Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Allowing users to execute shell scripts without seeing password

Re: Allowing users to execute shell scripts without seeing password

From: Michael Haddon <m.haddon_at_comcast.net>
Date: Sat, 18 Feb 2006 09:50:25 -0600
Message-ID: <43F74241.20208@comcast.net> 




  


Just for my .02 - The setuid bit sets the effective userid of the user
calling the program to the user/group that owns the program. During the
course of execution the program can accomplish any task, good or evil,
that the owner can do.



For example, the example posted below by Joseph. The example shows the
program tmp.ksh is owned by 'oracle' and belongs to group 'dba'.



If the calling user can cause the script/program to core dump or quit
abnormally there used to be a very strong chance that the effective
userid of the calling user would still be 'oracle'. This showed up
years and years, (late 80's, early 90's), ago with the 'at' command in
some pre SysVR4 systems. If you could core dump the at command while it
was running, you were root.



Now, today, most programs and shells have specific signal handling code
for this, but, you have to treat the command as sensitive at minimum.



Mike



Joseph Amalraj wrote:


  
Security concerns ? Mark, please elaborate.

  
 

  
Thanks

  

  "Bobak, Mark" <Mark.Bobak@il.proquest.com>
wrote:

  

    
Interesting....I can confirm
that it works on Sparc-Solaris 9.

    
 

    
I thought suid shell scripts
were a thing of the past, due to security concerns.  Seems they still
work.....

    
 

    
-Mark

    
 


    
-- 

    Mark J. Bobak 

    Senior Oracle Architect
    

    ProQuest Information & Learning 

    
"Exception:  Some dividends
may be reported as qualified dividends but are not qualified
dividends.  These include: 

    
? Dividends you received on
any share of stock that you held for less than 61 days during the
121-day period that began 60 days before the ex-dividend date.&
nbsp; The ex-dividend date is the first date following the declaration
of a dividend on which the purchaser of a stock is not entitled to
receive the next dividend payment. When counting the number of days you
held the stock, include the day you disposed of the stock but not the
day you acquired it. See the examples below. Also, when counting the
number of days you held the stock, you cannot count certain days during
which your risk of loss was diminished.  See Pub. 550 for more details.?

    
  --IRS, Form 1040-A
Instruction Booklet, Line 9b:  Qualified Dividends 

    
 

    

    

    
 From:
    oracle-l-bounce@freelists.org
[mailto:oracle-l-bounce@freelists.org]
    On
Behalf Of Joseph Amalraj

    Sent: Friday, February 17, 2006 5:04 PM

    To: oracle-l@freelists.org

    Subject:  RE: Allowing users to execute shell scripts
without seeing password

    

    

    
I think this is plaform dependent.

    
 

    
On HP-UX  i created a file under user "oracle" tmp.ksh

    
> cat tmp.ksh

#!/usr/bin/ksh

date

    

    
then ran

    
chmod 7711 tmp.ksh

    

    
> ls -l tmp.ksh

-rws--s--x   1 oracle     dba             20 Feb 17 16:51 tmp.ksh

    

    
From another user I ran

    
 $ /opt/oracle/tmp.ksh

Fri Feb 17 16:57:06 EST 2006

    

    
Saving the file using "vi" resets the mode setuid bit.

    
 

    
So it has to be set again

    
 

    
 

    
This doesn't work in AIX

    
 

    
Regards

    
 

    
Joseph

    
 

    
 

    


    

    < I>Ken Naim <kennaim@gmail.com>
wrote:

    
I
am probably not be reading enough into the question, but here are my 2

cents; just set permission to execute only with no read or write access.

      

Ken Naim 

      

-----Original Message-----

From: oracle-l-bounce@freelists.org
[mailto:oracle-l-bounce@freelists.org]

On Behalf Of Radoulov, Dimitre

Sent: Friday, February 17, 2006 12:36 PM

To: oracle-l@freelists.org

Subject: Re: Allowing users to execute shell scripts without seeing
password

      

Got error, trying to resend ...

      

> I've been trying to figure out a way that I can have my users
allowed 

> to login to the server (HP-UX) with their own account and run a
shell 

> script that's owned my me ...

> but I don't want them to be able to see the password.

> I had no luck just granting them execute on the shell script, t
hey had 

> to have read priviledges in order to execute it apparently.

> Any suggestions??

      

As suggested on comp.unix shell you can use shell script compiler.

      

You can try Francisco Javier Rosales Garcí¡¦#39;s shc:

      

Home page:

      http://www.datsi.fi.upm.es/~frosal/

      

Download link:

      http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.3.tgz

      

      

      

Regards,

Dimitre

      

--

      http://www.freelists.org/webpage/oracle-l

      

      

--

      http://www.freelists.org/webpage/oracle-l

      

      

    

    


    

  

  


  






--
http://www.freelists.org/webpage/oracle-l
Received on Sat Feb 18 2006 - 09:50:25 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US