LinuxQuestions.org
Old 10-11-2008, 11:36 AM   #31
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116

If I am the administrator of an office network, I would often find a need to allow my users to do something while blocking them from knowing exactly what it was they were doing. My reasons commonly would be to maintain the security of the business.

Accepting that if it can be executed it can be read and understood, that does not mean at all that no attempts at security should be taken; after all, virtually all security consists of setting up a high enough wall that the intruder won't put forth the effort to climb it.

If, for instance, my typical users are clerks and accountants and secretaries, the security precautions that will be adequate against them are far easier to implement than the procedures needed to protect against a person who is an expert on the system(s) that I am running. So, obfuscating scripts could be quite adequate.

That said, in the particular case specified, I think I would use C programs rather than shell scripts, and make strace unavailable to the end users. Beyond that, I would simply keep an eye on the system logs and otherwise not worry about it.
 
Old 10-11-2008, 05:52 PM   #32
ta0kira
Senior Member
 
Registered: Sep 2004
Distribution: FreeBSD 9.1, Kubuntu 12.10
Posts: 3,078

Rep: Reputation: Disabled
If they aren't to know what happens, why are they in control of when it happens? Did you consider cron? No one knows what these scripts do, making it difficult to really provide a solution, mostly because scripts aren't meant to be both executable yet undecipherable by the same user. I really think you should consider remote execution.
ta0kira
 
Old 10-11-2008, 09:59 PM   #33
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,360

Rep: Reputation: 2751
The point is that if you set up sudo to ONLY RUN those scripts, they won't actually be able to read the src...
sudo does not mean having to give the users total root access, even though some people do that.
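
A sketch of the sudo-only setup this post describes, added here as an example and not taken from the thread: the script is owned by root with no group or other permission bits, and the sudoers rule names its exact path. The group `clerks`, the path `/usr/local/sbin/nightly-task.sh` and both helper functions are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread. Hypothetical names: group "clerks",
# script /usr/local/sbin/nightly-task.sh, and both helper functions.

# Print a sudoers rule letting members of GROUP run exactly one script as
# root. The trailing "" tells sudo to refuse any command-line arguments.
sudoers_rule() {        # usage: sudoers_rule GROUP /abs/path/to/script
    case "$2" in
        /*) ;;
        *)  echo "script path must be absolute" >&2; return 1 ;;
    esac
    printf '%%%s ALL=(root) %s ""\n' "$1" "$2"
}

# Check that a script is fit to expose through sudo: a regular file (not a
# symlink), owned by the expected uid (root by default), with no permission
# bits for group or other, so callers can neither read nor modify it.
audit_sudo_target() {   # usage: audit_sudo_target PATH [EXPECTED_UID]
    local path=$1 want_uid=${2:-0} uid mode
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "$path: not a regular file" >&2; return 1
    fi
    uid=$(stat -c '%u' "$path") || return 1     # GNU stat syntax
    mode=$(stat -c '%a' "$path") || return 1
    if [ "$uid" != "$want_uid" ]; then
        echo "$path: owned by uid $uid, expected $want_uid" >&2; return 1
    fi
    case "$mode" in
        *00) return 0 ;;                        # 700, 500: owner only
        *)   echo "$path: mode $mode lets group/other in" >&2; return 1 ;;
    esac
}

# Typical use as root (not run here):
#   audit_sudo_target /usr/local/sbin/nightly-task.sh &&
#   sudoers_rule clerks /usr/local/sbin/nightly-task.sh >/etc/sudoers.d/clerks &&
#   visudo -cf /etc/sudoers.d/clerks
sudoers_rule clerks /usr/local/sbin/nightly-task.sh   # prints the rule only
```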
 
Old 10-12-2008, 08:12 PM   #34
ta0kira
Senior Member
 
Registered: Sep 2004
Distribution: FreeBSD 9.1, Kubuntu 12.10
Posts: 3,078

Rep: Reputation: Disabled
You can restart the computer with a "live" CD or other bootable *nix CD and access the files, anyway. What I was asking was why is it the user chooses to run the script (by typing the command in) when they don't really know what it does? If it has an inherent immediacy then the user probably will know what it does, otherwise I don't see why it can't be done remotely or via cron.
ta0kira
 
Old 10-14-2008, 10:09 AM   #35
arunabh_biswas
Member
 
Registered: Jun 2006
Posts: 92

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by unSpawn View Post
I think you should be careful with posting just "drive by" statements. Possibly you haven't read the thread well enough? The OP was asked for the reasons why and stated that so this has nothing to do with OSS but with access restrictions. Obfuscation and Shc-like encryption are weak "solutions", this question has been asked (not that frequently but perfectly searchable in LQ) and the default answer for allowing unprivileged users access still is Sudo as stated before in this thread.

Thanks unSpawn for your reply,

My concern is (finally): what if I have 200 machines and various users are using those systems? I want users to run those scripts on a daily basis but not be able to view or edit the contents of the scripts. A few users have root privileges on their machines. I think SUDO will not work in this case. Also, it is not possible to copy and SUDO those scripts on each and every PC.

My only urge is whether anybody has a solution for this or not.

Thanks.

Waiting eagerly for the solution.
 
Old 10-14-2008, 03:12 PM   #36
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by arunabh_biswas View Post
Thanks unspawn for your reply
Sorry, my reply was directed at ciden.


Quote:
Originally Posted by arunabh_biswas View Post
My concern
It's highly inefficient to choose not to post full information in your OP.
 
Old 10-14-2008, 06:56 PM   #37
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,360

Rep: Reputation: 2751
Why won't sudo work? Please explain.

Do the scripts have to be run manually, can't you use cron?

If you don't want the scripts to exist on the target systems, you need ssh.
 
Old 10-15-2008, 01:42 AM   #38
vikas027
Senior Member
 
Registered: May 2007
Location: Sydney
Distribution: RHEL, CentOS, Ubuntu, Debian, OS X
Posts: 1,305

Rep: Reputation: 107

Quote:
Originally Posted by arunabh_biswas View Post
Dear Experts,

Greeting of The Day !!

I've created few shell scripts to perform administration tasks. I also distributed those scripts to my subordinates for their use.

1) I want everybody to be able to execute those scripts on their own (different) systems, but not to edit or view the code that I've written in those scripts. I've seen such kind of scripts somewhere with encrypted text inside.

2) I want to make scripts which contain coloured menus, lines, text etc. Please suggest a detailed procedure to do the same.

Thanks in Advance.
Hey, you can use the vi -x option on your script. It asks for a password every time you need to open it.
Also, it can only be viewed in "vi", not in cat/less/more.

It will be changed as in this example.
Code:
[root@eul1p3 vikas]# file OVO_Format.sh
OVO_Format.sh: Vim encrypted file data


Regards,
vIKAS

Last edited by vikas027; 10-15-2008 at 01:43 AM.
 
Old 10-15-2008, 04:48 AM   #39
arunabh_biswas
Member
 
Registered: Jun 2006
Posts: 92

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by chrism01 View Post
Why won't sudo work? Please explain.

Do the scripts have to be run manually, can't you use cron?

If you don't want the scripts to exist on the target systems, you need ssh.
Ans 1: As the users on other systems have root access, they have to run those scripts as the root user (now don't ask why they have root privilege and all that). As a root user, he can change the sudo settings, and the other thing is I have to SUDO on all the PCs. How is it possible to do that on 200 PCs?

Ans 2: Yes, the users will untar the script on their PCs and run them manually.
 
Old 10-15-2008, 07:16 PM   #40
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,360

Rep: Reputation: 2751
1. If they've got full root priv, there's no point in worrying about trying to hide stuff. They can do anything they want anyway...
2. To send a file to 200 pcs, generate a list and loop using scp. Ideally use auth-keys so you don't have to put passwords in the script. Otherwise, look at using the expect tool to control the scp loop.
Possibly also look at ssh-agent.
If you do this you could also add an ssh line to run the remote script once it's loaded.
Ideally of course you wouldn't be logging in as root remotely, but that's your option.
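
The scp-then-ssh loop suggested in this post, written out as an added example that is not part of the thread. The remote user `deploy`, the file names and the `push_and_run` helper are assumptions; authentication is expected to come from authorized keys or ssh-agent.

```shell
#!/bin/bash
# Added example, not from the thread. Hypothetical names: user "deploy",
# hosts.txt, task.sh. SCP and SSH can be overridden, e.g. for a dry run.
SCP=${SCP:-scp}
SSH=${SSH:-ssh}
REMOTE_USER=${REMOTE_USER:-deploy}
# BatchMode=yes: key or agent authentication only, never a prompt, so no
# password is stored in the script. StrictHostKeyChecking=yes refuses hosts
# whose keys are not already in known_hosts.
SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=10 -o StrictHostKeyChecking=yes"

# Copy SCRIPT to REMOTE_PATH on every host listed in HOSTS_FILE (one per
# line, blank lines and # comments skipped), then run it there.
# Sets PUSH_FAILED to the number of hosts that failed; returns 1 if any did.
push_and_run() {        # usage: push_and_run HOSTS_FILE SCRIPT REMOTE_PATH
    hosts_file=$1; script=$2; remote=$3; PUSH_FAILED=0
    while IFS= read -r host <&3; do
        case "$host" in
            ''|'#'*) continue ;;
            -*|*[!A-Za-z0-9._-]*)
                # Not a plain name or IPv4 address: never hand it to ssh.
                echo "SKIP invalid entry" >&2
                PUSH_FAILED=$((PUSH_FAILED + 1)); continue ;;
        esac
        # -p keeps the file mode, so a local chmod 700 carries over.
        if $SCP $SSH_OPTS -p "$script" "$REMOTE_USER@$host:$remote" </dev/null &&
           $SSH $SSH_OPTS "$REMOTE_USER@$host" "'$remote'" </dev/null
        then
            echo "ok   $host"
        else
            echo "FAIL $host" >&2
            PUSH_FAILED=$((PUSH_FAILED + 1))
        fi
    done 3<"$hosts_file"
    [ "$PUSH_FAILED" -eq 0 ]
}

# Typical use (not run here):  push_and_run hosts.txt ./task.sh bin/task.sh
```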
 
Old 10-16-2008, 03:33 AM   #41
arunabh_biswas
Member
 
Registered: Jun 2006
Posts: 92

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by chrism01 View Post
1. If they've got full root priv, there's no point in worrying about trying to hide stuff. They can do anything they want anyway...
2. To send a file to 200 pcs, generate a list and loop using scp. Ideally use auth-keys so you don't have to put passwords in the script. Otherwise, look at using the expect tool to control the scp loop.
Possibly also look at ssh-agent.
If you do this you could also add an ssh line to run the remote script once it's loaded.
Ideally of course you wouldn't be logging in as root remotely, but that's your option.
Thanks for your reply..

I'll simplify it more...

1) Users have root privileges on their systems but they are not expert enough to do this SUDO or unencryption tasks. I just want them to execute those scripts. When they try to vi or cat or more or less those scripts, they can see the contents or even though they can see it should be visible in encoded text so that they don't edit/know the codes.
That's it.
 
Old 10-28-2008, 12:34 AM   #42
kram2593
LQ Newbie
 
Registered: Sep 2008
Location: Carmel, NY USA
Posts: 5

Rep: Reputation: 0
Shell scripts

Why not just put it on as a cron job? Or create a local shell script that calls another using at or batch. That way they won't have direct access to the script.

##########
You could complicate it more... have them run a local script that creates a "flag file" in a 'watched' directory

You as root have a cron that runs checking for that "flag file"

Once detected, your secret shell runs, and the flag is deleted at the end of the shell, then use sendmail to let them know the result
##########

Last edited by kram2593; 10-28-2008 at 12:57 AM.
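
The flag-file scheme from this post as a root cron job, added here as an example that is not part of the thread. All paths and the `process_flags` helper are assumptions, and the result is written to a log rather than mailed.

```shell
#!/bin/bash
# Added example, not from the thread. Hypothetical paths: /var/spool/runreq
# (watched directory, writable by the users), /root/bin/secret-task.sh
# (readable by root only), /var/log/runreq.log. Run from root's crontab:
#   * * * * * /root/bin/watch-flags.sh

# A flag file is only a trigger: its name says who asked, and its contents
# are never read or executed. Prints the number of jobs that were started.
process_flags() {       # usage: process_flags WATCH_DIR JOB LOG
    watch_dir=$1; job=$2; log=$3; ran=0
    for flag in "$watch_dir"/*.request; do
        [ -e "$flag" ] || [ -L "$flag" ] || continue   # glob matched nothing
        name=$(basename "$flag" .request)
        case "$name" in
            ''|*[!A-Za-z0-9_-]*) bad=1 ;;
            *) bad=0 ;;
        esac
        # Symlinks, non-files and odd names planted in the user-writable
        # directory are removed and logged without echoing the name.
        if [ "$bad" -eq 1 ] || [ -L "$flag" ] || [ ! -f "$flag" ]; then
            rm -f -- "$flag"
            echo "$(date '+%F %T') rejected one entry" >>"$log"
            continue
        fi
        # The post deletes the flag at the end; deleting it before the job
        # starts keeps the next cron tick from re-running a slow job.
        rm -f -- "$flag"
        if "$job" >>"$log" 2>&1; then status=ok; else status=failed; fi
        echo "$(date '+%F %T') request=$name status=$status" >>"$log"
        ran=$((ran + 1))
    done
    echo "$ran"
}

if [ -d /var/spool/runreq ]; then
    process_flags /var/spool/runreq /root/bin/secret-task.sh /var/log/runreq.log
fi
```

Only the watched directory needs to be writable by the requesting users; the job script and the log stay in root-only locations.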
 
  

