permission execute only

Hi all,

How do I set permissions on a file in /bin so users can't view it (using pico), only execute it?
I've tried this:

chmod 711 filename

so it becomes:
-rwx--x--x 1 root wheel 570 Jan 28 15:45 filename

Yes, the users can't view the file (using pico), but they also can't execute it from their /home/user directory; it said:
/bin/filename: Permission denied.

So I don't want users to view, edit, etc., but only run it from their directory.

Can anyone help me?
Thank you :)
 
Why? They can't edit anyway as they have no write access. What's wrong with them having read access?
 
dumbdumb said:
Well, it's a script file and it's just wrong for me if they can read the file.
If you have to hide the functionality of software then there's something you're doing wrong...
 
dumbdumb said:
Well, it's a script file and it's just wrong for me if they can read the file.

Security through obscurity never works.
 
And how would you be able to execute a file that you cannot read? If your user does not have the rights to read the file, they cannot find out which commands to execute.
 
So,
is chmod 711 or the -rwx--x--x attribute useless?
Do you guys have any ideas regarding my case instead of asking about my lack of knowledge of this? :)

Thank you
 
Hmm, I agree philosophically with dumbdumb, but I'm not going to argue.

You can use security/sudo & change the owner to a user that has no login. sudo should be fine grained enough to permit someone to execute it (with normal user privileges) while not permitting someone to actually see the file.
 
You could try using misc/shc to encode your script. It won't guarantee that your executable script will be 'safe', but yea, it fits your need.

The usage is easy too, just run shc -f <your_executable_script>, and it will convert it into a binary form. And with that, -rwx--x--x means something.

Example with a file that will just echo 'something':
Code:
[od@meh ~]$ ls -l
total 2
-rwxr-xr-x  1 od  od  28 Apr  5 15:01 abc
[od@meh ~]$ ./abc  
something
[od@meh ~]$ shc -f abc
[od@meh ~]$ ls -l
total 24
-rwxr-xr-x  1 od  od     28 Apr  5 15:01 abc
-rwx--x--x  1 od  od  12184 Apr  5 15:01 abc.x
-rw-r--r--  1 od  od   9420 Apr  5 15:01 abc.x.c
[od@meh ~]$ ./abc.x
something

abc.x is the 'encoded' script that you'd be using. Unreadable, executable.
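
The difference the replies above turn on, as an added example that is not part of the original thread: a `#!` script is opened and read by its interpreter as the invoking user, so mode 711 gives "Permission denied", while a compiled binary such as abc.x needs only the execute bit. The function names `classify` and `audit_exec_only` are made up for this example, and it looks only at the "other" permission bits.

```shell
#!/bin/sh
# Added example: find files that "other" users may execute but not read,
# and report which of them are scripts (mode cannot work for those users)
# and which are binaries (execute-only is enough).

# classify FILE -> prints "script" if FILE starts with "#!", else "binary".
# Run this as a user who can read FILE (its owner, or root).
classify() {
    magic=$(dd if="$1" bs=2 count=1 2>/dev/null)
    if [ "$magic" = '#!' ]; then
        echo script    # interpreter must read the file: --x alone fails
    else
        echo binary    # kernel loads it directly: --x alone is enough
    fi
}

# audit_exec_only DIR -> one line "<kind> <path>" for every regular file
# under DIR that has other-execute set and other-read cleared (e.g. 711).
audit_exec_only() {
    find "$1" -type f -perm -001 ! -perm -004 | while IFS= read -r f; do
        echo "$(classify "$f") $f"
    done
}

# Usage: sh audit.sh /bin
if [ $# -gt 0 ]; then
    audit_exec_only "$1"
fi
```

Every line reported as `script` is a file that non-owners will fail to run, as with /bin/filename in the first post.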
 
Not that I even know what Polonium 210 is . . .

chrcol said:
People say that, but it fools automated tools.

What's more accurate is you shouldn't rely on obscurity only.

Agreed. Back when I had port 22 open to the universe those bots would use up 50% of my bandwidth and some 30% CPU hammering at my sshd. The simple expedient of changing my banner to the same string that Debian's ftp server sends dropped the number of attempts by 90%. Again, moving sshd up to 6800 or so, while conforming to the "security through obscurity" model, dropped the attacks from several thousand a day to zero.

It had exactly nothing to do with whether my server was secure or not (even with thousands a day, nothing ever got in), and everything to do with not paying for other people to clog up my internet link with their useless sshd bots. A truly proactive admin would have tracked down the bots by IP and quietly assassinated the netblock owners, but I have better things to do with my time than travel to Russia every other weekend, trying to smuggle Polonium across international borders. Not that I would use Polonium (in most cases).
 