Allowing file changes only by a particular program.

Daedelus (Technical User), Aug 14, 2002
I am trying to set up a database program so that the only way to change the database is through my program. I thought I had the answer in using the "set user ID to file owner" capacity of chmod ("chmod u+s"). It sounds to me from the description I have that when this is set on the program and anyone runs it, it will run as if I were the user and can write to a file for which only I have write access. Unfortunately, when I have tried to set this up, it does not work. Other users cannot access my file. Can anyone tell me what I am doing wrong, or suggest another method of not allowing access to a file except by a particular program?
Here is a complete description of a test I did of this:
1) Created a file "temp" with junk content.
2) Entered "chmod a-r temp", and then "chmod u+r temp", to make sure only I could read the file.
3) Created a script "tst" with one line: "cat (path)/temp" (path being the complete path to the file).
4) Entered "chmod a+x tst" and "chmod a+s tst".
5) Ran "tst" to confirm that it would display the contents of "temp" for me.
6) I asked another member of my group to run (path)/tst.
7) The results for him were:
cat: cannot open (path)/temp

Any ideas?
 
I just did the test you describe.
It does not work if I do not put
#!/bin/sh
as the first line of the script.
If I add this line, it works.

Though I do not know why. Does someone have the answer?

I think it is a problem with the default interpreter.
 
I just tried adding
#!/bin/sh
as the first line, but it still is not working for me. The standard shell here is a version of the Korn shell, by the way.
 
Many implementations of unix do not observe suid bits on shell scripts.
 
So for security reasons, I CAN'T secure my database?
Well, thanks anyway to both of you.
Since I have now tried every shell available to me, and they all fail, does anyone have any suggestions on alternative ways to restrict access to a file to a single program?
 
It's roundabout, but yes. Use sudo. You'll have to write a couple of layers of scripting around the whole mess, but it can be done (done it several times), and it will be more secure than using suid bits.
 
What is sudo? There is no documentation for it on this system, and my unix reference manual (called UNIX COMPLETE, but I have come to believe a typo left "IN" off the front of the second word) does not mention it either. It may not be implemented on this system, though I have not looked into all the possible hiding places yet.
 
If "which sudo" doesn't find it, you'll have to install it (assuming you're the sysadmin). If not, you're running out of luck. The "desperation" method is to write a C wrapper; you should be able to flag that suid, since the compiled version is a true binary instead of a shell script.
 
I was afraid of that. I'm about as far from a sysadmin as you can get. I'm just the guy in my group who writes quick unix scripts to solve problems for which we don't want to wait several months until the programmers can get to it. Thanks for all your help though.
 
Get Sudo at


But I'm not sure that's what you're after. If you want to restrict access to a file, just do the following:

create a new group using the groupadd command
add users to the group
use chmod to allow rwx for the group on your file
use chown to set yourname:groupname yourfile

Now anyone in that group should be able to make the changes

Mike

--
| Mike Nixon
| Unix Admin
| ----------------------------
 
It's not a good idea to run setuid shells (a C program is better).
try: cat >the-dirty-file

#!/bin/sh -p
# only this numeric uid may run the job; everyone else is turned away
allowedid=1234
# /bin/id prints "uid=1234(name) gid=..."; match the uid field exactly
case `/bin/id` in
  *"uid=$allowedid("*) ;;
  *) exit 1 ;;
esac

### do the job
exit 0
^D
you need read and exec permission
chown 0 the-dirty-file
chmod [64]755 the-dirty-file, 6 for grp, 4 for usr
 