HPE Community
Operating System - HP-UX
1833756 Members
2547 Online
110063 Solutions
New Discussion

Disable ability to run a shell script

 
SOLVED
Go to solution
Don Bentz
Regular Advisor

‎03-30-2005 07:05 AM

‎03-30-2005 07:05 AM

Disable ability to run a shell script

aside from the obvious permissions solution for individual script files, is there a way to simply prevent persons outside a given group from executing a script from the command line? I realize that there are many programs (ll, cp, mv) that need to be utilized by just about anybody on the system, but I am trying to find a way to secure certain shell scripts. We would like to be able to keep people (i.e., developers) from "launching" a production script in a similar fashion as other environments (i.e., IBM Mainframes).
Insecurity is our friend. It keeps you dependent.
0 Kudos
7 REPLIES 7
Rodney Hills
Honored Contributor

‎03-30-2005 07:10 AM

‎03-30-2005 07:10 AM

Re: Disable ability to run a shell script

At our site production users are a member of one group, and developers another. Then the production files only have group write access to the production users. A developer is not able to directly update the production data files.

HTH

-- Rod Hills
There be dragons...
0 Kudos
Biswajit Tripathy
Honored Contributor

‎03-30-2005 07:17 AM

‎03-30-2005 07:17 AM

Re: Disable ability to run a shell script

You could add few lines at the beginning of the
script to decide. Something like:

grp_id=$(id -g)
# Assuming 20 is the group id of the group
# you want to give execute permission
if [ $grp_id -ne 20 ]
then
echo "Sorry, no permission"
fi

- Biswajit
:-)
0 Kudos
Don Bentz
Regular Advisor

‎03-30-2005 07:20 AM

‎03-30-2005 07:20 AM

Re: Disable ability to run a shell script

Actually what I am referring to has to do with maintaining a legitimate "change control" method, i.e., the developer "logs out" a program, makes modifications and then has the "production group" move it back to production. I'm not sure what I can do to prevent the developer, after having made those modifications from "submitting" this script.
Insecurity is our friend. It keeps you dependent.
0 Kudos
TwoProc
Honored Contributor

‎03-30-2005 07:21 AM

‎03-30-2005 07:21 AM

Re: Disable ability to run a shell script

I can think of three ways:
A) permissions to the file
B) Check permisssions in the program itself - like the previous posting. I like this one, and if you add in some trap statements, it works well.
C) Create a new user that can run the selected processes - and give access to these commands via sudo. I've used this on too, and like it for secure processes.
We are the people our parents warned us about --Jimmy Buffett
0 Kudos
Bill Hassell
Honored Contributor

‎03-30-2005 08:14 AM

‎03-30-2005 08:14 AM

Solution

Re: Disable ability to run a shell script

What you're describing is the classic sourcecode control system and this cannot be solved with permissions. You need a reference library where code is checked-out and checked-in, along with tracked code changes (what and by whom). The classic (but tedious) Unix method is SCCS (man sccs) but I suspect that developers may not always play by the rules (that's already apparent). I assume that the production servers are immune from casual developer changes (they are, right???). If development occurs on the same machine, perhaps it would be interesting to develop a cost associated with mistakes due to lack of sourcecode controls. Then look at some commercial solutions.


Bill Hassell, sysadmin
0 Kudos
Don Bentz
Regular Advisor

‎03-30-2005 08:17 AM

‎03-30-2005 08:17 AM

Re: Disable ability to run a shell script

Well, that's what I wanted to know, or more correctly, what I suspected. Thanks, everybody.
Insecurity is our friend. It keeps you dependent.
0 Kudos
Don Bentz
Regular Advisor

‎03-30-2005 08:21 AM

‎03-30-2005 08:21 AM

Re: Disable ability to run a shell script

Whoops, thanks again.
Insecurity is our friend. It keeps you dependent.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.