LinuxQuestions.org
Old 08-10-2009, 11:57 AM   #1
dexznrl
Member
 
Registered: Jul 2009
Posts: 36

Rep: Reputation: 0
run bash script without shell access


Hello,

Does anybody know an easy way to do this?

A friend of mine needs to be able to run a bash script on my "server". How can I give him access to run this script without giving him access to shell?
Is it also possible to let him run the script but not give him read access to the script itself?

Best regards

Johan
 
Old 08-10-2009, 12:08 PM   #2
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 738
I think you may have some semantics issues. In this context, BASH IS the shell---the BASH script is an aggregation of shell commands so you have to have access to the shell to run it.

Permissions can be set to allow any combination of read, write, and execute. Suppose your user is in the "special" group. Do something like this:
Code:
chown :special filename   ##assigns filename to the "special" group
chmod 710 filename   ##Sets permissions:  owner:full, group: execute only,other:none
 
Old 08-10-2009, 12:43 PM   #3
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 670
How does he access the server? If it is by ssh, you can use a Match clause along with a ForceCommand entry below it. There is an example in the /etc/ssh/sshd_config file.

Code:
# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
 
Old 08-10-2009, 12:49 PM   #4
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,063

Rep: Reputation: 381
Quote:
Originally Posted by dexznrl
Hello,

Does anybody know an easy way to do this?

A friend of mine needs to be able to run a bash script on my "server". How can I give him access to run this script without giving him access to shell?
The script, as pixellany said, will run inside a shell. There's no other way, that's what shell scripts are: a sequence of shell commands that will be interpreted by whatever shell fits.

Maybe you mean to run it without giving your friend access to an *interactive* shell. That's possible: you could just set your custom script as your friend's shell, so when he logs in the script will be launched, and once it's over the session will be closed automatically. You can do so with many system tools, or just by editing the /etc/passwd file. Just find the line for your friend's user, and change the shell (usually /bin/bash) to whatever binary or script you want to run. This might be complete nonsense, though, depending on what exactly you want to do from that shell script, so might I ask what the final purpose of this is?


Quote:
Is it also possible to let him run the script but not give him read access to the script itself?
No. His shell needs to read the script to be able to run the commands that live inside the script.
 
Old 08-10-2009, 12:53 PM   #5
dexznrl
Member
 
Registered: Jul 2009
Posts: 36

Original Poster
Rep: Reputation: 0
Backups

He is running some backups on my server and he's running a script afterward to make generation copies.

I'm gonna try the idea to put the script as his shell. =) Might just work.

Now the only problem is to keep the script secret from him. I don't want him browsing around my server god dammit =))
 
Old 08-10-2009, 12:55 PM   #6
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 738
Quote:
Originally Posted by i92guboj
No. His shell needs to read the script to be able to run the commands that live inside the script.
Looks like I might have made a boo-boo!! Time to go run a test....

<<ADD:
OK, so a script needs BOTH read and execute privileges to run!! (not intuitively obvious....)

Last edited by pixellany; 08-10-2009 at 01:01 PM.
 
Old 08-10-2009, 01:12 PM   #7
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,063

Rep: Reputation: 381
Yup. Note that opening a script, which is a text file, is not too different from opening an ascii doc with -let's say- vim, emacs or nano. Bash needs to read it first, then it runs the commands.

In fact, strictly speaking, you could run the script without having +x on it; the only strict requirement to open the file is +r. Without +x you can still do

Code:
sh whatever.sh
And it will run. Alternatively you could also dump it in the current shell (assuming you have an interactive shell open):

Code:
cat foo.sh | while read -r line; do eval "$line"; done
Which is just a funny way to do:

Code:
source whatever.sh
However not all scripts will behave correctly when sourced.
 
Old 08-10-2009, 01:18 PM   #8
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,063

Rep: Reputation: 381
Quote:
Originally Posted by dexznrl
He is running some backups on my server and he's running a script afterward to make generation copies.

I'm gonna try the idea to put the script as his shell. =) Might just work.

Now the only problem is to keep the script secret from him. I don't want him browsing around my server god dammit =))
On any regular server configuration he, as a normal user, will not have any permission to do any harm. An alternate idea that you might want to consider is setting this backup as a cron job (assuming that's doable and makes sense in your case). This cron job could just back up whatever needs to be backed up, then put it in his home and set the ownership and permissions for these files so he can just log in with ssh or access them via a web service or whatever fits you better, and pick the files or do whatever with them.

This way you completely take the script out of his reach. It would run with the cron user (or whatever id cron uses to run on your system), and he would only have access to the final product. Of course, this assumes that the backup process doesn't require human intervention to complete.
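
The cron approach from this post, sketched as an added example (not code from any poster in the thread): root's cron job publishes the finished backup into the friend's directory as read-only generation copies. The paths, the `backupfriend` account, the `KEEP` default and the function name are assumptions.

```shell
#!/bin/bash
# Added example: publish a finished backup as numbered generations.
# Assumed line in root's crontab (all paths and the user are hypothetical):
#   30 2 * * * /usr/local/sbin/publish-backup
# which would call:
#   publish_backup /var/backups/site.tar.gz /home/backupfriend/backups backupfriend

KEEP=${KEEP:-3}   # generations to keep (assumed default)

# publish_backup SRC DESTDIR [OWNER]
# Result: DESTDIR/NAME.1 is the newest copy, NAME.$KEEP the oldest.
publish_backup() {
    src=$1 dest=$2 owner=${3-}
    name=$(basename "$src")
    mkdir -p "$dest" || return 1

    # Drop the oldest generation, then shift the others up: .2 -> .3, .1 -> .2
    rm -f "$dest/$name.$KEEP"
    i=$KEEP
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        [ -e "$dest/$name.$prev" ] && mv "$dest/$name.$prev" "$dest/$name.$i"
        i=$prev
    done

    # Copy under a temporary name and fix the mode before renaming,
    # so the reader never sees a partial or writable file.
    tmp=$(mktemp "$dest/.$name.XXXXXX") || return 1
    cp "$src" "$tmp" && chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }

    # Changing ownership needs root; skipped when no owner is given.
    if [ -n "$owner" ]; then
        chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$dest/$name.1"
}
```

The friend's account then only needs read access to the destination directory; the script that produced the files is never visible to him.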
 
Old 08-10-2009, 01:18 PM   #9
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 738
What one might have assumed is that the execute privilege gave the user permission to have the shell run the script----then the shell would be running as root and would have read privileges without being given explicit permission.

Can you write a script that tells the shell to run it as root?

It seems that there would be many situations where you wanted a user to be able to run something without knowing what was in it. (obviously, compiling into a binary does it.)
 
Old 08-10-2009, 01:46 PM   #10
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 670
It would be a good idea to read this `OpenSSH Secure "how to"'. It has an example of a ForceCommand script. The example script traps CTRL-C to prevent the user from escaping to the shell. This is a good idea even if you aren't using ssh. By the way, the forced command works by launching the user's default shell with -c <command>, which is just what you are thinking of trying.

https://calomel.org/openssh.html
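
The Match/ForceCommand setup from posts #3 and #10, written out for this thread's case as an added example (it is not code from any poster or from the calomel.org page). The `backupfriend` account, both paths and the `rotate` keyword are assumptions; `SSH_ORIGINAL_COMMAND` is the variable sshd sets to whatever the client asked to run.

```shell
#!/bin/bash
# Added example: forced-command wrapper for a backup-only SSH account.
# Assumed sshd_config entry (user name and path are hypothetical):
#
#   Match User backupfriend
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand /usr/local/sbin/backup-gate
#
# sshd starts this wrapper through the account's login shell and puts the
# client's requested command in SSH_ORIGINAL_COMMAND. The wrapper only
# compares that string; it never evaluates it.

ROTATE_SCRIPT=${ROTATE_SCRIPT:-/usr/local/sbin/rotate-backups}  # assumed path

# Map the client's request to a fixed action; anything else is refused.
gate_decision() {
    case "$1" in
        rotate) echo run ;;               # the one permitted request (assumed keyword)
        "")     echo deny-interactive ;;  # plain "ssh host": no shell is given
        *)      echo deny-command ;;      # e.g. "ls /" or "rotate; sh"
    esac
}

gate_main() {
    # Ignore Ctrl-C, Ctrl-\ and Ctrl-Z; ignored signals stay ignored across exec.
    trap '' INT QUIT TSTP
    case "$(gate_decision "${SSH_ORIGINAL_COMMAND-}")" in
        run)
            exec "$ROTATE_SCRIPT" ;;
        *)
            logger -t backup-gate "refused: ${SSH_ORIGINAL_COMMAND-<interactive>}" 2>/dev/null
            echo "Only 'rotate' is permitted on this account." >&2
            return 1 ;;
    esac
}

# Act only when invoked under the installed name, so the file can also be
# sourced or tested without side effects.
case "$0" in
    *backup-gate) gate_main ;;
esac
```

With this in place the friend runs `ssh backupfriend@server rotate`; the wrapper and the rotation script can be owned by root and unreadable to him only if they are started by something he cannot read around, so treat the script contents as visible unless the cron approach from post #8 is used instead.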
 
  

