Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Posting-Version: version B 2.10.3 alpha 4/15/85; site ucbvax.ARPA Path: utzoo!watmath!clyde!burl!ulysses!ucbvax!kre From: kre@ucbvax.ARPA (Robert Elz) Newsgroups: net.unix Subject: Re: inconsistency on read/execute permissions for shell procedures Message-ID: <8839@ucbvax.ARPA> Date: Sun, 7-Jul-85 03:47:23 EDT Article-I.D.: ucbvax.8839 Posted: Sun Jul 7 03:47:23 1985 Date-Received: Mon, 8-Jul-85 00:46:49 EDT References: <761@wanginst.UUCP> <264@tove.UUCP> Organization: University of California at Berkeley Lines: 43 Summary: Kludge workaround for 4.2 bsd sites In article <264@tove.UUCP>, steve@tove.UUCP (Steve D. Miller) writes: > In article <761@wanginst.UUCP> gill@wanginst.UUCP (Timothy Gill) writes: > >All of the UNIX documentation I read states that programs and other > >executable files (shell procedures) are equivalent.... > > ...... For a shell procedure to run for > >those users, there must also be read permission on the file: > > > >This is clearly inconsistent. ... > > I admit that it's inconvenient; maybe someone else has a better > workaround than the one I use (I rewrite it in C). > -- On 4.2, you can create a new (not used for anything else) group, and make the shell script setgid to that group (it must be a #! type shell script). Then make its permissions be 2751. (Setgid, rwx to the owner, rx to the group, and x only to the rest of the world (everyone bar the owner, as by construction, there is no-one in the group)) Then the shell will start up in the group of the script, and be able to open it. If the process running the script was also setgid (to a different group) you lose, but apart from that this works. (The process remains in all the groups that it was in, so doesn't lose permission to access any files, and groups are used for nothing else (file creation group is inherited from the parent directory)) All set[ug]id shell scripts have security problems, but here you have nothing much to lose. All a security cracker here can get is access to the new group, and all that enables him to do is read the shell script (or scripts) - which without this hack he must be able to do to execute them. So, don't rely on this to protect secret data in the scripts, but if all you want it to stop people prying into your horrible sh (or worse, csh) coding techniques, then it will serve. This can't work on SysV, as groups are used for file creation, and there is no such thing as a setgid sh script anyway. Robert Elz ps: On 4.3 the '-b' flag must be included on the #! line for the shell.