Circumvent user rights (cp)

fmhweb · 09-24-2012, 11:52 AM

Hi everyone,

I have a Script using the smbclient to replace an existing file.csv, executing it with _USER_1 (Control-M).

/etc/group
_GROUP_1:x:1001:_USER_1,_USER_2

The file/directory has the following rights:

drwxr-xr-x 2 _USER_1 _GROUP_1 4096 Sep 19 15:23 DIRECTORY_1
-rw-r--r-- 1 _USER_1 _GROUP_1 27937 Sep 24 13:09 file.csv

As _USER_1, I can obviously replace the file (rw)

Now the file has to be copied to this diretory and replace the existing file:

drwxr-xr-x 2 _USER_2 _GROUP_1 4096 Sep 19 15:23 DIRECTORY_2
-rw-r--r-- 1 _USER_2 _GROUP_1 27937 Sep 24 13:09 file.csv

Obviously the USER_1 only has read rights on the file inherited by _GROUP_1, so i cannot replace it. (r)

I have provided the following soloutions to our SAP admins:

1: Execute the script twice to replace the file, but with the appropriate user and path (Recommended - This is how they do it now)
2: Execute the script with the root user (Not recommended)
3: Using /etc/sudoers to give the user root rights when executing this specific script with _USER_1 (Rejected)
4: We give _GROUP_1 write rights for that directory (Rejected)

I believe it is fine how we do it now, but they want me to get it done using one script. (???)

1) Comming from Windows I was told to create a service account. But it would still need root rights, right?
2) As a bit of a newbie, I am not sure what other possible solutions there are and I am hoping for some hints?

JaseP · 09-24-2012, 12:32 PM

Is the idea of a service account to take files dumped there by (or into the account of) User_1 and transfer them to User_2's account?

If that's what is wanted,... The "service user account" simply needs read/write authority in the destination directory and, at least, read authority in the source directory (or read/write authority in the source directory if it is intended to "move" the file from there). It doesn't need full root authority.

As far as executing the script, that can be done as a cron job,... scheduled, so that no actual user has to log in to execute it. Or, if you want it to be really elaborate, you can have the script execute, essentially, as a daemon, scanning the directory for files matching a particular filter, and then "automatically" moving them. However, it's probably easier for the script just execute via cron on some regular interval,... else it could, if not properly set up, run away with itself, hogging processing bandwidth.

sag47 · 09-24-2012, 12:36 PM

Quote:

Originally Posted by JaseP

Is the idea of a service account to take files dumped there by (or into the account of) User_1 and transfer them to User_2's account?

If that's what is wanted,... The "service user account" simply needs read/write authority in the destination directory and, at least, read authority in the source directory (or read/write authority in the source directory if it is intended to "move" the file from there). It doesn't need full root authority.

As far as executing the script, that can be done as a cron job,... scheduled, so that no actual user has to log in to execute it. Or, if you want it to be really elaborate, you can have the script execute, essentially, as a daemon, scanning the directory for files matching a particular filter, and then "automatically" moving them. However, it's probably easier for the script just execute via cron on some regular interval,... else it could, if not properly set up, run away with itself, hogging processing bandwidth.

I agree, rather than having someone log into root why not just run a cron job as root. This way nobody has root permissions except the admin setting up the initial cron job. If the script is written right then it shouldn't matter if it's running as root and you can change permissions of the file once it has reached it's destination (i.e. change ownership to the new user).