On 02.04.2021 at 15:26, Pommier, Rex wrote:
-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of
Radoslaw Skorupka
Sent: Friday, April 2, 2021 5:48 AM
To: [email protected]
Subject: [External] Re: No file permissions or super user authority for
executing a shell script
On 01.04.2021 at 22:01, Robert Hahne wrote:
Greetings,
Is there a way a user can be allowed to execute a unix shell script in batch
without changing the file permission bits or granting SUPERUSER authority?
Currently the file has got 700 and the user is not the owner of the
file. Any suggestions would be great.
Short answer: NO.
Longer answer: No. :-) Even superuser cannot execute a script which is not marked
as x (executable). Of course superuser can change it using the chmod command.
However this is a script - some text file. Even a regular user can run it
- assuming he has r right he can copy the script to another file and chmod the
file to x. Of course it doesn't mean the user will have the intended authorities,
and sometimes scripts have relative paths in the code, so it won't work
correctly without modifications.
In your case the user has 0 (---) authorities - that means zero. Nothing.
Fine print: the above is NOT TRUE :-)
We don't know the whole truth, because we don't know the path and authorities. 700
is enough to delete the file assuming the user has WRITE to the directory. He
can't read it, he can't execute it, he can't write it, but he can delete it. It
is more than nothing.
--
Radoslaw Skorupka
(looking for new job)
Lodz, Poland
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to
[email protected] with the message: INFO IBM-MAIN
I'm asking this from an "I don't know" standpoint because I've never used them. Doesn't
RACF have extended ACLs that could possibly come into play here? As in using RACF to grant read or
execute authority to the script? If so, how would that be shown? I would assume that the
"normal" Unix security would remain at 700 but the extended ACL would allow the access
and show up elsewhere?
Rex,
You are perfectly right, my long answer should be longer. ACL can be
used here. In fact the user-group-other paradigm was enhanced to use named
users or groups and access lists, similarly to DATASET profiles. However
IMHO it is rarely used. How to recognize "hidden ACL" existence? ls -l
file and you will see something like rwx -w- r-x + ; the + sign is the
clue. The getfacl command should display details.
Note: existence of ACL is not enough. FSSEC class must also be active.
BTW: in case of ACL the information "700" is ambiguous. It can be
understood as "rwx------ with no +" or just like "we don't know what
about ACL". Or just "ACL? Oh, I forgot...". ;-)
--
Radoslaw Skorupka
(looking for new job)
Lodz, Poland
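As an added example (not from the thread and not an IBM tool), here is a small POSIX shell audit that applies the tip above: it scans `ls -l` output for the trailing "+" marker and flags entries whose classic mode bits look locked down but carry an ACL, so they get a getfacl check. The listing, file names and owners are constructed for the example; on z/OS UNIX you would feed it real `ls -l` output and remember that the ACL only takes effect when the FSSEC class is active.

```shell
#!/bin/sh
# Added example (not from the thread). Audits `ls -l` output for the "+" ACL
# marker so that a 700-looking file with hidden ACL entries gets reviewed.
# SAMPLE_LISTING is constructed; replace it with real `ls -l` output.
SAMPLE_LISTING='-rwx------  1 owner1 grp1 1024 Apr  1 22:01 backup.sh
-rwx------+ 1 owner1 grp1 2048 Apr  1 22:05 report.sh
-rwxr-x---  1 owner1 grp1  512 Apr  2 05:48 shared.sh
-rwx-w-r-x+ 1 owner1 grp1  256 Apr  2 15:26 odd.sh'

# has_acl_marker MODE: true when the mode field ends with "+" (ACL present)
has_acl_marker() {
  case "$1" in
    *+) return 0 ;;
    *)  return 1 ;;
  esac
}

# acl_status MODE: prints "acl" or "none" for use in reports
acl_status() {
  if has_acl_marker "$1"; then echo acl; else echo none; fi
}

# others_can_exec MODE: true when the classic "other" x bit (10th char) is set
others_can_exec() {
  case "$1" in
    ?????????x*) return 0 ;;
    *)           return 1 ;;
  esac
}

# count_acl_entries: number of listing entries carrying the "+" marker
count_acl_entries() {
  printf '%s\n' "$SAMPLE_LISTING" | awk '$1 ~ /[+]$/ { c++ } END { print c + 0 }'
}

# audit_listing: one line per entry; entries with an ACL are flagged REVIEW,
# because the rwx bits alone no longer tell you who can read or execute.
audit_listing() {
  while read -r mode rest; do
    [ -n "$mode" ] || continue
    name=${rest##* }
    acl=$(acl_status "$mode")
    note=""
    if [ "$acl" = acl ]; then note=" REVIEW: run getfacl $name"; fi
    printf '%-10s mode=%s acl=%s%s\n' "$name" "$mode" "$acl" "$note"
  done <<EOF
$SAMPLE_LISTING
EOF
}

audit_listing
```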