
Re: Allowing users to execute shell scripts without seeing password

From: Radoulov, Dimitre <cichomitiko_at_gmail.com>
Date: Sat, 18 Feb 2006 00:07:31 +0100
Message-ID: <016401c63416$ef0ed790$9100a8c0@IBME1D11967173>


> I think the setuid+sticky bit is definitely the solution :)

Correcting myself: it's sticky bit + shebang:

xxx:{root}:/app/oracle> cat tmp1.sh
#!/usr/bin/ksh
date
xxx:{root}:/app/oracle> chmod 4501 tmp1.sh
xxx:{root}:/app/oracle> ls -l tmp1.sh
-r-s-----x 1 root other 20 Feb 17 23:51 tmp1.sh
xxx:{root}:/app/oracle> su - oracle
$ ls -l tmp1.sh
-r-s-----x 1 root other 20 Feb 17 23:51 tmp1.sh
$ ./tmp1.sh
Fri Feb 17 23:59:11 MET 2006
$ cat tmp1.sh
cat: cannot open tmp1.sh

Without shebang:

xxx:{root}:/app/oracle> cat tmp1.sh
#
#!/usr/bin/ksh
date
xxx:{root}:/app/oracle> su - oracle
$ ls -l tmp1.sh
-r-s-----x 1 root other 22 Feb 18 00:01 tmp1.sh
$ ./tmp1.sh
ksh: ./tmp1.sh: cannot open
$ truss tmp1.sh

..................................................
brk(0x0003A2F0)                                 = 0
getuid()                                        = 250 [250]
getuid()                                        = 250 [250]
getgid()                                        = 200 [200]
getgid()                                        = 200 [200]
open64("./tmp1.sh", O_RDONLY)                   Err#13 EACCES
./tmp1.shwrite(2, " . / t m p 1 . s h", 9)              = 9
: write(2, " :  ", 2)                           = 2
./tmp1.shwrite(2, " . / t m p 1 . s h", 9)              = 9
: write(2, " :  ", 2)                           = 2
cannot openwrite(2, " c a n n o t   o p e n", 11)               = 11

write(2, "\n", 1)                               = 1
llseek(0, 0, SEEK_CUR)                          = 40735
_exit(1)

Dimitre

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Feb 17 2006 - 17:07:31 CST
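
An added example, not part of the original message: a POSIX shell audit that lists files carrying the setuid or setgid bit that begin with a shebang, as tmp1.sh does in the first session above. The function name audit_setid_scripts and the tab-separated output format are assumptions made for this example; a file the auditing user cannot read (the execute-only case shown for the oracle user) is reported as UNREADABLE instead of being skipped.

```shell
#!/bin/sh
# Added example (not from the original message): find setuid/setgid files
# that the kernel would hand to an interpreter because they start with "#!".
# audit_setid_scripts is a hypothetical helper name.
# Usage: audit_setid_scripts /app/oracle
# Limitation: paths containing newlines are not handled.

audit_setid_scripts() {
    dir=${1:-.}
    # -perm -4000 matches the setuid bit, -perm -2000 the setgid bit.
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # Mode string and owner as ls prints them, e.g. "-r-s-----x root".
        meta=$(ls -ld "$f" | awk '{print $1 "\t" $3}')
        if [ ! -r "$f" ]; then
            # Mode 4501 hides the content from everyone but the owner, so a
            # non-owner cannot tell script from binary; flag it for a rerun
            # with sufficient privileges.
            printf 'UNREADABLE\t%s\t%s\n' "$meta" "$f"
            continue
        fi
        # Only the first two bytes decide whether exec treats the file as
        # a script. A file starting "#<newline>#!..." is not one.
        magic=$(dd if="$f" bs=2 count=1 2>/dev/null)
        if [ "$magic" = '#!' ]; then
            interp=$(head -n 1 "$f" | sed 's/^#![[:space:]]*//')
            printf 'SETID-SCRIPT\t%s\t%s\t%s\n' "$meta" "$f" "$interp"
        fi
    done
}
```
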
