Preventing users from corrupting and using a script
Is it possible to deny the right to copy files?
I have a script which should be executable by others. They are also allowed to read the file (though it would not be a problem to forbid reading). But I don't want the script to be changed and executed.
It's not a problem to set those permissions, but one could easily copy, change and run the script. Can this even be avoided?
The OS is Red Hat Enterprise Linux Workstation release 6.2 (Santiago).
You can use sudo for that.
You can allow your users to sudo your script and only that script.
Step by step:
- Create a system "executor_account" account (you can use any name) and give it permissions to your script. Don't use the root account for that.
- Configure sudo.
You have to learn how to use sudo and allow your users to make "sudo executor_account myscript.sh" and nothing more. It is possible to allow them to execute a file that they can't. I'm not a Linux expert, so I will not explain this, but you can find many tutorials about sudo everywhere.
I think that's the only way to allow a user to execute a file that he cannot read.
The script will run from another user account, so eventual "products" of the script (logs etc.) will be owned by that special account you created. You have to deal with that somehow if the script, or a program executed by the script, is producing some files.
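The sudo setup described in the answer above, written out as an added example that is not part of the original answers. The install path, the scriptusers group and the drop-in file name are assumptions, and it assumes /etc/sudoers includes /etc/sudoers.d.

```shell
#!/bin/sh
# Added example. RUNAS is the account named in the answer; SCRIPT, GROUP and
# DROPIN are assumed names. Assumes /etc/sudoers has "#includedir /etc/sudoers.d".
RUNAS=executor_account
SCRIPT=/opt/executor/myscript.sh
GROUP=scriptusers
DROPIN=/etc/sudoers.d/myscript

# Print the sudoers rule: members of group $1 may run exactly $3 as user $2.
sudoers_rule() {
    printf '%%%s ALL=(%s) %s\n' "$1" "$2" "$3"
}

# Succeed only if neither the script nor its directory is writable by group
# or others. Anyone who can replace the file gets to run code as $RUNAS.
# Returns 0 if safe, 1 if writable, 2 if a path is missing.
audit_script() {
    for p in "$1" "$(dirname "$1")"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; return 2; }
        perms=$(ls -ld -- "$p" | cut -c1-10)   # e.g. -r-xr-x---
        case "$perms" in
            ?????w????|????????w?)
                echo "writable by group/other: $p" >&2; return 1 ;;
        esac
    done
    return 0
}

# Run as root with the source script as $1. Creates the account, installs the
# script so that only root and $RUNAS can read it, and adds a checked drop-in.
install_all() {
    useradd --system --user-group --shell /sbin/nologin "$RUNAS" || return 1
    install -d -o root -g root -m 0755 "$(dirname "$SCRIPT")" || return 1
    install -o root -g "$RUNAS" -m 0550 "$1" "$SCRIPT" || return 1
    audit_script "$SCRIPT" || return 1
    tmp=$(mktemp) || return 1
    sudoers_rule "$GROUP" "$RUNAS" "$SCRIPT" > "$tmp"
    # visudo -c rejects a malformed rule before it can break sudo.
    visudo -cf "$tmp" && install -o root -g root -m 0440 "$tmp" "$DROPIN"
    rc=$?; rm -f "$tmp"; return $rc
}

# Permitted users then run:
#   sudo -u executor_account /opt/executor/myscript.sh
```

Because the installed file is owned by root and only group-readable by the run-as account, neither the invoking users nor the script itself can rewrite it.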
No, it's not possible with Linux file permissions. Users must be able to read the shell script in order to execute it - and that means they can make a copy, modify it, and run it.
This is a bit kludgy, but – write a C program that looks like this:
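#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    FILE *sh;

    /* Start a shell whose standard input is the pipe we write to. */
    sh = popen("/bin/sh", "w");     // Use "/bin/bash" if you need to.
    if (sh == (FILE *)NULL) {
        perror("popen");
        exit(1);
    }
    /* <-------- Insert magic here. */
    pclose(sh);     /* a popen() stream is closed with pclose(), which waits for the shell */
    return 0;
}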
At the “Insert magic here.” point, insert code to write the script to sh; for example,
fprintf(sh, "for x in red blue green\n");
fprintf(sh, "do\n");
fprintf(sh, " echo x = \"$x\"\n");
fprintf(sh, "done\n");
If it’s more than just a few lines, it may be more manageable to store it as a string array. Then compile this program and make the binary execute-only (e.g., mode 710 or 711).
No solution will be foolproof, because users will be able to see what commands are being run by using ps in another window, but that would give them only fragmentary glimpses at the script.
Of course, if the logic of your script is really sensitive, the real answer is to translate it into a compilable language.