How can I set a file to be executable by other users but not readable/writable? The reason for this is that I'm executing something with my username, but I don't want to give out the password. I tried:
chmod 777 testfile
chmod a=x
chmod ugo+x
I still get permission denied when executing as another user.
Answers:
Method 1
There's a half truth to the previous statements. You can set up a script so that it's not readable by the user, but still executable. The process is a little drawn out, but it's doable by making an exception in /etc/sudoers so that the user can run the script as yourself temporarily without being prompted for a password. Example below:
Some script I want to share with a user:
me@OB1:~/Desktop/script/$ chmod 700 somescript.pl
me@OB1:~/Desktop/script/$ ls -l somescript.pl
-rwx------ 1 me me 4519 May 16 10:25 somescript.pl
Make a shell script that calls 'somescript.pl' and save it in /bin/ (the arguments are forwarded quoted so that they survive word splitting):
me@OB1:/bin$ sudo cat somescript.sh
[sudo] password for me:
#!/bin/bash
sudo -u me /home/me/Desktop/script/somescript.pl "$@"
OPTIONAL STEP: Make a symlink to somescript.sh in /bin/:
sudo ln -s /bin/somescript.sh /bin/somescript
Make sure the shell script is readable/executable to the user (no write access):
sudo chmod 755 /bin/somescript.sh
me@OB1:/bin$ ls -l somescript*
lrwxrwxrwx 1 root root 14 May 28 16:11 somescript -> /bin/somescript.sh
-rwxr-xr-x 1 root root 184 May 28 18:45 somescript.sh
Make an exception in /etc/sudoers by adding these lines:
# User alias specification
User_Alias SCRIPTUSER = me, someusername, anotheruser
# Run script as the user 'me' without asking for password
SCRIPTUSER ALL = (me) NOPASSWD: /home/me/Desktop/script/somescript.pl
PROOF IN THE PUDDING:
someuser@OB1:~$ somescript
***You can run me, but can't see my private parts!***
someuser@OB1:~$ cat /home/me/Desktop/script/somescript.pl
cat: /home/me/Desktop/script/somescript.pl: Permission denied
This method should be better than trying to obfuscate with Filter::Crypto or PAR::Filter::Crypto or Acme::Bleach, which can be reverse engineered by a determined user. The same goes for compiling your script to a binary. Let me know if you find something wrong with this method. For more advanced users, you may want to remove the User_Alias section completely and replace SCRIPTUSER with '%groupname'. This way you can manage your script users with the usermod command.
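An added check for the setup described in this answer (example code written for this page, not the answerer's own): it verifies the ownership and modes that Method 1 relies on for the private script and the root-owned wrapper, and inspects the sudoers line for the run-as user, the command path and whether arguments are restricted. The names audit_files, check_sudoers_rule and build_demo are chosen here; build_demo creates a constructed temporary layout owned by the current user, so when auditing it the wrapper owner check is given the current uid instead of root.

```python
import os
import re
import stat
import tempfile

# Shape of the line the answer adds to /etc/sudoers: who host = (runas) [NOPASSWD:] command [args]
_RULE = re.compile(r"^\s*(\S+)\s+([^\s=]+)\s*=\s*\((\w+)\)\s*(NOPASSWD:)?\s*(\S+)(.*)$")

def check_sudoers_rule(rule, runas, command):
    """Findings for one sudoers rule; empty means it grants exactly runas + command."""
    m = _RULE.match(rule)
    if not m:
        return ["rule does not parse as 'who host = (runas) [NOPASSWD:] command'"]
    findings = []
    if m.group(3) != runas:
        findings.append(f"rule runs as {m.group(3)!r}, expected {runas!r}")
    if m.group(5) != command:
        findings.append(f"rule names {m.group(5)!r}, expected {command!r}")
    if not m.group(6).strip():  # a bare command accepts any arguments, and the wrapper forwards "$@"
        findings.append('rule accepts any arguments; append the allowed arguments or "" to forbid them')
    return findings

def audit_files(private_script, wrapper, owner_uid, wrapper_uid=0):
    """Findings for the two files Method 1 relies on; empty means the modes match the answer's intent."""
    findings = []
    st = os.stat(private_script)
    if st.st_uid != owner_uid:
        findings.append("private script is not owned by the intended user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("private script is accessible to group or others (expected mode 700)")
    if not st.st_mode & stat.S_IXUSR:
        findings.append("private script is not executable by its owner")
    wst = os.stat(wrapper)
    if wst.st_uid != wrapper_uid:
        findings.append("wrapper is not owned by the expected uid (normally root)")
    if wst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("wrapper is writable by group or others")
    if not wst.st_mode & stat.S_IXOTH:
        findings.append("wrapper is not executable by others")
    return findings

def build_demo(private_mode=0o700, wrapper_mode=0o755):
    """Constructed sample layout in a temp dir (both files owned by the current uid, not root)."""
    d = tempfile.mkdtemp()
    priv, wrap = os.path.join(d, "somescript.pl"), os.path.join(d, "somescript.sh")
    for path, mode in ((priv, private_mode), (wrap, wrapper_mode)):
        open(path, "w").close()
        os.chmod(path, mode)
    return priv, wrap, os.getuid()
```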
Method 2
You need both read and execute permissions on a script to be able to execute it. If you can’t read the contents of the script, you aren’t able to execute it either.
tony@matrix:~$ ./hello.world
hello world
tony@matrix:~$ ls -l hello.world
-rwxr-xr-x 1 tony tony 17 Jul 13 22:22 hello.world
tony@matrix:~$ chmod 100 hello.world
tony@matrix:~$ ls -l hello.world
---x------ 1 tony tony 17 Jul 13 22:22 hello.world
tony@matrix:~$ ./hello.world
bash: ./hello.world: Permission denied
Method 3
If you let other users execute a program, then they can know everything the program is doing, whether the program file is readable or not. All they need to do is point a debugger (or debugger-like program such as strace). A binary executable can run if it’s executable and not readable (a script can’t, because the interpreter needs to be able to read the script), but this doesn’t give you any security.
If you want others to be able to execute your program as a black box, without letting them see exactly what the program is doing, you need to give your script elevated privileges: make it setuid to your user. Only root can use debugging tools on setuid programs. Note that writing secure setuid programs isn’t easy, and most languages aren’t suitable; see Allow setuid on shell scripts for more explanations. If you’re going to write a setuid program, I strongly recommend Perl, which has a mode (taint mode) that’s explicitly intended to make secure setuid scripts possible.
Method 4
You can set file permissions with the chmod command. Both the root user and the file’s owner can set file permissions. chmod has two modes, symbolic and numeric.
First, you decide if you set permissions for the user (u), the group (g), others (o), or all of the three (a). Then, you either add a permission (+), remove it (-), or wipe out the previous permissions and add a new one (=). Next, you decide if you set the read permission (r), write permission (w), or execute permission (x). Last, you’ll tell chmod which file’s permissions you want to change.
Here are a few examples.
Wipe out all the permissions but add read permission for everybody:
$ chmod a=r filename
After the command, the file's permissions would be -r--r--r--
Add execute permissions for group:
$ chmod g+x filename
Now, the file's permissions would be -r--r-xr--
Add both write and execute permissions for the file’s owner. Note how you can set more than one permission at the same time:
$ chmod u+wx filename
After this, the file permissions will be -rwxr-xr--
Remove the execute permission from both the file’s owner and group. Note, again, how you can set them both at once:
$ chmod ug-x filename
Now, the permissions are -rw-r--r--
This is a quick reference for setting file permissions in symbolic mode:
Which user?
  u  user/owner
  g  group
  o  other
  a  all
What to do?
  +  add this permission
  -  remove this permission
  =  set exactly this permission
Which permissions?
  r  read
  w  write
  x  execute
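As an added example that is not part of the answer, the symbolic-mode rules above as a small simulator: apply_symbolic, ls_string and walk are names chosen here, and walk replays the answer's four commands in order so the resulting ls -l strings can be compared with the ones quoted. It goes slightly beyond the answer by also accepting comma-separated clauses such as u+wx,g-w; the umask that real chmod applies when no class letter is given is not modelled.

```python
import stat

# Permission bits per class in (r, w, x) order; 'a' expands to all three classes.
_CLASS_BITS = {
    "u": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    "g": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    "o": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
}
_PERM_INDEX = {"r": 0, "w": 1, "x": 2}


def apply_symbolic(mode, spec):
    """Apply a chmod symbolic mode such as 'a=r', 'ug-x' or 'u+wx,g-w' to an integer mode."""
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who = clause[:i] or "a"  # no class letter means 'a' (real chmod also applies the umask; not modelled)
        if "a" in who:
            who = "ugo"
        if i == len(clause) or clause[i] not in "+-=":
            raise ValueError(f"bad clause: {clause!r}")
        op, perms = clause[i], clause[i + 1:]
        if any(p not in _PERM_INDEX for p in perms):
            raise ValueError(f"bad permission letters: {perms!r}")
        for cls in who:
            bits = _CLASS_BITS[cls]
            wanted = 0
            for p in perms:
                wanted |= bits[_PERM_INDEX[p]]
            if op == "+":
                mode |= wanted
            elif op == "-":
                mode &= ~wanted
            else:  # '=' wipes this class's r/w/x bits, then sets exactly the requested ones
                mode = (mode & ~(bits[0] | bits[1] | bits[2])) | wanted
    return mode


def ls_string(mode):
    """Render the mode the way ls -l shows a regular file, e.g. '-rw-r--r--'."""
    return stat.filemode(stat.S_IFREG | (mode & 0o777))


def walk(start, specs):
    """Apply specs one after another and return the ls-style string after each step."""
    out = []
    for spec in specs:
        start = apply_symbolic(start, spec)
        out.append(ls_string(start))
    return out
```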
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.