If I were the administrator of an office network, I would often find a need to allow my users to do something while blocking them from knowing exactly what it was they were doing. My reasons commonly would be to maintain the security of the business.
Accepting that if it can be executed it can be read and understood, that does not mean at all that no attempts at security should be taken; after all, virtually all security consists of setting up a high enough wall that the intruder won't put forth the effort to climb it. If, for instance, my typical users are clerks and accountants and secretaries, the security precautions that will be adequate against them are far easier to implement than the procedures needed to protect against a person who is an expert on the system(s) that I am running. So, obfuscating scripts could be quite adequate. That said, in the particular case specified, I think I would use C programs rather than shell scripts, and make strace unavailable to the end users. Beyond that, I would simply keep an eye on the system logs and otherwise not worry about it. |
If they aren't to know what happens, why are they in control of when it happens? Did you consider cron? No one knows what these scripts do, making it difficult to really provide a solution, mostly because scripts aren't meant to be both executable yet undecipherable by the same user. I really think you should consider remote execution.
ta0kira |
The point is that if you set up sudo to ONLY RUN those scripts, they won't actually be able to read the src...
sudo does not mean having to give the users total root access, even though some people do that. |
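As an added example (not code from the thread), this is what "set up sudo to only run those scripts" looks like in practice: the script is installed root-owned with mode 0700, so the users' own cat, vi or shell get "Permission denied", while one sudoers line lets a group run exactly that path as root. The group name "clerks", the path /usr/local/sbin/daily_job.sh and the drop-in /etc/sudoers.d/daily_job are assumed names for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: install a job so that members of one
# group can run it as root through sudo but cannot read or edit it.  The group
# "clerks", the path /usr/local/sbin/daily_job.sh and the drop-in file
# /etc/sudoers.d/daily_job are assumed names for illustration.

# sudoers_rule GROUP SCRIPT -> prints the one line that lets GROUP run SCRIPT as
# root and nothing else.  sudoers needs the absolute path; NOPASSWD is optional.
sudoers_rule() {
    printf '%%%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# install_locked_script SRC DEST -> copy SRC to DEST as mode 0700.  Because sudo
# runs the script as root, root-only read permission is enough for execution.
# A script the users could write would let them run anything as root, so this
# mode matters more than the sudoers line itself.
install_locked_script() {
    if [ "$(id -u)" -eq 0 ]; then
        install -o root -g root -m 0700 "$1" "$2"
    else
        install -m 0700 "$1" "$2"       # non-root dry run: same mode, own user
    fi
}

# check_locked PATH -> succeeds only if PATH is exactly rwx------ (cut drops a
# trailing ACL/SELinux marker that ls may print after the mode string).
check_locked() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rwx------" ]
}

# write_sudoers_dropin GROUP SCRIPT FILE -> write the rule as a drop-in.  Files
# under /etc/sudoers.d must be mode 0440 and must not contain a dot or end in ~.
write_sudoers_dropin() {
    sudoers_rule "$1" "$2" > "$3"
    chmod 0440 "$3"
}

# check_sudoers FILE -> syntax-check a drop-in before sudo ever parses it.
check_sudoers() {
    visudo -cf "$1"
}
```

Run as root: install_locked_script ./daily_job.sh /usr/local/sbin/daily_job.sh, then write_sudoers_dropin clerks /usr/local/sbin/daily_job.sh /etc/sudoers.d/daily_job and check_sudoers /etc/sudoers.d/daily_job; the users then type sudo /usr/local/sbin/daily_job.sh. A user who already has root on the machine is not held back by any of this, which is the point made elsewhere in the thread.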
You can restart the computer with a "live" CD or other bootable *nix CD and access the files, anyway. What I was asking was why is it that the user chooses to run the script (by typing the command in) when they don't really know what it does? If it has an inherent immediacy then the user probably will know what it does, otherwise I don't see why it can't be done remotely or via cron.
ta0kira |
Quote:
Thanks unspawn for your reply. My concern is (finally) what if I have 200 machines and various users are using those systems. I want users to run those scripts on a daily basis but not be able to view or edit the contents of the scripts. Few users have root privileges on their machines. I think SUDO will not work in this case. Also, it is not possible to copy and SUDO those scripts on each and every PC. My only urge is to know whether anybody has a solution for this or not. Thanks. Waiting eagerly for the solution. |
Why won't sudo work? Please explain.
Do the scripts have to be run manually, can't you use cron? If you don't want the scripts to exist on the target systems, you need ssh. |
Quote:
Also, it can only be viewed in "vi", not in cat/less/more. It will be changed as in this example.
Code:
[root@eul1p3 vikas]# file OVO_Format.sh
Regards, vIKAS |
Quote:
Ans 2: Yes, users will untar the scripts on their PCs and run them manually. |
1. if they've got full root priv, there's no point in worrying about trying to hide stuff. They can do anything they want anyway...
2. To send a file to 200 PCs, generate a list and loop using scp. Ideally use auth keys so you don't have to put passwords in the script. Otherwise, look at using the expect tool to control the scp loop. Possibly also look at ssh-agent. If you do this you could also add an ssh line to run the remote script once it's loaded. Ideally of course you wouldn't be logging in as root remotely, but that's your option. |
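The scp-and-ssh loop suggested in point 2, written out as an added example (not code from the thread). It reads a host list, copies one script to each host with key-based, non-interactive ssh (BatchMode, so a missing key fails instead of prompting for a password), runs it there, and reports which hosts failed. The hostnames in the sample list are constructed; SCP and SSH can be overridden to dry-run the loop.

```shell
#!/bin/sh
# Added example, not from the thread: push one script to a list of hosts and
# run it there, using key-based ssh so no password sits in the loop.  SCP and
# SSH may be overridden (e.g. SCP="echo scp") to print the commands instead of
# running them; the host names used below are constructed.

SCP=${SCP:-scp}
SSH=${SSH:-ssh}
SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=10"   # never prompt; fail fast

# deploy_to_hosts HOSTFILE LOCAL_SCRIPT REMOTE_PATH
# Copies LOCAL_SCRIPT to REMOTE_PATH on every host in HOSTFILE (one per line,
# blank lines and '#' comments ignored, "user@host" entries allowed) and then
# executes it there.  Returns 0 if every host succeeded, 1 otherwise; the
# failed hosts are listed on stderr so the run can be repeated for them only.
deploy_to_hosts() {
    hostfile=$1 script=$2 remote=$3
    failed=0
    while IFS= read -r host || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac
        # </dev/null keeps ssh from swallowing the rest of the host list,
        # the classic bug in "while read host; do ssh $host ...; done".
        if $SCP $SSH_OPTS "$script" "$host:$remote" </dev/null &&
           $SSH $SSH_OPTS "$host" "$remote" </dev/null; then
            printf 'ok: %s\n' "$host"
        else
            printf 'FAILED: %s\n' "$host" >&2
            failed=$((failed + 1))
        fi
    done < "$hostfile"
    [ "$failed" -eq 0 ]
}

# Stand-alone dry run: sh deploy.sh --dry-run (prints the commands, runs none).
if [ "${1-}" = "--dry-run" ]; then
    tmp=$(mktemp -d)
    printf '# constructed host list\npc001.example.net\npc002.example.net\n' > "$tmp/hosts"
    printf '#!/bin/sh\necho daily job\n' > "$tmp/job.sh"
    SCP="echo scp" SSH="echo ssh" deploy_to_hosts "$tmp/hosts" "$tmp/job.sh" /usr/local/sbin/daily_job.sh
    rm -r "$tmp"
fi
```

The key used for this loop should be a dedicated deployment key loaded into ssh-agent for the duration of the run, not a root login key; with a non-root deployment user on the far side, the remote line becomes a sudo call covered by a sudoers rule for that one path.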
Quote:
I'll simplify it more... 1) Users have root privileges on their systems but they are not expert enough to do these SUDO or decryption tasks. I just want them to execute those scripts. When they try to vi or cat or more or less those scripts, they can see the contents, or even though they can see it, it should be visible in encoded text so that they don't edit/know the code. That's it. |
Shell scripts
Why not just put it on as a cron job? Or create a local shell script that calls another using at or batch. That way they won't have direct access to the script?
##########
You could complicate it more... have them run a local script that creates a "flag file" in a 'watched' directory.
You as root have a cron that runs checking for that "flag file".
Once detected, your secret shell runs, and the flag is deleted at the end of the shell, then use sendmail to let them know the result.
########## |
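The flag-file hand-off just described, as an added example that is not code from the thread. The unprivileged user's local script only creates an empty flag in a drop directory; a root cron job calls watch_flags, which runs the root-only job once per flag, identifies the requester by the flag's owner rather than by anything written in it, deletes the flag, and leaves the output where the requester can read it (and mails it if a mailer is available). The directory layout, the job path and the mode numbers are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: the "flag file" hand-off.  Assumed layout:
#   DROP_DIR    mode 1733 root:root  - users can create flags but cannot list or
#                                      remove anyone else's
#   RESULT_DIR  mode 0755 root:root  - results are written here as 0644 files
#   JOB         mode 0700 root:root  - the script the users never get to read
DROP_DIR=${DROP_DIR:-/var/spool/daily-job}
RESULT_DIR=${RESULT_DIR:-/var/spool/daily-job/results}
JOB=${JOB:-/usr/local/sbin/daily_job.sh}

# request_run: the whole of the users' local script.  The flag is empty; its
# owner (set by the kernel) is the only thing the watcher trusts about it.
request_run() {
    : > "$DROP_DIR/$(id -un).flag"
}

# notify USER STATUS RESULTFILE -> mail the result if a mailer exists.
# MAILER may be overridden (e.g. MAILER=: to silence it in a test).
notify() {
    mailer=${MAILER:-sendmail -t}
    command -v "${mailer%% *}" >/dev/null 2>&1 || return 0
    {
        printf 'To: %s\nSubject: daily job %s\n\n' "$1" "$2"
        cat "$3"
    } | $mailer
}

# watch_flags: what root's cron entry calls.  Runs JOB once per pending flag,
# removes the flag, and prints how many requests were served.  Nothing in the
# flag is read or executed, so a user cannot smuggle input into the root job.
watch_flags() {
    ran=0
    for flag in "$DROP_DIR"/*.flag; do
        [ -f "$flag" ] || continue          # no flags: the glob stays literal
        owner=$(stat -c %U "$flag" 2>/dev/null || stat -f %Su "$flag")
        result="$RESULT_DIR/$owner.$(date +%Y%m%d).log"
        if "$JOB" >"$result" 2>&1; then status=ok; else status=FAILED; fi
        rm -f "$flag"
        notify "$owner" "$status" "$result"
        ran=$((ran + 1))
    done
    echo "$ran"
}
```

A root crontab line such as */5 * * * * /usr/local/sbin/flag_watcher.sh (assumed name) calling watch_flags completes the loop; wrap the call in flock if the job can run longer than the cron interval, so two watchers never serve the same flag twice.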