Xref: utzoo comp.unix.questions:18255 comp.unix.wizards:19633
Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!uunet!virtech!cpcahil
From: cpcahil@virtech.uucp (Conor P. Cahill)
Newsgroups: comp.unix.questions,comp.unix.wizards
Subject: Re: ksh executing a file without read permission
Keywords: ksh security
Message-ID: <1989Dec7.194028.5875@virtech.uucp>
Date: 7 Dec 89 19:40:28 GMT
References: <5516@hplabsb.HP.COM>
Organization: Virtual Technologies Inc.
Lines: 32

In article <5516@hplabsb.HP.COM>, quan@hplabsb.HP.COM (Suu Quan) writes:
> Ksh question:
> 
> In "The KORN shell Command and Programming language", by Bolsky & Korn,
> Part I INTRODUCTION, page 6.
> 
> 	"BETTER SECURITY. Ksh allows a system administrator to log and/or
> 	disable all priviledged scripts. On current UNIX systems, users need
> 	read permission to execute a script. With ksh, a system administrator
> 	can allow ksh to read and execute a script without giving a user
> 	permission to read it"
> 
> Exactly what I want : have a file with permissions --x--x--x
> and have everyone execute it without being able to read it.
> 
> How do you do it ?

The manual is talking about "privileged scripts" otherwise known as setuid 
scripts.  When ksh is invoked to run a script file that has setuid bits set,
it invokes a setuid-root program which will then set it's effective ids as 
is appropriate.  Since this is a setuid root program, it can
read any file on the system reguardless of the modes of said file.

Note that only the specal program to set uids can read whatever file, not 
the script itself.


-- 
+-----------------------------------------------------------------------+
| Conor P. Cahill     uunet!virtech!cpcahil      	703-430-9247	!
| Virtual Technologies Inc.,    P. O. Box 876,   Sterling, VA 22170     |
+-----------------------------------------------------------------------+