Unix Programming - (non-root) setuid and permissions

Lorin Hochstein

2004-01-23, 5:36 pm

Hello all,

I (a non-root user on a UNIX system) have a script that I would like
other people on the system to be able to execute, but I don't want them
to be able to read it. I know that you can accomplish this by invoking
it from an setuid wrapper program written in a compiled language (e.g.
C). The catch is that this script, when executed, should be able to
access all of the files that are accessible by the person calling the
script.

To summarize, the script can't be readable by the user, but it must be
somehow executable by the user (possibly through a wrapper), and when
running it should run as the user who invoked it.

To make the situation more concrete, I'll give a (somewhat contrived)
example. Let's say I come up with a nifty implementation of the "cat"
program in Python (call it cat.py). I want other people on the system to
be able to use my cat.py program, but I don't want them to know how it's
implemented. I can write a wrapper in C that has its SUID bit set and
invokes cat.py (call it cat.wrap), but then my friend won't be able to
run cat.wrap on his files that are not readable by me.

(The real reason for all this is that it's part of instrumenting a
compiler for a software engineering experiment so that a script is
invoked before the compiler is called. The subjects know that some data
is collected, but we don't want them to know exactly what for fear that
it will affect their behavior).

Is there any way around this, or will I just have to write my program in
a compiled language so that nobody can (easily) see what it's doing?

Lorin

Dragan Cvetkovic

2004-01-23, 5:36 pm

Lorin Hochstein <me@nospam.com> writes:
> Hello all,
>
> I (a non-root user on a UNIX system) have a script that I would like other
> people on the system to be able to execute, but I don't want them to be
> able to read it. I know that you can accomplish this by invoking it from an
> setuid wrapper program written in a compiled language (e.g. C). The catch
> is that this script, when executed, should be able to access all of the
> files that are accessible by the person calling the script.
Is that not the normal behaviour of programs? You don't need setuid for
that, the script will get user's access rights anyway.

[snip]
>
> Is there any way around this, or will I just have to write my program in a
> compiled language so that nobody can (easily) see what it's doing?
>
Well, you can always use one of these hard-to-read script languages such as
Perl with all obfuscifications (sp?) turned on :-)

Bye, Dragan

--
Dragan Cvetkovic,

To be or not to be is true. G. Boole No it isn't. L. E. J. Brouwer

!!! Sender/From address is bogus. Use reply-to one !!!

Brian Raiter

2004-01-23, 5:36 pm

> To summarize, the script can't be readable by the user, but it must
> be somehow executable by the user (possibly through a wrapper), and
> when running it should run as the user who invoked it.

Two possibilities occur to me:

1. Convince someone in power to allow you to run the wrapper program
with set-userid root. As root, the wrapper could then execute your
(otherwise unreadable) script, which would immediately drop
permissions back to the real userid.

2. Let the script be world-readable, but in an obscured location. That
is, you give a parent directory execute-only permissions, and place in
there a directory with a long name composed of random characters, much
as you would select a password. The C wrapper would of course have the
readable-bit turned off, so the users couldn't get the path via
strings(1). Of course, if your script takes more than a few
milliseconds to run, the users could determine the script's location
using e.g. ps(1). I guess it depends on how astute/determined you
expect your users to be about the matter.

b

Lorin Hochstein

2004-01-23, 5:36 pm

Brian Raiter wrote:
> Two possibilities occur to me:
>
> 1. Convince someone in power to allow you to run the wrapper program
> with set-userid root. As root, the wrapper could then execute your
> (otherwise unreadable) script, which would immediately drop
> permissions back to the real userid.
If the wrapper program is set-userid root, and it executes the script,
will the script automatically drop back to the real userid permissions,
or do I need to add some code to the script to make this happen?

(I'm under the vague impression that as a security precaution this
happens automatically on UNIX systems, but I'm not 100% sure).
> 2. Let the script be world-readable, but in an obscured location. That
> is, you give a parent directory execute-only permissions, and place in
> there a directory with a long name composed of random characters, much
> as you would select a password. The C wrapper would of course have the
> readable-bit turned off, so the users couldn't get the path via
> strings(1). Of course, if your script takes more than a few
> milliseconds to run, the users could determine the script's location
> using e.g. ps(1). I guess it depends on how astute/determined you
> expect your users to be about the matter.
>
This pair of solutions is quite nice, actually. I have to distribute
this code to several different people, and I can leave it up to them to
decide whether they want to have the wrapper set-userid root (which
would increase secrecy but would force the administrators to closely
inspect the wrapper code), or have them just use it as is and hope that
the users aren't too "curious".


Thanks for the advice,

Lorin

Brian Raiter

2004-01-23, 5:36 pm

> If the wrapper program is set-userid root, and it executes the
> script, will the script automatically drop back to the real userid
> permissions, or do I need to add some code to the script to make
> this happen?

The latter; this is something the script will need to do explicitly.

b
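Brian's answer says the drop has to be done explicitly by the script. As an added example that is not from this thread, this is how a Python script such as cat.py, started by a set-user-ID root wrapper on Linux, would drop back to the invoking user before touching any files; Python 3 is assumed and the function names are mine. It also verifies that the drop took effect and cannot be reversed, which is the check a reviewer of the wrapper would ask for.

```python
import os


def drop_privileges():
    """Drop back to the real (invoking) user's uid and gid, irreversibly.

    Meant to be the first thing a script does when a set-user-ID root
    wrapper has exec'd it. Returns (uid, gid) after the drop. When the
    process was not started with elevated ids it returns without
    changing anything, so the same script also runs normally.
    """
    real_uid, real_gid = os.getuid(), os.getgid()
    old_euid, old_egid = os.geteuid(), os.getegid()
    if old_euid == real_uid and old_egid == real_gid:
        return real_uid, real_gid  # nothing elevated: nothing to drop

    # Supplementary groups are already the caller's: exec of a set-user-ID
    # binary does not change them, so only gid and uid need resetting.
    # gid first, while the process still has the privilege to set it;
    # uid last, because afterwards it can no longer change its gid.
    os.setgid(real_gid)
    os.setuid(real_uid)  # with euid 0 this also resets the saved uid

    # Verify the drop took effect on all four ids ...
    ids = (os.getuid(), os.geteuid(), os.getgid(), os.getegid())
    if ids != (real_uid, real_uid, real_gid, real_gid):
        raise RuntimeError("privilege drop incomplete: %r" % (ids,))
    # ... and that it cannot be undone: regaining the old euid must fail.
    if old_euid != real_uid:
        try:
            os.seteuid(old_euid)
        except PermissionError:
            pass
        else:
            raise RuntimeError("privilege drop is reversible; aborting")
    return real_uid, real_gid


def effective_is_real():
    """True when the effective ids equal the real ids (no elevation left)."""
    return os.geteuid() == os.getuid() and os.getegid() == os.getgid()


if __name__ == "__main__":
    # Run this via the setuid wrapper to see a real drop; run directly,
    # it simply reports that nothing was elevated.
    print("before: uid=%d euid=%d" % (os.getuid(), os.geteuid()))
    print("after drop:", drop_privileges(), "effective==real:", effective_is_real())
```

Everything the script does after `drop_privileges()` returns, including opening the files the user asked for, happens with the caller's permissions, which is exactly the behaviour Lorin wanted.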

Copyright 2003 - 2008 webservertalk.com