LinuxQuestions.org


dexznrl 08-10-2009 10:57 AM

run bash script without shell access
 
Hello,

Does anybody know an easy way to do this?

A friend of mine needs to be able to run a bash script on my "server". How can I give him access to run this script without giving him access to shell?
Is it also possible to let him run the script but not give him read access to the script itself?

Best regards

Johan

pixellany 08-10-2009 11:08 AM

I think you may have some semantics issues. In this context, BASH IS the shell---the BASH script is an aggregation of shell commands so you have to have access to the shell to run it.

Permissions can be set to allow any combination of read, write, and execute. Suppose your user is in the "special" group. Do something like this:
Code:

chown :special filename  ##assigns filename to the "special" group
chmod 710 filename  ##Sets permissions:  owner:full, group: execute only,other:none


jschiwal 08-10-2009 11:43 AM

How does he access the server? If it is by ssh, you can use a Match clause along with a ForceCommand entry below it. There is an example in the /etc/ssh/sshd_config file.

Code:

# Example of overriding settings on a per-user basis
#Match User anoncvs
#      X11Forwarding no
#      AllowTcpForwarding no
#      ForceCommand cvs server


i92guboj 08-10-2009 11:49 AM

Quote:

Originally Posted by dexznrl (Post 3638016)
Hello,

Does anybody know an easy way to do this?

A friend of mine needs to be able to run a bash script on my "server". How can I give him access to run this script without giving him access to shell?

The script, as pixellany said, will run inside a shell. There's no other way, that's what shell scripts are: a sequence of shell commands that will be interpreted by whatever shell fits.

Maybe you mean to run it without giving your friend access to an *interactive* shell. That's possible: you could just set your custom script as your friend's shell, so when he logs in the script will be launched, and once it's over the session will be closed automatically. You can do so with many system tools, or just by editing the /etc/passwd file. Just find the line for your friend's user, and change the shell (usually /bin/bash) to whatever binary or script you want to run. This might be complete nonsense, though, depending on what exactly you want to do from that shell script, so might I ask what the final purpose of this is?


Quote:

Is it also possible to let him run the script but not give him read access to the script itself?

No. His shell needs to read the script to be able to run the commands that live inside the script.

dexznrl 08-10-2009 11:53 AM

Backups
 
He is running some backups on my server and he's running a script afterward to make generation copies.

I'm gonna try the idea to put the script as his shell. =) Might just work.

Now the only problem is to keep the script secret from him. I don't want him browsing around my server god dammit =))

pixellany 08-10-2009 11:55 AM

Quote:

Originally Posted by i92guboj (Post 3638075)
No. His shell needs to read the script to be able to run the commands that live inside the script.

Looks like I might have made a boo-boo!! Time to go run a test....;)

<<ADD:
OK, so a script needs BOTH read and execute privileges to run!! (not intuitively obvious....)

i92guboj 08-10-2009 12:12 PM

Yup. Note that opening a script, which is a text file, is not too different from opening an ASCII doc with -let's say- vim, emacs or nano. Bash needs to read it first, then it runs the commands.

In fact, strictly speaking, you could run the script without having +x on it; the only strict requirement to open the file is +r. Without +x you can still do

Code:

sh whatever.sh

And it will run. Alternatively you could also dump it in the current shell (assuming you have an interactive shell open):

Code:

# Redirect instead of piping from cat, so the loop runs in the current shell
while IFS= read -r line; do eval "$line"; done < foo.sh

Which is just a funny way to do:

Code:

source whatever.sh

However not all scripts will behave correctly when sourced.

i92guboj 08-10-2009 12:18 PM

Quote:

Originally Posted by dexznrl (Post 3638082)
He is running some backups on my server and he's running a script afterward to make generation copies.

I'm gonna try the idea to put the script as his shell. =) Might just work.

Now the only problem is to keep the script secret from him. I don't want him browsing around my server god dammit =))

On any regular server configuration he, as a normal user, will not have any permission to do any harm. An alternate idea that you might want to consider is setting this backup as a cron job (assuming that's doable and makes sense in your case). This cron job could just back up whatever needs to be backed up, then put it in his home and set the ownership and permissions for these files so he can just log in with ssh or access them via a web service or whatever fits you better, and pick the files or do whatever with them.

This way you completely take the script out of his reach. It would run with the cron user (or whatever id cron uses to run on your system), and he would only have access to the final product. Of course, this assumes that the backup process doesn't require human intervention to complete.

pixellany 08-10-2009 12:18 PM

What one might have assumed is that the execute privilege gave the user permission to have the shell run the script----then the shell would be running as root and would have read privileges without being given explicit permission.

Can you write a script that tells the shell to run it as root?

It seems that there would be many situations where you wanted a user to be able to run something without knowing what was in it. (obviously, compiling into a binary does it.)

jschiwal 08-10-2009 12:46 PM

It would be a good idea to read this `OpenSSH Secure "how to"'. It has an example of a ForceCommand script. The example script traps CTRL-C to prevent the user from escaping to the shell. This is a good idea even if you aren't using ssh. By the way, the forced command works by launching the user's default shell with -c <command>, which is just what you are thinking of trying.

https://calomel.org/openssh.html
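
Added example, not part of the thread or of the linked how-to: a forced-command wrapper of the kind discussed above, which ignores terminal signals and treats the client's request as data matched against a fixed list. The account name `friend`, the `backup-gate` and `rotate-backups.sh` paths and the `/srv/backups` directory are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper, installed as /usr/local/bin/backup-gate (constructed path).
# sshd_config stanza that pins the account to it (user name is an assumption):
#   Match User friend
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand /usr/local/bin/backup-gate
#
# sshd starts the forced command through the user's shell with -c and places
# whatever the client asked to run in SSH_ORIGINAL_COMMAND. That string is
# only compared against fixed words here; it is never eval'd or executed.

# Assumed locations of the owner's generation-copy script and backup directory.
ROTATE_SCRIPT="${ROTATE_SCRIPT:-/usr/local/sbin/rotate-backups.sh}"
BACKUP_DIR="${BACKUP_DIR:-/srv/backups}"

# Map the client's request to one fixed action name; everything else is denied.
gate_decide() {
    case "$1" in
        ''|rotate) echo rotate ;;   # plain login or explicit "rotate"
        list)      echo list ;;
        *)         echo deny ;;
    esac
}

gate_run() {
    # Ctrl-C, Ctrl-\ and Ctrl-Z must not drop the session into a shell.
    trap '' INT QUIT TSTP
    action=$(gate_decide "${SSH_ORIGINAL_COMMAND:-}")
    case "$action" in
        rotate) "$ROTATE_SCRIPT" ;;
        list)   ls -l "$BACKUP_DIR" ;;
        *)      echo "request refused" >&2
                return 1 ;;
    esac
}

# Act only when invoked under the installed name, then end the session.
if [ "${0##*/}" = backup-gate ]; then
    gate_run
    exit $?
fi
```

The script itself must stay readable by the account that runs it, so anything that has to remain private belongs in files the wrapper's actions do not expose.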


All times are GMT -5.