Preventing users from corrupting and using a script

1

Is it possible to deny the right to copy files?

I have a script which should be executable by others. They are also allowed to read the file (though it would not be a problem to forbid reading). But I don't want the script to be changed and executed.

It's not a problem to set those permissions, but one could easily copy, change and run the script. Can this even be avoided?

The OS is Red Hat Enterprise Linux Workstation release 6.2 (Santiago).

EverythingRightPlace

Posted 2014-08-21T15:33:58.693

Reputation: 113

Just reset the permissions on the file and only set them to +rx or +x for the user (or group) that can execute it by chmod '+rx' <user or group> '<exec file>' – arielnmz – 2014-08-21T15:37:39.967

What OS? It really depends on OS whether you can have run-only scripts – Rich Homolka – 2014-08-21T15:39:15.730

@arielnmz Example: script.sh of user1 with permissions -rwxr-x--- can't be modified by myself. If I copy it (and therefore I am the owner of that copy) I am able to write and execute afterwards... @RichHomolka Edited the question – EverythingRightPlace – 2014-08-21T15:51:58.287

Then just remove the r permission bit from the file so it can't be copied. – arielnmz – 2014-08-26T01:16:57.647

Related:  Can a script be executable but not readable?

– Scott – 2018-03-23T04:17:27.027

Answers

2

You can use sudo for that.

You can allow your users to sudo your script and only that script.

Step by step:

  1. Create a system account "executor_account" (you can use any name) and give it permissions to your script. Don't use the root account for that.

  2. Configure sudo.

    You have to learn how to use sudo and allow your users to make "sudo executor_account myscript.sh" and nothing more. It is possible to allow them to execute a file that they can't. I'm not a Linux expert, I will not explain this, but you can find many tutorials about sudo everywhere.

I think that's the only way to allow a user to execute a file that he cannot read.

The script will run from another user account, so eventual "products" of the script (logs etc.) will be owned by that special account you created. You have to deal with that somehow if the script or a program executed by the script is producing some files.

Kamil

Posted 2014-08-21T15:33:58.693

Reputation: 2 524
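One way to carry out the two steps from the sudo answer above, as an added example that is not part of the original answer. The group `script_users`, the path `/usr/local/bin/myscript.sh` and the file name `/etc/sudoers.d/myscript` are assumptions, as is `/etc/sudoers` including the `/etc/sudoers.d` directory.

```shell
#!/bin/sh
# Added example. Assumed names: CALLERS group, TARGET path, sudoers.d file name.
RUNAS=executor_account              # account name used in the answer
CALLERS=script_users                # assumed group of users allowed to run the script
TARGET=/usr/local/bin/myscript.sh   # assumed install location (root-owned directory)

# Print a sudoers rule: members of group $2 may run exactly $3 as user $1.
# The trailing "" tells sudo to refuse any command-line arguments.
sudoers_rule() {
    case "$3" in
        /*) ;;                      # sudoers commands must be absolute paths
        *)  echo "path must be absolute: $3" >&2; return 1 ;;
    esac
    case "$1$2$3" in                # refuse anything that would need sudoers escaping
        *[!A-Za-z0-9_./-]*) echo "unsupported character in rule" >&2; return 1 ;;
    esac
    printf '%%%s ALL=(%s) %s ""\n' "$2" "$1" "$3"
}

# Run as root. $1 is the script to publish.
install_wrapper() {
    getent group "$CALLERS" >/dev/null || groupadd "$CALLERS" || return 1
    id "$RUNAS" >/dev/null 2>&1 || useradd -r -U -M -s /sbin/nologin "$RUNAS" || return 1
    # Owner root, group = run-as account, no access for others: callers cannot
    # read or copy the file, and the run-as account cannot modify it.
    install -o root -g "$RUNAS" -m 0750 "$1" "$TARGET" || return 1
    tmp=$(mktemp) || return 1
    sudoers_rule "$RUNAS" "$CALLERS" "$TARGET" > "$tmp" &&
        visudo -c -f "$tmp" &&      # syntax-check before the rule goes live
        install -o root -g root -m 0440 "$tmp" /etc/sudoers.d/myscript
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Users in $CALLERS then run: sudo -u executor_account /usr/local/bin/myscript.sh
if [ "${1:-}" = "--install" ]; then
    install_wrapper "$2"
fi
```

Files the script creates will belong to `executor_account`, so any output directory has to be writable by that account and readable by whoever needs the results.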

1

No, it's not possible with Linux file permissions. Users must be able to read the shell script in order to execute it - and that means they can make a copy, modify it, and run it.

nobody

Posted 2014-08-21T15:33:58.693

Reputation: 466

1

This is a bit kludgy, but – write a C program that looks like this:

    #include <stdio.h>
    #include <stdlib.h>

    int main(void)
    {
            FILE    *sh;

            sh = popen("/bin/sh", "w");            // Use "/bin/bash" if you need to.
            if (sh == (FILE *)NULL) {
                    perror("popen");
                    exit(1);
            }
            /* <-------- Insert magic here. */
            pclose(sh);                            // A stream opened with popen() is closed with pclose().
            return 0;
    }

At the “Insert magic here.” point, insert code to write the script to sh; for example,

        fprintf(sh, "for x in red blue green\n");
        fprintf(sh, "do\n");
        fprintf(sh, "        echo x = \"$x\"\n");
        fprintf(sh, "done\n");

If it’s more than just a few lines, it may be more manageable to store it as a string array.  Then compile this program and make the binary execute-only (e.g., mode 710 or 711).

No solution will be foolproof, because users will be able to see what commands are being run by using ps in another window, but that would give them only fragmentary glimpses at the script.

Of course, if the logic of your script is really sensitive, the real answer is to translate it into a compilable language.

G-Man Says 'Reinstate Monica'

Posted 2014-08-21T15:33:58.693

Reputation: 6 509