topic su within a ksh script? in Operating System - HP-UX

su within a ksh script?

Tom Chapel — Thu, 27 Jan 2000 15:57:33 GMT

Is there a way to use the switch users (su) command within a shell script?

I would like to allow regular users database access under the very-controlled
script environment without allowing them this access outside of the script. If
I could switch users back & forth within the script, I could provide this
limited service.

Thanks for your help.

Re: su within a ksh script?

Dan Hull — Thu, 27 Jan 2000 16:43:02 GMT

It is not recommended that you use su inside a script because it can cause
unpredictable results. Some people do it and never report problems, but most of
the problems I've seen were related to database access.

Instead, consider using a compiled program with the appropriate access rights
that the users can execute. This way they can't do anything the script wasn't
written to do.

If you can't write a program to do it, you can use a script with the setuid bit
set. This will allow users to run the script, which will then execute as if it
were being run by the owner of the script itself.

This can lead to a security risk though, because anyone who can edit the script
or otherwise manipulate things could potentially gain unexpected access. This
would have to be done on purpose by the user, of course, and shouldn't happen
by accident.

For more info, see the man page for "chmod" and read about the "s" bit (mode
4000, or u+s).

Re: su within a ksh script?

Tom Chapel — Fri, 28 Jan 2000 09:01:36 GMT

Still unable to solve the problem. I tried the chmod u+s suggestion with the
following results:

Here's a look at the small test script. To be able to properly execute the
real script any user that runs it must assume the user id of user1.
[user2] /usr/local/bin> more test1.scr
id
exit
test1.scr: END

With normal permissions, the script returns the current uid 202(user2).
[user2] /usr/local/bin> ll test1.scr
-rwxr-xr-x 1 user1 users 8 Jan 28 09:30 test1.scr
[user2] /usr/local/bin> test1.scr
uid=202(user2) gid=20(users)

After chmod u+s, but with the same results.
[user2] /usr/local/bin> ll test1.scr
-rwsr-xr-x 1 user1 users 8 Jan 28 09:30 test1.scr
[user2] /usr/local/bin> test1.scr
uid=202(user2) gid=20(users)

For kicks I tried chmod 4000.....
[user2] /usr/local/bin> ll test1.scr
---S------ 1 user1 users 8 Jan 28 09:30 test1.scr
[user2] /usr/local/bin> test1.scr
ksh: test1.scr: cannot execute

Here's the needed results...but using su on screen.
[user2] /usr/local/bin> su user1
Password:
[user2] /usr/local/bin> test1.scr
uid=201(user1) gid=20(users)

I'm even willing to try the (not recommended) su inside the script, if it has a
possibility of working. I just need to know how to do it.
Any other ideas out there?

Thanks again for your help.

Re: su within a ksh script?

Dan Hull — Mon, 31 Jan 2000 16:52:13 GMT

I see what you mean. I haven't tested this, but I don't
think using the SUID will return the GID you are looking for. What it does is
allow the script to run stuff as if it had the same permissions it would have
if launched by the owner of the script. If your goal is to allow users access
to something they can't run manually, then you should be set. If you actually
need the "id" command to return a specific value, I don't know what you'll need
to do.

Note that the large "S" after your chmod 4000 indicates that there is no "x"
under it, so execute permission is denied.

Re: su within a ksh script?

Doug Van tol — Tue, 01 Feb 2000 11:52:40 GMT

I have used the "sticky" bit to allow users to execute a script as if they were
superuser. Place all the commands you would like run in the script, the use:
chown root:sys filename (or appropriate values) then I prefer to use chmod 4711
filename. This will give the user the ability to execute the script as if they
were su, but will disallow read/write access to all but the su. I've used this
method, to allow the average user the ability to reboot the system. Hopefully
this helps.

Doug

Re: su within a ksh script?

Dan Hull — Tue, 01 Feb 2000 17:03:13 GMT

FYI - What you are talking about is called the SUID bit, not the "sticky" bit.

The sticky bit is a different bit (the last one) and is used to tell the system
to keep the program "stuck" in memory after the first time it is executed.
That's where it gets its name! It's also known as the "save-text-image on file
execution" bit.

There's also a SET-Group-ID bit. More info on these bits can be found in the
man page for CHMOD(1) under the section "Miscellaneous mode bits".

Re: su within a ksh script?

Tom Chapel — Thu, 03 Feb 2000 15:40:51 GMT

To Dan & Doug: Thanks for your ideas, but none work for my needs, leaving me
with only the actual su command within the script. Dan, you mentioned in your
first reply "It is not recommended that you use su inside a script because it
can cause unpredictable results". I would like to test using the su command
inside my script, but simply don't know how to implement it.

How do you answer a prompt and press the enter key within a script? (Using su
online forces you to type the password, then press enter).

Thanks again for your thoughts.