Xref: utzoo comp.unix.questions:18262 comp.unix.wizards:19635
Path: utzoo!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!uwm.edu!rpi!nisc.nyser.net!rodan!jdpeek
From: jdpeek@rodan.acs.syr.edu (Jerry Peek)
Newsgroups: comp.unix.questions,comp.unix.wizards
Subject: Re: ksh executing a file without read permission
Keywords: ksh security
Message-ID: <1488@rodan.acs.syr.edu>
Date: 7 Dec 89 13:39:28 GMT
References: <5516@hplabsb.HP.COM>
Reply-To: jdpeek@rodan.acs.syr.edu (Jerry Peek)
Organization: Syracuse University, Syracuse, NY
Lines: 26

In article <5516@hplabsb.HP.COM> quan@hplabsb.HP.COM (Suu Quan) writes:
> "BETTER SECURITY. Ksh allows a system administrator to log and/or
> disable all privileged scripts. On current UNIX systems, users need
> read permission to execute a script. With ksh, a system administrator
> can allow ksh to read and execute a script without giving a user
> permission to read it"
>
> Exactly what I want: have a file with permissions --x--x--x
> and have everyone execute it without being able to read it.
> How do you do it?

We have ksh-i on our system. We didn't use the suid_exec program,
but here's a paragraph from the ksh src/README file that explains it:

    The binary for ksh-i becomes the file named ./ksh which can be copied
    to wherever you install it. If you want ksh-i to be able to run
    setuid/gid shell scripts, or scripts without read permission, then
    it must be installed in the /bin directory, the /usr/bin directory,
    or the /usr/lbin directory and the name must end in sh. The program
    suid_exec must be installed in the /etc directory, must be owned by
    root, and must be a suid program. If you must install ksh-i in some
    other directory and want to be able to run setuid/setgid and execute
    only scripts, then you will have to change the source code file
    sh/suid_exec.c explicitly.

--Jerry Peek; Syracuse University Academic Computing Services; Syracuse, NY
  jdpeek@rodan.acs.syr.edu, JDPEEK@SUNRISE.BITNET    +1 315 443-3995
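
The installation conditions in the README paragraph quoted above, written as a check an administrator could run. This is an added example, not part of the original post or the ksh distribution; the function names and report format are assumptions, while the directories and the /etc/suid_exec location come from the README text.

```shell
#!/bin/sh
# Added example: audit the ksh-i install conditions quoted from src/README.
# Function names and output format are assumptions of this example.

# ksh_location_ok PATH: succeeds if PATH sits directly in /bin, /usr/bin or
# /usr/lbin and its file name ends in "sh".
ksh_location_ok() {
    dir=${1%/*}; base=${1##*/}
    case "$dir" in
        /bin|/usr/bin|/usr/lbin) ;;
        *) return 1 ;;
    esac
    case "$base" in
        *sh) return 0 ;;
        *) return 1 ;;
    esac
}

# file_owner_uid FILE: prints the numeric owner uid, parsed from ls -ldn.
file_owner_uid() {
    ls -ldn "$1" 2>/dev/null | awk '{print $3}'
}

# suid_helper_ok FILE [UID]: succeeds if FILE is a regular file with the
# setuid bit set and is owned by UID (default 0, i.e. root).
suid_helper_ok() {
    want_uid=${2:-0}
    [ -f "$1" ] && [ -u "$1" ] && [ "$(file_owner_uid "$1")" = "$want_uid" ]
}

# audit_ksh_setup KSH_PATH [HELPER]: prints one line per condition and
# returns the number of failed conditions (0 means the README's rules hold).
audit_ksh_setup() {
    helper=${2:-/etc/suid_exec}; fails=0
    if ksh_location_ok "$1"; then
        echo "ok:   $1 is in an accepted directory and its name ends in sh"
    else
        echo "FAIL: $1 must be in /bin, /usr/bin or /usr/lbin with a name ending in sh"
        fails=$((fails + 1))
    fi
    if suid_helper_ok "$helper"; then
        echo "ok:   $helper is a root-owned setuid file"
    else
        echo "FAIL: $helper must exist, be owned by root and be setuid"
        fails=$((fails + 1))
    fi
    return "$fails"
}
```

Call it as `audit_ksh_setup /bin/ksh`; the second argument overrides the helper path for testing against a staging tree.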