Script without read permission but execute the script

kingganesh04 · January 6, 2009, 12:39am

I have a script, except me no one can read the script but they can execute the script. Is it possible?

lorcan · January 6, 2009, 12:51am

No its not possible.

mosaic · January 6, 2009, 5:58am

I don't understand why impossible?

if the script's access permission is set as 411, whether the other users can execute the script?

matrixmadhan · January 6, 2009, 6:03am

Just 'x' perm is not enough to execute a script/bin both 'r' and 'x' are needed

It cannot run without reading it

mosaic · January 6, 2009, 6:51am

but i have tried on the platform AIX 5.3. it can be executed by another user in the same group. therefore i'm confused.

tsurko · January 6, 2009, 8:32am

I also think this is not possible. Here is a test on my linux machine:

root@bastila:~/work# cat hello.sh
#!/bin/sh

echo Hello
root@bastila:~/work# chmod 701 hello.sh
root@bastila:~/work# ls -l hello.sh
-rwx-----x 1 root root 22 2009-01-06 15:24 hello.sh
root@bastila:~/work# exit
exit
tsurko@bastila:~/work$ ./hello.sh
/bin/sh: Can't open ./hello.sh

jlliagre · January 6, 2009, 11:10am

It is possible by using the suid bit. The script will be run under your id and not the user's one which might be risky though.

# cat hi.ksh
#!/bin/ksh -p
echo hello
# chmod 04711 hi.ksh
# ls -l hi.ksh
-rws--x--x   1 jlliagre root          25 janv  6 17:02 hi.ksh
# su guest
$ ./hi.ksh
hello
$ cat hi.ksh
cat: cannot open hi.ksh: Permission denied

matrixmadhan · January 6, 2009, 12:22pm

though the user is guest here - its running as root

which means read permission is inevitable, only when it can read it can execute

jlliagre · January 7, 2009, 5:42am

Your statement is incorrect. The script is running as a different user, jlliagre here, not root.
The guest user is still unable to read the script he runs with the solution I suggest.

# cat hi.ksh
#!/bin/ksh -p
echo hello
id
# su - guest
$ /var/tmp/hi.ksh
hello
uid=10000(guest) gid=10000(guest) euid=20000(jlliagre)
$ cat /var/tmp/hi.ksh
cat: /var/tmp/hi.ksh: cannot open [permission denied]

bakunin · January 7, 2009, 7:47am

That might work - there is just one problem, though: scripts are NOT allowed to run suid, on no Unix platform. The reason is security.

I hope this helps.

bakunin

jlliagre · January 7, 2009, 8:05am

Do you mean Solaris isn't a Unix platform or are you talking about security best practices ?

kingganesh04 · January 8, 2009, 2:24am

It is not working.
Example

kganeshb@its04489:~/scripts $ cat ex.sh
#!/bin/ksh -p
echo hello
kganeshb@its04489:~/scripts $ sh ex.sh
hello
Different user
eravich1@its04489:/home/kganeshb/scripts $ ls -l ex.sh
-rws--x--x 1 kganeshb users 25 Jan 8 15:14 ex.sh
eravich1@its04489:/home/kganeshb/scripts $ ./ex.sh
/bin/ksh: ./ex.sh: Permission denied
eravich1@its04489:/home/kganeshb/scripts $ sh ex.sh
ex.sh: ex.sh: Permission denied
eravich1@its04489:/home/kganeshb/scripts $ cat ex.sh
cat: ex.sh: Permission denied

mosaic · January 8, 2009, 3:11am

Oh, it's my fault.

Script is really not working without r. But binary file can be executed without only x.

At the first time, I tried by a binary file, which results a wrong conclusion. sorry.

jlliagre · January 8, 2009, 8:58am

Kingganesh04, it would help if you tell what Unix variant you are using.

While many Unix OSes will ignore suid scripts, my example certainly works under Solaris and possibly under other Unix implementations.

Although root suid scripts are certainly risky and a bad security practice, I don't see that much a risk suid'ing to another non privileged user like I show.

methyl · January 8, 2009, 10:16am

If the permissions are 050 the owner cannot read or execute the script, but users in the same group can execute the script.