in reply to Execute But Not Read

I think the Perl interpreter needs to be able to read the contents of the file, so chmod 711 won't work for programs interpreted at run-time. You could go suid, chmod 4111, but that is ALL too dangerous. A safer solution would be something like Solaris RBAC (Role Based Access Control), or BSD MAC (Mandatory Access Control).

Re^2: Execute But Not Read
by hsinclai (Deacon) on Jan 21, 2005 at 06:18 UTC
    You could go suid, chmod 4111, but that is ALL too dangerous.
    Well you cannot execute a script on either FreeBSD or Linux that has the SUID bit set ..

    OK, you still end up with an SUID program, but what about putting the real Perl script in a directory that users cannot read, then calling it with this wrapper:
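    /* wrapper.c */
    #include <stdio.h>
    #include <unistd.h>

    #define REAL_PATH "/usr/local/bin/secret/secret.pl"

    int main(int ac, char **av)
    {
        execv(REAL_PATH, av);   /* replaces this process with the real script */
        perror("execv");        /* only reached if execv() failed */
        return 1;
    }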

    Compile it:  cc -o secret wrapper.c

    Put the real script in the unreadable directory:
    # mkdir /usr/local/bin/secret
    # cp secret.pl /usr/local/bin/secret/
    # chmod -R 0711 /usr/local/bin/secret/

    Make the wrapper you just compiled SUID root:
    # chown root:root secret
    # chmod 4711 secret

    An unprivileged user should be able to execute the "secret" program, but not read the real Perl code.. so how dangerous would it be to have this suid program around? Maybe in the Perl script you could make sure no arguments are passed in as a first level precaution.. ? I know, it's a Bad Thing.

    You could also just compile the perl script into an executable with perlcc - I don't believe you can see the source code.

      You don't have to use the big gun (root user) to hide the script from 'normal' users. Just create an extra user (with no extra privileges) and chown/chmod the directory/script to him.
      ~/runnables> su
      Password:
      tmodel# uname
      FreeBSD
      tmodel# chown root:wheel test.pl
      tmodel# chmod 4711 test.pl
      tmodel# exit
      exit
      ~/runnables> more test.pl
      test.pl: Permission denied
      ~/runnables> ./test.pl
      At 6:00 AM, Seatac Airport, WA conditions were cloudy skies at 52&deg;F,wind was east at 5 mph. The relative humidity was 97%, and barometric pressure was falling from 30.05 in.
      But using Access Control is safest.
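
Added example (not code from the thread or its posters): a hardened take on the wrapper idea discussed above, which refuses arguments as the post suggests and replaces the caller's environment and argv before the exec. REAL_PATH is the thread's path; the environment contents and the helper names args_ok and env_has are assumptions chosen for illustration.

```c
/* Hardened setuid wrapper sketch. Assumption: the binary is owned by and
 * setuid to a dedicated unprivileged account, not root. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define REAL_PATH "/usr/local/bin/secret/secret.pl"

/* Fixed environment handed to the script. Nothing set by the caller
 * (PATH, PERL5LIB, PERL5OPT, IFS, LD_*) is passed through. */
static char *const clean_env[] = {
    "PATH=/usr/bin:/bin",
    "LC_ALL=C",
    NULL
};

/* Accept only argc == 1 (argv[0] alone). argc == 0 is refused as well. */
int args_ok(int argc)
{
    return argc == 1;
}

/* Returns 1 if variable `name` is present in the fixed environment. */
int env_has(const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; clean_env[i] != NULL; i++)
        if (strncmp(clean_env[i], name, n) == 0 && clean_env[i][n] == '=')
            return 1;
    return 0;
}

int main(int argc, char **argv)
{
    (void)argv;                      /* caller-supplied argv is never used */
    if (!args_ok(argc)) {
        fprintf(stderr, "secret: no arguments accepted\n");
        return 2;
    }
    /* Fixed argv: otherwise the caller controls argv[0] too. */
    char *const fixed_argv[] = { "secret.pl", NULL };
    execve(REAL_PATH, fixed_argv, clean_env);
    perror("execve");                /* only reached if execve() failed */
    return 1;
}
```

Perl turns on taint mode by itself when the real and effective user IDs differ, which is the case when it is started through a setuid wrapper.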