1

I want to allow users to execute a bash script that contains sensitive data. Thus, I don't want them to have reading permissions. A 'direct' solution seems to be impossible, but I may have found a workaround in the expect man page:

Create the Expect script (that contains the secret data) as usual. Make its permissions be 750 (-rwxr-x---) and owned by a trusted group, i.e., a group which is allowed to read it. If necessary, create a new group for this purpose. Next, create a /bin/sh script with permissions 2751 (-rwxr-s--x) owned by the same group as before.

I've tried to replicate this as follows: In a folder, I have two scripts:

script.sh:

#!/bin/sh
echo "targetscript echo"

runscript.sh:

#!/bin/sh
echo "runscript echo"
groups
./script.sh

I gave them the rights as suggested in the man page:

groupadd scriptrunner
chown {myusername}:scriptrunner runscript.sh
chmod 2751 runscript.sh
chown root:scriptrunner script.sh
chmod 750 script.sh

The output of ls -l appears to be alright:

-rwxr-s--x. 1 {myusername} scriptrunner 51 Aug 25 13:04 runscript.sh
-rwxr-x---. 1 root         scriptrunner 35 Aug 25 13:01 script.sh

However, when I run ./runscript.sh without root, I get the following error:

runscript echo
{myusername} wheel
./runscript.sh: line 4: ./script.sh: Permission denied

I don't know what went wrong. Can anyone help me?

ekad
  • 14,436
  • 26
  • 44
  • 46
MrTomRod
  • 345
  • 2
  • 16
  • Is the user executing the script a member of the "scriptrunner" group? – Raman Sailopal Aug 25 '17 at 12:03
  • If there is sensitive data then it should be encrypted - even if you succeeded in running your script without read permissions or converted it to an executable binary (ELF). The data could be viewed using a tool like `truss`, `strace` or `ptrace` by anyone using the same username which runs the process. A possible work-around is to make run requests to a daemon running under another username. – cdarke Aug 25 '17 at 13:48

1 Answers1

3

I'll go back to the root problem as I think it's easier to solve without the expect hack.

So, what you need is having the execute permission on your script but not the reading permission. That is only possible for binaries (i.e. not interpreted scripts)- see details here https://unix.stackexchange.com/questions/34202/can-a-script-be-executable-but-not-readable

So maybe you'll be better off by first compiling your bash script into a binary (with shc - see here https://unix.stackexchange.com/questions/64762/how-to-convert-a-shell-script-into-a-binary-executable) and then set the execute only permission on the binary. Afterwards your users should be able to execute (but not read) the binary.