Re: Allowing users to execute shell scripts without seeing password
- From: "Radoulov, Dimitre" <cichomitiko@xxxxxxxxx>
- To: <oracle-l@xxxxxxxxxxxxx>
- Date: Sat, 18 Feb 2006 00:07:31 +0100
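I think the setuid+sticky bit is definitely the solution :)
Correcting myself: it's sticky bit + shebang. (Strictly, the bit that chmod 4501 sets below is the setuid bit, shown as "s" in the owner field of the ls output; the sticky bit would be mode 1000.) Because the script then runs with root's effective uid for anyone allowed to execute it, it should call commands by absolute path and set its own PATH rather than trust the caller's environment: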
xxx:{root}:/app/oracle> cat tmp1.sh
#!/usr/bin/ksh
date
xxx:{root}:/app/oracle> chmod 4501 tmp1.sh
xxx:{root}:/app/oracle> ls -l tmp1.sh
-r-s-----x 1 root other 20 Feb 17 23:51 tmp1.sh
xxx:{root}:/app/oracle> su - oracle
$ ls -l tmp1.sh
-r-s-----x 1 root other 20 Feb 17 23:51 tmp1.sh
$ ./tmp1.sh
Fri Feb 17 23:59:11 MET 2006
$ cat tmp1.sh
cat: cannot open tmp1.sh
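Without the shebang as the first line (a "#" line has been inserted above it), the setuid bit no longer takes effect: the user's own ksh has to open the file itself and is refused, as the truss output shows (uid 250, open64 fails with EACCES):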
xxx:{root}:/app/oracle> cat tmp1.sh
#
#!/usr/bin/ksh
date
xxx:{root}:/app/oracle> su - oracle
$ ls -l tmp1.sh
-r-s-----x 1 root other 22 Feb 18 00:01 tmp1.sh
$ ./tmp1.sh
ksh: ./tmp1.sh: cannot open
$ truss tmp1.sh
..................................................
brk(0x0003A2F0) = 0
getuid() = 250 [250]
getuid() = 250 [250]
getgid() = 200 [200]
getgid() = 200 [200]
open64("./tmp1.sh", O_RDONLY) Err#13 EACCES
./tmp1.shwrite(2, " . / t m p 1 . s h", 9) = 9
: write(2, " : ", 2) = 2
./tmp1.shwrite(2, " . / t m p 1 . s h", 9) = 9
: write(2, " : ", 2) = 2
cannot openwrite(2, " c a n n o t o p e n", 11) = 11
write(2, "\n", 1) = 1
llseek(0, 0, SEEK_CUR) = 40735
_exit(1)
Dimitre