Re: [External] Re: No file permissions or super user authority for executing a shell script
-Original Message- From: IBM Mainframe Discussion List On Behalf Of Paul Gilmartin Sent: Saturday, April 3, 2021 8:23 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: [External] Re: No file permissions or super user authority for executing a shell script On Fri, 2 Apr 2021 13:26:07 +, Pommier, Rex wrote: > >I'm asking this from a "I don't know" standpoint because I've never used them. > Doesn't RACF have extended ACLs that could possibly come into play here? As >in using RACF to grant read or execute authority to the script? If so, how >would that be shown? I would assume that the "normal" Unix security would >remain at 700 but the extended ACL would allow the access and show up >elsewhere? > But allowing access in that fashion seems to violate POSIX: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap04.html#tag_04_05 4.5 File Access Permissions ... Implementations may provide additional or alternate file access control mechanisms, or both. An additional access control mechanism shall only further restrict the access permissions defined by the file permission bits. ... -- gil Hi Gil, Thanks for that bit of information. As I stated, I've never used ACLs but what you're saying makes sense. Rex The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: [External] Re: No file permissions or super user authority for executing a shell script
On Fri, 2 Apr 2021 13:26:07 +, Pommier, Rex wrote: > >I'm asking this from a "I don't know" standpoint because I've never used them. > Doesn't RACF have extended ACLs that could possibly come into play here? As >in using RACF to grant read or execute authority to the script? If so, how >would that be shown? I would assume that the "normal" Unix security would >remain at 700 but the extended ACL would allow the access and show up >elsewhere? > But allowing access in that fashion seems to violate POSIX: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap04.html#tag_04_05 4.5 File Access Permissions ... Implementations may provide additional or alternate file access control mechanisms, or both. An additional access control mechanism shall only further restrict the access permissions defined by the file permission bits. ... -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: [External] Re: No file permissions or super user authority for executing a shell script
W dniu 02.04.2021 o 15:26, Pommier, Rex pisze: -Original Message- From: IBM Mainframe Discussion List On Behalf Of Radoslaw Skorupka Sent: Friday, April 2, 2021 5:48 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: [External] Re: No file permissions or super user authority for executing a shell script W dniu 01.04.2021 o 22:01, Robert Hahne pisze: Greetings , Is there a way a user can be allowed to execute a unix shell script in batch without changing the file permission bits or granting SUPERUSER authority ? Currently the file has got 700 and the user is not the owner of the file . Any suggestions would be great Short answer: NO. Longer answer: No. :-) Even superuser cannot execute script which is not marked as x (executable). Of course superuser can change it using chmod command. However this is a script - some text file. Even regular user can run it - assuming he have r right he can copy the script to other file and chmod the file to x. Of course it doesn't mean the user will have intended authorities and sometimes script have relative paths in the code, so it won't work correctly without modifications. In your case the user has 0 (---) authorities - than means zero. Nothing. Fine print: the above is NOT TRUE :-) We don't know all the true, because we don't know the path and authorities. 700 is enough to delete the file assuming the user has WRITE to the directory. He can't read it, he can't execute it, he can't write it, bu he can delete it. It is more than nothing. -- Radoslaw Skorupka (looking for new job) Lodz, Poland -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN I'm asking this from a "I don't know" standpoint because I've never used them. Doesn't RACF have extended ACLs that could possibly come into play here? As in using RACF to grant read or execute authority to the script? If so, how would that be shown? I would assume that the "normal" Unix security would remain at 700 but the extended ACL would allow the access and show up elsewhere? Rex, You are perfectly right, my long answer should be longer. ACL can be used here. In fact user-group-other paradigm was enhanced to use named users or groups and access lists similarly to DATASET profiles. However IMHO it is rarely used. How to recognize "hidden ACL" existence? ls -l file and you will see something like rwx -w- r-x + the + sing is the clue. Command getfacl should display details. Note: existence of ACL is not enough. FSSEC class must be also active. BTW: in case of ACL the information "700" is ambiguous. I can be understood as "rwx-- with no +" or just like "we don't know what about ACL". Or just "ACL? Oh, I forgot...". ;-) -- Radoslaw Skorupka (looking for new job) Lodz, Poland -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: [External] Re: No file permissions or super user authority for executing a shell script
