HPE Community
Operating System - HP-UX
1834107 Members
2252 Online
110063 Solutions
New Discussion

Re: su within a ksh script?

 
Tom Chapel
Occasional Contributor

‎01-27-2000 07:57 AM

‎01-27-2000 07:57 AM

su within a ksh script?

Is there a way to use the switch users (su) command within a shell script?

I would like to allow regular users database access under the very-controlled
script environment without allowing them this access outside of the script. If
I could switch users back & forth within the script, I could provide this
limited service.

Thanks for your help.
0 Kudos
Reply
6 REPLIES 6
Dan Hull
Regular Advisor

‎01-27-2000 08:43 AM

‎01-27-2000 08:43 AM

Re: su within a ksh script?

It is not recommended that you use su inside a script because it can cause
unpredictable results. Some people do it and never report problems, but most of
the problems I've seen were related to database access.

Instead, consider using a compiled program with the appropriate access rights
that the users can execute. This way they can't do anything the script wasn't
written to do.

If you can't write a program to do it, you can use a script with the setuid bit
set. This will allow users to run the script, which will then execute as if it
were being run by the owner of the script itself.

This can lead to a security risk though, because anyone who can edit the script
or otherwise manipulate things could potentially gain unexpected access. This
would have to be done on purpose by the user, of course, and shouldn't happen
by accident.

For more info, see the man page for "chmod" and read about the "s" bit (mode
4000, or u+s).
0 Kudos
Reply
Tom Chapel
Occasional Contributor

‎01-28-2000 01:01 AM

‎01-28-2000 01:01 AM

Re: su within a ksh script?

Still unable to solve the problem. I tried the chmod u+s suggestion with the
following results:

Here's a look at the small test script. To be able to properly execute the
real script any user that runs it must assume the user id of user1.
[user2] /usr/local/bin> more test1.scr
id
exit
test1.scr: END

With normal permissions, the script returns the current uid 202(user2).
[user2] /usr/local/bin> ll test1.scr
-rwxr-xr-x 1 user1 users 8 Jan 28 09:30 test1.scr
[user2] /usr/local/bin> test1.scr
uid=202(user2) gid=20(users)

After chmod u+s, but with the same results.
[user2] /usr/local/bin> ll test1.scr
-rwsr-xr-x 1 user1 users 8 Jan 28 09:30 test1.scr
[user2] /usr/local/bin> test1.scr
uid=202(user2) gid=20(users)

For kicks I tried chmod 4000.....
[user2] /usr/local/bin> ll test1.scr
---S------ 1 user1 users 8 Jan 28 09:30 test1.scr
[user2] /usr/local/bin> test1.scr
ksh: test1.scr: cannot execute

Here's the needed results...but using su on screen.
[user2] /usr/local/bin> su user1
Password:
[user2] /usr/local/bin> test1.scr
uid=201(user1) gid=20(users)

I'm even willing to try the (not recommended) su inside the script, if it has a
possibility of working. I just need to know how to do it.
Any other ideas out there?

Thanks again for your help.
0 Kudos
Reply
Dan Hull
Regular Advisor

‎01-31-2000 08:52 AM

‎01-31-2000 08:52 AM

Re: su within a ksh script?

I see what you mean. I haven't tested this, but I don't
think using the SUID will return the GID you are looking for. What it does is
allow the script to run stuff as if it had the same permissions it would have
if launched by the owner of the script. If your goal is to allow users access
to something they can't run manually, then you should be set. If you actually
need the "id" command to return a specific value, I don't know what you'll need
to do.

Note that the large "S" after your chmod 4000 indicates that there is no "x"
under it, so execute permission is denied.
0 Kudos
Reply
Doug Van tol
Occasional Contributor

‎02-01-2000 03:52 AM

‎02-01-2000 03:52 AM

Re: su within a ksh script?

I have used the "sticky" bit to allow users to execute a script as if they were
superuser. Place all the commands you would like run in the script, the use:
chown root:sys filename (or appropriate values) then I prefer to use chmod 4711
filename. This will give the user the ability to execute the script as if they
were su, but will disallow read/write access to all but the su. I've used this
method, to allow the average user the ability to reboot the system. Hopefully
this helps.

Doug
0 Kudos
Reply
Dan Hull
Regular Advisor

‎02-01-2000 09:03 AM

‎02-01-2000 09:03 AM

Re: su within a ksh script?

FYI - What you are talking about is called the SUID bit, not the "sticky" bit.

The sticky bit is a different bit (the last one) and is used to tell the system
to keep the program "stuck" in memory after the first time it is executed.
That's where it gets its name! It's also known as the "save-text-image on file
execution" bit.

There's also a SET-Group-ID bit. More info on these bits can be found in the
man page for CHMOD(1) under the section "Miscellaneous mode bits".
0 Kudos
Reply
Tom Chapel
Occasional Contributor

‎02-03-2000 07:40 AM

‎02-03-2000 07:40 AM

Re: su within a ksh script?

To Dan & Doug: Thanks for your ideas, but none work for my needs, leaving me
with only the actual su command within the script. Dan, you mentioned in your
first reply "It is not recommended that you use su inside a script because it
can cause unpredictable results". I would like to test using the su command
inside my script, but simply don't know how to implement it.

How do you answer a prompt and press the enter key within a script? (Using su
online forces you to type the password, then press enter).

Thanks again for your thoughts.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.