Password protect a file/directory

Things like pgp are very nice in terms of cryptography, and going through some manuals, I will now gladly use such tools for their purpose. But what if you don't want to encrypt a file, but set a password? For example, during some package/port installation, calling for a system script which is protected this way would prompt for a secret phrase. Also, calling this script from the command line as well as any similar actions would all require the password, and maybe also accept it only from a certain user/group (somewhat reminds me of insecure ttys settings, so definitely possible to realize). Any possibilities to implement it on FreeBSD? I myself wasn't able to find this exact tool/utility over the Internet (not talking about http access of course).
 
No, that's not possible. You can however set permissions and only allow certain users or groups access.
 
You're basically already using it. When installing packages, it needs to be done as root. A 'regular' user doesn't have the correct privileges. That's why you use su(1) or sudo(8), type the password and continue.
 
This is certainly possible. The question is how easy it is to implement. You can write a suid program that asks for a password and performs the action if the password is correct. That's exactly what su(1) does. That said, it does seem that it is possible to implement what you say with the help of sudo(1). Give your user the permission to execute your launcher script (this script should have 0700 permission and be owned by root):

Code:
#! /usr/local/bin/bash
read -p "Enter your password: " pass
if [ "$pass" == "very-secret-password" ] ; then
   echo "Password correct"
 
Sorry my previous message is incomplete, I have made an error. Here is the sequel:

Code:
#! /usr/local/bin/bash
read -p "Enter your password: " pass
if [ "$pass" == "very-secret-password" ] ; then
  echo "Password correct"
  pkg_add -r ............
else
  echo "Password incorrect"
  exit 1
fi

While I do see obvious security holes if sudo(1) is correctly configured (in particular regarding the environment variables), I would be careful if security is really important. Fast custom scripts are generally easy to attack.
 
diolu said:
Sorry my previous message is incomplete, I have made an error. Here is the sequel:

Code:
#! /usr/local/bin/bash
read -p "Enter your password: " pass
if [ "$pass" == "very-secret-password" ] ; then
  echo "Password correct"
  pkg_add -r ............
else
  echo "Password incorrect"
  exit 1
fi

While I do see obvious security holes if sudo is correctly configured (in particular regarding the environment variables), I would be careful if security is really important. Fast custom scripts are generally easy to attack.

Is setuid working for scripts? I thought it was working only for binaries. And besides, making the script with permission 0700 will make any user but root be able to execute it.
I guess sudo(1) is the correct way to go, and all other self-made scripts/programs are just a security risk.
 
I wouldn't use bash(1) for this, use the standard /bin/sh. It's also not very smart to put the password inside the script. It's quite easy to read it.
 
fluca1978 said:
Is setuid working for scripts? I thought it was working only for binaries.
Correct. Setting SUID on a script doesn't work.
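
The points raised across the replies (root ownership with mode 0700, the setuid bit not working on scripts, /bin/sh rather than bash, and a password that can be read out of the script) can be checked mechanically. The following is an added example, not code from any poster in this thread; the function name `audit_launcher` and the wording of its findings are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a launcher script for the issues raised in this thread.
# Prints one finding per line; the return status is the number of findings.
audit_launcher() {
    f=$1
    findings=0
    note() { printf '%s: %s\n' "$f" "$1"; findings=$((findings + 1)); }

    [ -f "$f" ] || { note "not a regular file"; return 1; }

    # "ls -ldn" prints the mode string, link count and numeric owner uid first.
    set -- $(ls -ldn "$f")
    mode=$1
    uid=$3

    [ "$uid" = 0 ] || note "owner is uid $uid, expected root (uid 0)"

    # Characters 5-10 of the mode string are the group and other permissions.
    case $mode in
        ????------*) ;;
        *) note "group or other have access, expected mode 0700" ;;
    esac

    # An s or S in the owner execute slot means the setuid bit is set.
    case $mode in
        ???[sS]*) note "setuid bit is set, which does not work for scripts" ;;
    esac

    # Interpreter: the thread recommends /bin/sh over bash.
    IFS= read -r shebang < "$f" || :
    case $shebang in
        '#!'*bash*) note "interpreter is bash, thread recommends /bin/sh" ;;
    esac

    # A test of a variable against a quoted constant is an embedded secret
    # that anyone with read access to the script can recover.
    if grep -Eq '\[ +"?\$[A-Za-z_][A-Za-z0-9_]*"? +==? +"[^"$]+" +\]' "$f"; then
        note "input is compared to a string literal stored in the script"
    fi

    return "$findings"
}

# Usage: sh audit.sh /path/to/launcher   (the path is the caller's choice)
if [ "$#" -gt 0 ]; then
    audit_launcher "$1"
fi
```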
 