Re: Script to allow non-root read access to a root owned file



On 2007-01-16, Jim Howes <sewoh.mij@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Justin C wrote:
(Debian AMD64 unofficial stable)

There is a log file I don't want to give regular users direct access to
but I want to write a script that will grep that file for a string,
provided on the command line when calling the script, and return some
information.

Scripts can have no special privileges; Linux does not honour the suid bit on
scripts. However, scripts can of course run executables.

An executable can be installed, owned by root, with the suid bit set (or even
just the setgid bit set, if the file is owned by an appropriate group), and that
executable needs to do the necessary grepping of the file. The easiest way is
probably to hand it off to grep via a popen().

When you construct the grep and cut commands, do so defensively, i.e.
sanity-check any user-supplied input, to avoid users fooling you into doing
something silly via a shell-injection attack like
    grep foo bar ; rm -rf /* secretfile | cut -f1,4,5 -d,
instead of
    grep somedata secretfile | cut -f1,4,5 -d,
Also, don't call grep, call /bin/grep, or you'll have all sorts of fun with
people mucking about with $PATH.
Better still, do the entire grep-style operation yourself in the code.

I can see where you're coming from with that. The script will be mostly
for myself (it's a real PITA printing from mutt, suspending it, SUing,
grepping the file and going back to mutt for the next one) to use, but
there may be times others will use it. I've difficulty enough with their
lack of computer skills within pointy clicky environs - command lines
scare the bejaysus out of the lot of 'em.... but that's not to say the
next newbie won't be a closet geek.

I'm not rewriting grep... but, to be honest, it's not that hard to
'grep' in perl, even for someone of my limited ability.

The mention of executables: we're talking C or other binaries here,
aren't we? That'll count me out. I've had a C book by Kernighan (sp?)
sat on my "to read" shelf for years, just haven't got around to it... so
that's not going to happen in the near future.

Looks like I'm going to have fun with this one... perhaps the first part
of the script copies the log file somewhere and chown's it or something,
can anyone see why that wouldn't work?


Justin.

--
Justin C by the sea.
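The helper Jim describes above (a small setuid or setgid binary that does the search itself instead of handing user input to a shell), written out as an added example; it is not code from this thread or from either poster. Everything specific is an assumption made for illustration: the log path /var/log/example.log, the helper name loggrep, the comma-separated line layout, and the 1,4,5 field selection taken from the cut command in the quoted message. It also opens the file first and then permanently drops the elevated uid/gid before it looks at any user-controlled data, which the thread does not mention but is the usual least-privilege shape for a helper like this.

```c
/* loggrep.c: search a root-readable log for a caller-supplied string
 * without ever invoking a shell.  Added example, not from the thread.
 *
 * Build and install (assumed names/paths):
 *   cc -O2 -Wall -o loggrep loggrep.c
 *   chown root:root loggrep && chmod 4755 loggrep
 *   (or, if the log is group-readable by e.g. adm: chown root:adm; chmod 2755)
 */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define LOGFILE     "/var/log/example.log"  /* assumed path */
#define MAX_PATTERN 64
#define MAX_LINE    4096

/* Fields to print, mirroring `cut -f1,4,5 -d,` from the quoted message. */
static const int WANTED_FIELDS[] = { 1, 4, 5 };

/* Accept only a short run of printable ASCII.  No shell is involved below,
 * so shell metacharacters are harmless here; the check bounds what a caller
 * can feed in and keeps control characters out of the output. */
int valid_pattern(const char *s)
{
    size_t n;
    if (s == NULL || *s == '\0')
        return 0;
    n = strlen(s);
    if (n > MAX_PATTERN)
        return 0;
    for (; *s != '\0'; s++)
        if (!isprint((unsigned char)*s))
            return 0;
    return 1;
}

static int wanted(int field)
{
    size_t i;
    for (i = 0; i < sizeof WANTED_FIELDS / sizeof WANTED_FIELDS[0]; i++)
        if (WANTED_FIELDS[i] == field)
            return 1;
    return 0;
}

/* Print the wanted comma-separated fields of one line, joined by commas.
 * Like cut, a line with fewer fields simply prints what it has. */
static void print_fields(char *line, FILE *out)
{
    char *p = line;
    int field = 1, printed = 0;
    for (;;) {
        char *comma = strchr(p, ',');
        if (comma != NULL)
            *comma = '\0';
        if (wanted(field)) {
            fprintf(out, "%s%s", printed ? "," : "", p);
            printed = 1;
        }
        if (comma == NULL)
            break;
        p = comma + 1;
        field++;
    }
    fputc('\n', out);
}

/* The grep: for every line of `in` containing `needle`, print its wanted
 * fields to `out`.  Returns the number of matching lines.  Lines longer than
 * MAX_LINE are drained and skipped rather than matched as fragments. */
int grep_stream(FILE *in, const char *needle, FILE *out)
{
    char line[MAX_LINE];
    int matches = 0;

    while (fgets(line, sizeof line, in) != NULL) {
        size_t len = strlen(line);
        if (len > 0 && line[len - 1] == '\n') {
            line[len - 1] = '\0';
        } else if (!feof(in)) {
            int c;
            while ((c = getc(in)) != EOF && c != '\n')
                ;
            continue;
        }
        if (strstr(line, needle) == NULL)
            continue;
        matches++;
        print_fields(line, out);
    }
    return matches;
}

/* Open the protected file while still privileged, then give up the
 * elevated gid and uid for good before touching user-controlled data. */
static FILE *open_log_and_drop_privs(const char *path)
{
    FILE *fp = fopen(path, "r");
    int saved_errno = errno;
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) {
        perror("dropping privileges");
        exit(1);
    }
    errno = saved_errno;
    return fp;
}

int main(int argc, char **argv)
{
    FILE *fp;
    int n;

    if (argc != 2 || !valid_pattern(argv[1])) {
        fprintf(stderr, "usage: loggrep PATTERN  (printable, <= %d chars)\n",
                MAX_PATTERN);
        return 2;
    }
    fp = open_log_and_drop_privs(LOGFILE);
    if (fp == NULL) {
        perror(LOGFILE);
        return 1;
    }
    n = grep_stream(fp, argv[1], stdout);
    fclose(fp);
    return n > 0 ? 0 : 1;   /* grep's exit convention */
}
```

Because the search is done with strstr rather than a shell, an argument such as "foo ; rm -rf /" is just a string that happens not to match. A script (perl or otherwise) can then call this helper for the privileged part and do the rest unprivileged. Note that copying the file first does not sidestep the problem: whatever makes the copy must already be able to read the root-owned file, which is exactly the privilege the helper exists to hold.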