: 6705806
Kong..

Within your C file... is the below all you have?

#include <stdio.h>
#include <stdlib.h>

int main()
{
  system("doit.sh\n");
  return 0;
}

or is something else included within your code???

Thanx
0
