inconsistency on read/execute permissions for shell procedures

Robert Elz kre at ucbvax.ARPA
Sun Jul 7 17:47:23 AEST 1985


In article <264 at tove.UUCP>, steve at tove.UUCP (Steve D. Miller) writes:
> In article <761 at wanginst.UUCP> gill at wanginst.UUCP (Timothy Gill) writes:
> >All of the UNIX documentation I read states that programs and other
> >executable files (shell procedures) are equivalent....
> >                             ......  For a shell procedure to run for
> >those users, there must also be read permission on the file:
> >
> >This is clearly inconsistent. ...
> 
>    I admit that it's inconvenient; maybe someone else has a better
> workaround than the one I use (I rewrite it in C).
> -- 

On 4.2, you can create a new (not used for anything else) group,
and make the shell script setgid to that group (it must be a #!
type shell script).  Then make its permissions be 2751.  (Setgid,
rwx to the owner, rx to the group, and x only to the rest of the
world (everyone bar the owner, as by construction, there is no-one
in the group))

Then the shell will start up in the group of the script, and be
able to open it.  If the process running the script was also
setgid (to a different group) you lose, but apart from that
this works.  (The process remains in all the groups that it was
in, so doesn't lose permission to access any files, and groups
are used for nothing else (file creation group is inherited from
the parent directory))

All set[ug]id shell scripts have security problems, but here
you have nothing much to lose.  All a security cracker here
can get is access to the new group, and all that enables him
to do is read the shell script (or scripts) - which without
this hack he must be able to do to execute them.  So, don't
rely on this to protect secret data in the scripts, but if
all you want is to stop people prying into your horrible sh
(or worse, csh) coding techniques, then it will serve.

This can't work on SysV, as groups are used for file creation,
and there is no such thing as a setgid sh script anyway.

Robert Elz

ps: On 4.3 the '-b' flag must be included on the #! line for the shell.
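To make the two permission checks behind the 2751 trick explicit, here is an added example (not part of the original thread): a small Python model of the classic UNIX access check, run against mode 0751 and 02751 with constructed uids and gids (the owner, the empty dedicated group and the caller's groups are all made up for the illustration).

```python
# Added example (not from the original post): a model of the classic UNIX
# access check, used to show why mode 2751 on a #! script lets a user who is
# not in the script's group execute it, while 0751 alone does not.
from typing import FrozenSet, NamedTuple

R, W, X = 4, 2, 1
S_ISGID = 0o2000

class Cred(NamedTuple):
    uid: int
    gid: int                 # effective gid
    groups: FrozenSet[int]   # supplementary groups (4.2 keeps all of them)

class File(NamedTuple):
    uid: int
    gid: int
    mode: int                # e.g. 0o2751

def permitted(cred, f, want):
    """Owner bits if the caller owns the file, else group bits if the
    effective or any supplementary gid matches, else the 'other' bits."""
    if cred.uid == f.uid:
        bits = (f.mode >> 6) & 7
    elif f.gid == cred.gid or f.gid in cred.groups:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bits & want == want

def run_script(cred, script):
    """Invoking a #! script involves two checks: the kernel checks execute
    permission with the caller's credentials, then the interpreter (running
    with the script's gid if the setgid bit is set) must open it for reading."""
    if not permitted(cred, script, X):
        return "exec denied"
    interp = cred._replace(gid=script.gid) if script.mode & S_ISGID else cred
    if not permitted(interp, script, R):
        return "interpreter cannot read script"
    return "ok"

# Constructed sample: owner uid 100, dedicated group gid 500 with no members;
# the caller (uid 200) belongs to groups 20 and 30 only.
OWNER, SCRIPT_GRP = 100, 500
caller = Cred(uid=200, gid=20, groups=frozenset({20, 30}))
plain = File(OWNER, SCRIPT_GRP, 0o751)     # rwxr-x--x: x only for others
setgid = File(OWNER, SCRIPT_GRP, 0o2751)   # same bits plus setgid to the empty group

if __name__ == "__main__":
    print("0751 :", run_script(caller, plain))    # interpreter cannot read script
    print("2751 :", run_script(caller, setgid))   # ok
```

The model also shows the limit the post states: the setgid bit only grants the interpreter read access to the script, nothing else, so the script's contents are exactly what a holder of the new group can see.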