-Original Message- From: IBM Mainframe Discussion List On Behalf Of Radoslaw Skorupka Sent: Friday, April 2, 2021 5:48 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: [External] Re: No file permissions or super user authority for executing a shell script W dniu 01.04.2021 o 22:01, Robert Hahne pisze: > Greetings , > > Is there a way a user can be allowed to execute a unix shell script in batch > without changing the file permission bits or granting SUPERUSER authority ? > > Currently the file has got 700 and the user is not the owner of the > file . Any suggestions would be great > > Short answer: NO. Longer answer: No. :-) Even superuser cannot execute script which is not marked as x (executable). Of course superuser can change it using chmod command. However this is a script - some text file. Even regular user can run it - assuming he have r right he can copy the script to other file and chmod the file to x. Of course it doesn't mean the user will have intended authorities and sometimes script have relative paths in the code, so it won't work correctly without modifications. In your case the user has 0 (---) authorities - than means zero. Nothing. Fine print: the above is NOT TRUE :-) We don't know all the true, because we don't know the path and authorities. 700 is enough to delete the file assuming the user has WRITE to the directory. He can't read it, he can't execute it, he can't write it, bu he can delete it. It is more than nothing. -- Radoslaw Skorupka (looking for new job) Lodz, Poland -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN I'm asking this from a "I don't know" standpoint because I've never used them. Doesn't RACF have extended ACLs that could possibly come into play here? As in using RACF to grant read or execute authority to the script? If so, how would that be shown? I would assume that the "normal" Unix security would remain at 700 but the extended ACL would allow the access and show up elsewhere? Rex The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: No file permissions or super user authority for executing a shell script
W dniu 01.04.2021 o 22:01, Robert Hahne pisze: Greetings , Is there a way a user can be allowed to execute a unix shell script in batch without changing the file permission bits or granting SUPERUSER authority ? Currently the file has got 700 and the user is not the owner of the file . Any suggestions would be great Short answer: NO. Longer answer: No. :-) Even superuser cannot execute script which is not marked as x (executable). Of course superuser can change it using chmod command. However this is a script - some text file. Even regular user can run it - assuming he have r right he can copy the script to other file and chmod the file to x. Of course it doesn't mean the user will have intended authorities and sometimes script have relative paths in the code, so it won't work correctly without modifications. In your case the user has 0 (---) authorities - than means zero. Nothing. Fine print: the above is NOT TRUE :-) We don't know all the true, because we don't know the path and authorities. 700 is enough to delete the file assuming the user has WRITE to the directory. He can't read it, he can't execute it, he can't write it, bu he can delete it. It is more than nothing. -- Radoslaw Skorupka (looking for new job) Lodz, Poland -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: No file permissions or super user authority for executing a shell script
The simple answer is NO. Lou -- Artificial Intelligence is no match for Natural Stupidity - Unknown On Thu, Apr 1, 2021 at 3:01 PM Robert Hahne wrote: > Greetings , > > Is there a way a user can be allowed to execute a unix shell script in > batch without changing the file permission bits or granting SUPERUSER > authority ? > > Currently the file has got 700 and the user is not the owner of the file . > Any suggestions would be great > > Regards, > Robert Hahne > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
No file permissions or super user authority for executing a shell script
Greetings , Is there a way a user can be allowed to execute a unix shell script in batch without changing the file permission bits or granting SUPERUSER authority ? Currently the file has got 700 and the user is not the owner of the file . Any suggestions would be great Regards, Robert Hahne -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN