LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 08-20-2007, 11:59 PM   #1
bharaniks
Member
 
Registered: May 2005
Distribution: Red Hat Linux
Posts: 36

Rep: Reputation: 15
Restrict a Shell Script to run from a shell


Hi,

I'm using two shell scripts named as SCR1 and SCR2

Where in this script SCR2 is called from script SCR1.

Ex :
-----------------------
#!/bin/sh
#
# Script SCR1
#
#
/home/user/SCR2
-----------------------

My Requirement is to restrict the script SCR2 to run directly from
the command prompt or from any other script. But it should be
executed when ever it is called only from the script SCR1.

Please let me know whether is there any option / variable in
Linux by default to find the script execution type.

Or kindly suggest a better option.

Thankyou.
 
Old 08-21-2007, 03:57 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,143
Blog Entries: 54

Rep: Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791
Or kindly suggest a better option.
Then please first tell us what the script does and why it is important that executing this script should be restricted this way?


script 1 "filename0":
Code:
#!/bin/sh -
set -e
# Start this script only with a full path
# SHA1 hash of the /path/and/filename0
MYLOC=`echo $0|sha1sum`
# Export it
declare -r -x MYLOC=${MYLOC:0:39}
# Export the Process ID of this process
declare -r -x MYPID=$$
# Execute the script with full path
/path/and/filename1
exit 0
script 2 "filename1":
Code:
#!/bin/sh -
set -e
# Execute lame checks. In order:
# 0. PID of running parent "filename0" against exported PID
# 1. Parent PID of running process "filename1" against exported PID
# 2. SHA1 hash of filename0 against exported value
[ `pgrep -f filename0` -ne ${MYPID:=0} \
-a ${MYPID:=0} -ne ${PPID:=-1} \
-a  "${MYLOC:=0}" != "MANUALLY_INSERT_SHA1_HASH_OF_/path/to/filename0" ] \
&& echo false || echo true
exit 0
Where it reads "MANUALLY_INSERT_SHA1_HASH_OF_/path/to/filename0" you insert the value of running 'sha1sum /path/to/filename0 | cut -c 1-40'. I don't think this will be as tightly restricted as it should be, but you get the idea. Besides, this isn't a Linux Security question but one for the Programming forum so I'll move it there.
 
Old 08-21-2007, 04:46 AM   #3
bharaniks
Member
 
Registered: May 2005
Distribution: Red Hat Linux
Posts: 36

Original Poster
Rep: Reputation: 15
Actually script SCR1 is executed by the user and which calls the
script SCR2.

SCR2 is executed (i.e, called from SCR1) as below mentioned

------------------------------------------
#
sudo -u root /home/user/SCR2 DATA1 DATA2
#
#(To write in to a file owned by root)
------------------------------------------


SCR2 will be like :
-----------------------
#!/bin/sh
#
# Script SCR2
#
#
echo -e "$1 - $2" >>/home/user/LogFile
-----------------------

Below are the details of file /home/user/LogFile are :
-rw-r--r-- root root /home/user/LogFile


Now the user has a option to write in to the file (owned by root)
any time using command "sudo -u root /home/user/SCR2" in shell,
Which should not be possible by the user.

Hope this is clear to you and let me know if any more details required.

And also please let me know whether your suggestion will suit my
requirement.
 
Old 08-21-2007, 07:33 AM   #4
reverse
Member
 
Registered: Apr 2007
Distribution: Gentoo
Posts: 337

Rep: Reputation: 30
I sincerely don't see the need for two script files, just use a function instead?
 
Old 08-25-2007, 11:50 AM   #5
WAJEDUR REHMAN
Member
 
Registered: Aug 2007
Posts: 43

Rep: Reputation: 15
Your Requirement is to restrict the script SCR2 to run directly from
the command prompt or from any other script.
But it should be executed when ever it is called only from the script SCR1.

Can you write some line in SCR1 to change permission of SCR2 to executable and at the end revert it to nonexecutable
 
Old 08-26-2007, 08:44 AM   #6
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 231Reputation: 231Reputation: 231
I have read through your statement of your problem several times & I still do not understand what you say you want. Everything else you say implies that SCR2 should run only when called from SCR1, & not when it is called from any other script or directly from the CLI. The problem is that in English as I learned it (from birth) & every Logic or Math class I took, "restrict to" precedes a list of what is allowed not what is denied -- as you seem to be doing. For example, our (U.S.) military will "restrict to base" or "restrict to quarters". Please clarify the statement of your problem.

I 2nd the Q about why 2 scripts are necessary.
 
Old 08-26-2007, 10:37 PM   #7
bharaniks
Member
 
Registered: May 2005
Distribution: Red Hat Linux
Posts: 36

Original Poster
Rep: Reputation: 15
Thanks WAJEDUR REHMAN,

But the SCR1 will be executed by a user (say ABC) and the SCR2 will
be owned by root.

Even if we are changing the ownership of SCR2 to user ABC then
obviously the user can make the SCR2 as executable from shell
prompt itself (using command chmod 755 SCR2).

Thanks Again.

Any other suggestions.
 
Old 08-26-2007, 10:57 PM   #8
bharaniks
Member
 
Registered: May 2005
Distribution: Red Hat Linux
Posts: 36

Original Poster
Rep: Reputation: 15
Hi archtoad6,

We have a script SCR1 which is world Readable and Executable
rwxr-xr-x USER USER SCR1

The script SCR2 which can only be accessed by root
rwx------ root root SCR2

Whenever a user executes the script SCR1 from shell prompt
it will make certain checks and if all success then it will
call the script SCR2. Using "sudo", whoes example will be
sudo -u root /home/user/SCR2 DATA1 DATA2

Also we have a file /home/user/LogFile whoes permission
will be
rw-r--r-- root root LogFile

In this case SCR2 will write in to the LogFile as root.

So if the USER executes the below command in CLI
sudo -u /home/user/SCR2 DATA1 DATA2
then he/she can write in to the file /home/user/LogFile

Which should not be allowed and can only be done whenever
the checks are completed in SCR1.

PS :
The REASON why we have two scripts (SCR1 and SCR2) here is we
have multiple scripts in SCR1 which will be execucted based
on some criteria's like user name / terminal / time, So thats
why we have two scripts here.

Let me know if more details required.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
run shell script on cron varunbihani Linux - Newbie 5 07-08-2005 01:50 AM
How to run SHELL script pito Linux - Newbie 4 12-17-2004 03:05 AM
how do i run shell script? krt47 Linux - Newbie 4 08-02-2004 09:29 AM
how to run a shell script oasisbhrnw99 Linux - Newbie 1 05-05-2004 01:21 PM
how to run a shell script in Linux chandhru Linux - Newbie 2 09-27-2002 01:19 PM


All times are GMT -5. The time now is 05:49 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration