0

I'm trying to run a script at login that will execute for a regular user, but not be readable by that or other non-root users.

I've tried various things including chmod/chown combinations, as well as visudo. In all cases, I can either execute the script at login but still read it as the user, or not be able to read it but also not be able to execute it at login.

Have also tried shc which I can use, but that still leaves a file that while executable, can be copied/uploaded etc and decompiled.

Is this about me doing something wrong with chmod, chown, and visudo?

dawud
  • 15,504
Senrabdet
  • 111
  • 1
  • 3
  • 9

4 Answers4

4

First off, visudo(8) is just the recommended editor for the /etc/sudoers file. Nothing else. It is so, because it does some syntax checking, and basic rules parsing in order to warn you if you are just about to shoot yourself in the foot. It is not perfect, but it has proven to be very helpful.

That said, the following lines show how to grant execution permissions on a not readable file, without using SETUID tricks. I have used root and /root/bin/, but this is true for any other scenario where the user who is granted execution permissions does not have read access to the file.

The # symbol, as usual, means the commands are run by root, the $ symbol marks the lines run by the unprivileged user:

# adduser foo
...

# id foo
uid=1002(foo) gid=1002(foo) groups=1002(foo)

# grep foo /etc/sudoers
Defaults:foo    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/root/bin"
foo   ALL = (root) /root/bin/bar

# ls -lrt /root/bin/bar
-rwx------. 1 root root 38 Oct  4 20:22 /root/bin/bar

# cat /root/bin/bar
printf "Welcome to the Terrordome!\n"

# su - foo

$ id
uid=1002(foo) gid=1002(foo) groups=1002(foo)

$ sudo bar
Welcome to the Terrordome!

$ cat /root/bin/bar
cat: /root/bin/bar: Permission denied
dawud
  • 15,504
2

I don't think you can stop people reading the file as they need to be able to read it to execute it.

user9517
  • 117,122
2

Bash must be able to read the content of the script.

You can put a setuid executable in front of bash script, like compiled c wrapper binary/executable, but then it is not bash already.

1

Running a bash script involves running the bash interpreter (which will be a process), and that interpreter reading the file, then following the script inside the file. If a process owned by a user can read the file, then the user themselves can read the file.

This leaves the only option being allowing the user to spawn a process owned by root, and having that root-owned process read your script. This can be accomplished in some distros using the setuid functionality, but it is generally considered a bad idea and can lead to security holes if the script has any bugs.

Sparr
  • 839