-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Radoslaw Skorupka
Sent: Friday, April 2, 2021 5:48 AM
To: [email protected]
Subject: [External] Re: No file permissions or super user authority for executing a shell script

On 01.04.2021 at 22:01, Robert Hahne wrote:
> Greetings,
>
> Is there a way a user can be allowed to execute a unix shell script in batch
> without changing the file permission bits or granting SUPERUSER authority?
>
> Currently the file has got 700 and the user is not the owner of the
> file. Any suggestions would be great

Short answer: NO.
Longer answer: No. :-)

Even a superuser cannot execute a script which is not marked as x (executable). Of course, a superuser can change it using the chmod command.

However, this is a script - some text file. Even a regular user can run it - assuming he has the r right, he can copy the script to another file and chmod the file to x. Of course, it doesn't mean the user will have the intended authorities, and sometimes scripts have relative paths in the code, so it won't work correctly without modifications.

In your case the user has 0 (---) authorities - that means zero. Nothing.

Fine print: the above is NOT TRUE :-)
We don't know the whole truth, because we don't know the path and authorities. 700 is enough to delete the file, assuming the user has WRITE to the directory. He can't read it, he can't execute it, he can't write it, but he can delete it. It is more than nothing.

--
Radoslaw Skorupka
(looking for new job)
Lodz, Poland

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN

I'm asking this from an "I don't know" standpoint because I've never used them. Doesn't RACF have extended ACLs that could possibly come into play here? As in using RACF to grant read or execute authority to the script? If so, how would that be shown? I would assume that the "normal" Unix security would remain at 700 but the extended ACL would allow the access and show up elsewhere?

Rex
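Added example, not part of the original thread: a small model of the classic UNIX permission-bit check behind the "700 but still deletable" point above. It assumes a non-superuser and no extended ACL entries, goes slightly beyond the thread by also handling the directory sticky bit, and uses constructed uids, gids and modes.

```python
import stat

def class_bits(mode, owner_uid, owner_gid, uid, gids):
    """Return the rwx triplet (0-7) that applies to this user.

    Exactly one class is chosen (owner, then group, then other);
    bits from different classes are never combined.
    """
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def allowed_actions(file, directory, uid, gids):
    """file and directory are (mode, owner_uid, owner_gid) tuples.

    Assumptions of this model: the user is not a superuser and
    neither object carries extended ACL entries.
    """
    f_mode, f_uid, _ = file
    d_mode, d_uid, _ = directory
    fbits = class_bits(*file, uid, gids)
    dbits = class_bits(*directory, uid, gids)
    actions = set()
    if not dbits & 1:
        return actions            # no search (x) on the directory: file unreachable
    if fbits & 4:
        actions.add("read")       # also what makes "copy it and chmod the copy" possible
    if fbits & 2:
        actions.add("write")
    if fbits & 1:
        actions.add("execute")    # x bit only; a script also needs r for its interpreter
    # Removing a name is a change to the directory, not to the file,
    # so the file's own bits are irrelevant here.
    if dbits & 2:
        sticky = bool(d_mode & stat.S_ISVTX)
        if not sticky or uid in (f_uid, d_uid):
            actions.add("delete")
    return actions

# Constructed sample: script owned by uid 100 / gid 10 with mode 700,
# requesting user is uid 200 in group 20.
SCRIPT = (0o700, 100, 10)
if __name__ == "__main__":
    for d_mode in (0o755, 0o777, 0o1777):
        print(oct(d_mode), sorted(allowed_actions(SCRIPT, (d_mode, 0, 0), 200, {20})))
```
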
