LeRoy Cressy on Sun, 4 Nov 2001 20:50:26 +0100



Re: [PLUG] [linux] Shell script madness (fwd)


"Arthur S. Alexion" wrote:
> 
> Could someone on this list please help?  Jim has helped me considerably
> on the other list.
> 
> art
> 
> --- begin forwarded text
> 
> From: Jim Garrison <jimg@legalcs.com>
> To: "Linux use in the law office" <linux@lists.elder-law.com>
> Subject: [linux] Shell script madness
> Date: Thu, 1 Nov 2001 22:53:17 -0700
> 
> I'm sure that this is Bash 101, but it's making me crazy.
> 
> I have a shell script to start up Chrony, the clock-align utility.
> The script is pretty simple:
> 
> #! /bin/bash
> cat <<EOF | /usr/local/bin/chronyc
> password blablabla
> online
> EOF
> 
> "blablabla" is the root password. "chronyc" (the client) requires
> root privileges in its communications with "chronyd" (the daemon).
> 
> That's all good and fine.
> 
> My madness is trying to make this script secure. No-one but su should
> be able to read it. Otherwise the root password will be wide open to
> prying eyes. The script is owned by root, is assigned to the "users"
> group, and has its permissions set at 750 (rwx r-x ---). Works fine
> there. But that gives read privileges to users. So I try setting
> permissions at 710 (rwx --x ---) so that the group only has execution
> privileges. This results in "permission denied".
> 
> Shouldn't execute privileges be enough to run the script? Why does it
> require read privileges? What do I do to secure it so that it is
> executable by the "users" group while only being readable by root?
> 
> BTW, the script is in /usr/local/bin.
> 
In order to execute a script you have to be able to read the script.

Possible solutions:
set permissions to 700
run the script from the root crontab, and bury it in a directory which
only root is able to read.  Directory permissions 700

This will prevent anyone from even seeing the file without knowing the
filename.

It is still bad policy to put an unencrypted password in a shell script
even if it is hidden.

I've never tried this, but it might be possible to read the /etc/shadow
encrypted passwords for user ID 0 using the decryption method that login or
passwd uses.  Maybe looking at the source of these two utilities might
prove useful.  Then you would have to put the root password in the
script.  You probably would have to make a utility in C to do this with
no user input.

> - Jim
> 
> James V. Garrison, Esq.
> Legal Computing Services
> P.O. Box 728
> Pleasant Grove, UT 84062-0728
> jimg@legalcs.com
> 
> --- end forwarded text
> ____________________________________
> Art Alexion
> Arthur S. Alexion LLC
> ----------------
> 215-884-5828
> ----------------
> arthur @alexion.com
> www.alexion.com
> 
> ______________________________________________________________________
> Philadelphia Linux Users Group       -      http://www.phillylinux.org
> Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
> General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug

-- 
Rev. LeRoy D. Cressy   mailto:lcressy@telocity.com   /\_/\
                       http://www.netaxs.com/~ldc   ( o.o )
                       Phone:  215-535-4037          > ^ <

Jesus saith unto him, I am the way, the truth, and the life: 
no man cometh unto the Father, but by me. (John 14:6)
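The behaviour Jim ran into and the layout LeRoy suggests, as an added example that is not part of either message: a POSIX shell script that builds a 0700 directory holding the script, audits that nothing in it is group- or world-accessible, and shows why mode 710 fails. The kernel needs only the execute bit to exec the file, but what it actually execs is the interpreter named on the #! line, and that interpreter then opens the script for reading as the invoking user, which is where "permission denied" comes from; root skips that check via CAP_DAC_OVERRIDE, so the demo reports which case applied rather than assuming one. /bin/cat stands in for /usr/local/bin/chronyc and the password line is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original posts. Builds the owner-only layout
# recommended in the reply, audits it, and demonstrates that an execute-only
# script cannot be run by an unprivileged user.

# Create a 0700 directory containing a 0700 copy of Jim's script.
# The password line is a constructed placeholder; /bin/cat stands in for
# /usr/local/bin/chronyc so the example runs anywhere.
setup_private_dir() {
    dir="$1"
    mkdir -p "$dir" && chmod 700 "$dir"
    cat > "$dir/chrony-online.sh" <<'EOF'
#!/bin/sh
cat <<COMMANDS | /bin/cat
password blablabla
online
COMMANDS
EOF
    chmod 700 "$dir/chrony-online.sh"
}

# Print a file's mode in octal (GNU stat first, BSD stat as a fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 only if the directory and every entry in it is owner-only
# (0700 or 0600); anything group- or world-accessible is reported.
check_private() {
    for f in "$1" "$1"/*; do
        case "$(mode_of "$f")" in
            700|600) ;;
            *) echo "too open: $f mode $(mode_of "$f")" >&2; return 1 ;;
        esac
    done
    return 0
}

# Write a script with mode 0100 (execute only, no read) and try to run it.
# For a normal user the kernel execs /bin/sh, which must open the script
# for reading and gets EACCES ("Permission denied"). Root bypasses that
# discretionary check (CAP_DAC_OVERRIDE), so the result is reported, not
# assumed: prints "denied" or "ran".
try_exec_only() {
    f="$1/exec-only.sh"
    printf '#!/bin/sh\necho ran\n' > "$f"
    chmod 100 "$f"
    if out=$("$f" 2>/dev/null) && [ "$out" = ran ]; then
        echo ran
    else
        echo denied
    fi
}

demo() {
    tmp=$(mktemp -d)
    setup_private_dir "$tmp/chrony"
    check_private "$tmp/chrony" && echo "layout ok: $tmp/chrony"
    # Run the script through sh explicitly so a noexec /tmp does not matter.
    sh "$tmp/chrony/chrony-online.sh"
    echo "execute-only script as uid $(id -u): $(try_exec_only "$tmp")"
    rm -rf "$tmp"
}

demo
```

The audit only looks at mode bits; if the directory is meant to be root's, also confirm ownership (`stat -c '%U'`), since a 0700 directory owned by someone else protects nothing from that user. Note that this hides the password from other local users but, as the reply says, it is still sitting in cleartext on disk.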

