19

How can I set a file to be executable only to other users but not readable/writable? The reason for this is that I'm executing something with my username but I don't want to give out the password. I tried:

chmod 777 testfile
chmod a=x
chmod ugo+x

I still get permission denied when executing as another user.

  • What about when executing it NOT as another user? And is this a script, or a binary program? Scripts must be read by the interpreter.
    – psusi
    Commented Jul 13, 2011 at 22:41
  • Do you have a shebang at the top of the file? #!/bin/sh
    – J Baron
    Commented May 29, 2013 at 17:28

3 Answers

23

There's a half truth to the previous statements. You can set up a script so that it's not readable by the user, but still executable. The process is a little drawn out, but it's doable by making an exception in /etc/sudoers so that the user can run the script as yourself temporarily without being prompted for a password. Example below:

Some script I want to share with a user:

me@OB1:~/Desktop/script/$ chmod 700 somescript.pl
me@OB1:~/Desktop/script/$ ls -l somescript.pl
-rwx------ 1 me me 4519 May 16 10:25 somescript.pl

Make a shell script that calls 'somescript.pl' and save it in /bin/ :

me@OB1:/bin$ sudo cat somescript.sh
[sudo] password for me:
#!/bin/bash
# "$@" is quoted so arguments containing spaces reach the script unsplit
sudo -u me /home/me/Desktop/script/somescript.pl "$@"

OPTIONAL STEP Make a symlink to somescript.sh in /bin/:

sudo ln -s /bin/somescript.sh /bin/somescript 

Make sure the shell script is readable/executable to the user (no write access):

sudo chmod 755 /bin/somescript.sh
me@OB1:/bin$ ls -l somescript*
lrwxrwxrwx 1 root root 14 May 28 16:11 somescript -> /bin/somescript.sh
-rwxr-xr-x 1 root root 184 May 28 18:45 somescript.sh

Make an exception in /etc/sudoers by adding these lines:

# User alias specification
User_Alias SCRIPTUSER = me, someusername, anotheruser

# Run script as the user 'me' without asking for password
SCRIPTUSER ALL = (me) NOPASSWD: /home/me/Desktop/script/somescript.pl

PROOF IN THE PUDDING:

someuser@OB1:~$ somescript
***You can run me, but can't see my private parts!***
someuser@OB1:~$ cat /home/me/Desktop/script/somescript.pl
cat: /home/me/Desktop/script/somescript.pl: Permission denied

This method should be better than trying to obfuscate with Filter::Crypto or PAR::Filter::Crypto or Acme::Bleach, which can be reverse engineered by a determined user. The same goes for compiling your script to a binary. Let me know if you find something wrong with this method. For more advanced users, you may want to remove the User_Alias section completely and replace SCRIPTUSER with '%groupname'. This way you can manage your script users with the usermod command.
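
The sudoers rule in this answer lets everyone in SCRIPTUSER run that one path as `me`, with any arguments, and without a password. That is only as safe as the file it names: if any of those users can write to the script or rename something else into its place, they get code execution as `me`. The script below is an added example, not code from the answer above. It checks those preconditions on a target file (absolute path, regular file, owned by the run-as user, not group- or world-writable, in a directory others cannot write to unless the sticky bit is set) and then prints the group form of the sudoers rule and the wrapper. The function names check_sudo_target, sudoers_rule and wrapper_script, and the file name sudochk.sh, are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the answer above.
# Checks that FILE is safe to name in a sudoers rule that lets a group run
# it as RUNAS, then prints the rule and a wrapper script to install.
# Function and variable names here are illustrative (assumed), not sudo's.

# check_sudo_target FILE RUNAS
# Returns 0 only if FILE is an absolute path to a regular file owned by
# RUNAS that neither group nor others can write, in a directory others
# cannot write to (a sticky world-writable directory is tolerated).
check_sudo_target() {
    f=$1
    runas=$2
    case $f in
        /*) ;;
        *) echo "refuse: $f is not an absolute path" >&2; return 1 ;;
    esac
    [ -f "$f" ] || { echo "refuse: $f is not a regular file" >&2; return 1; }

    # Parse "ls -ld": field 1 is the mode string, field 3 the owner.
    set -- $(ls -ld "$f")
    mode=$(printf '%s' "$1" | cut -c1-10)
    owner=$3
    [ "$owner" = "$runas" ] || {
        echo "refuse: $f is owned by $owner, not $runas" >&2; return 1; }
    # Character 6 is the group write bit, character 9 the others write bit.
    case $mode in
        ?????w*|????????w*)
            echo "refuse: $f is writable by group or others ($mode)" >&2
            return 1 ;;
    esac

    # The containing directory: others must not be able to rename the file
    # away unless the sticky bit (character 10) protects it.
    dir=$(dirname "$f")
    set -- $(ls -ld "$dir")
    dmode=$(printf '%s' "$1" | cut -c1-10)
    case $dmode in
        ????????w[!tT])
            echo "refuse: $dir is writable by others without sticky bit ($dmode)" >&2
            return 1 ;;
    esac
    return 0
}

# sudoers_rule GROUP RUNAS FILE
# Prints the %group form of the rule from the answer. If the script takes
# no arguments, append "" after FILE in sudoers so that sudo rejects any
# attempt to pass some.
sudoers_rule() {
    printf '%%%s ALL = (%s) NOPASSWD: %s\n' "$1" "$2" "$3"
}

# wrapper_script RUNAS FILE
# Prints the wrapper to install for the other users. "$@" is quoted so
# arguments with spaces reach the script intact, "--" ends sudo's own
# option parsing, and exec avoids leaving an extra shell behind.
wrapper_script() {
    printf '#!/bin/sh\nexec sudo -u %s -- %s "$@"\n' "$1" "$2"
}

# Usage: sh sudochk.sh FILE RUNAS GROUP
if [ $# -eq 3 ]; then
    check_sudo_target "$1" "$2" && sudoers_rule "$3" "$2" "$1" && wrapper_script "$2" "$1"
fi
```

Run it as `sh sudochk.sh /home/me/Desktop/script/somescript.pl me scriptusers`; it exits non-zero and says why when a precondition fails. Put the printed rule in its own file and check the syntax with `visudo -c -f thatfile` before installing it (under /etc/sudoers.d if your sudoers includes that directory). Note that the checks only cover the file and its immediate directory; a user who can write to a directory higher up the path, or to the interpreter the script's shebang names, can still subvert it.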

    18

    You need both read and execute permissions on a script to be able to execute it. If you can't read the contents of the script, you aren't able to execute it either.

    tony@matrix:~$ ./hello.world
    hello world
    tony@matrix:~$ ls -l hello.world
    -rwxr-xr-x 1 tony tony 17 Jul 13 22:22 hello.world
    tony@matrix:~$ chmod 100 hello.world
    tony@matrix:~$ ls -l hello.world
    ---x------ 1 tony tony 17 Jul 13 22:22 hello.world
    tony@matrix:~$ ./hello.world
    bash: ./hello.world: Permission denied
      7

      If you let other users execute a program, then they can know everything the program is doing, whether the program file is readable or not. All they need to do is point a debugger (or a debugger-like program such as strace) at it. A binary executable can run if it's executable and not readable (a script can't, because the interpreter needs to be able to read the script), but this doesn't give you any security.

      If you want others to be able to execute your program as a black box, without letting them see exactly what the program is doing, you need to give your script elevated privileges: make it setuid to your user. Only root can use debugging tools on setuid programs. Note that writing secure setuid programs isn't easy, and most languages aren't suitable; see Allow setuid on shell scripts for more explanations. If you're going to write a setuid program, I strongly recommend Perl, which has a mode (taint mode) that's explicitly intended to make secure setuid scripts possible.
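
The two answers above both rest on the same distinction: the kernel executes a native binary from a file it opens itself, so the execute bit alone suffices, whereas a script is handed to an interpreter that must open and read it with the caller's permissions. The function below is an added example, not code from either answer; it reproduces the chmod 100 experiment in a scratch directory with a script and a private copy of /bin/true side by side. It assumes a Linux-like system with /bin/true or /usr/bin/true; the function name xonly_demo and the file name xonly.sh are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the answers above. Demonstrates that an
# execute-only (mode 100) file runs when it is a native binary but is
# refused when it is a script, because the interpreter must open and
# read the script while the kernel maps a binary without a userland read.
# Assumes a Linux-like system with /bin/true or /usr/bin/true.

# xonly_demo prints "script:<ran|denied> binary:<ran|denied>".
# It prints "skipped:root" under root (root bypasses mode bits, so the
# experiment proves nothing) and "skipped:noexec" if the scratch
# directory forbids execution altogether (a noexec tmpfs, for instance).
xonly_demo() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "skipped:root"
        return 0
    fi
    d=$(mktemp -d "${TMPDIR:-/tmp}/xonly.XXXXXX") || return 1

    # The script: needs an interpreter, which has to read it.
    printf '#!/bin/sh\necho hello world\n' > "$d/hello.sh"

    # The binary: a private copy of true. It keeps the name "true" so a
    # multi-call binary (busybox) still dispatches on argv[0] correctly.
    bin=/bin/true
    [ -x "$bin" ] || bin=/usr/bin/true
    cp "$bin" "$d/true"

    # Control run with ordinary 755 bits: both must work, otherwise the
    # directory itself is the problem and the experiment says nothing.
    chmod 755 "$d/hello.sh" "$d/true"
    if ! "$d/true" >/dev/null 2>&1 || ! "$d/hello.sh" >/dev/null 2>&1; then
        rm -rf "$d"
        echo "skipped:noexec"
        return 0
    fi

    # The experiment: execute bit only, as with chmod 100 in the answer above.
    chmod 100 "$d/hello.sh" "$d/true"
    if "$d/hello.sh" >/dev/null 2>&1; then s=ran; else s=denied; fi
    if "$d/true" >/dev/null 2>&1; then b=ran; else b=denied; fi

    rm -rf "$d"
    echo "script:$s binary:$b"
}

# Run directly: sh xonly.sh
xonly_demo
```

As an unprivileged user on Linux this prints `script:denied binary:ran`. The shell is told to run the script by the kernel but cannot open it (exit status 126, "Permission denied"), while the copy of true runs normally. The binary being runnable says nothing about its confidentiality, as Gilles's answer notes: the useful consequence of an unreadable executable is only that it cannot be copied, not that its behaviour is hidden.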
