0

I want to restrict what a user B can do on my server. More precisely, I want him to be able to run only specific command/script that user A can run (and which has to be run as user A).

How is it possible to make user B execute only this script as user A?

What I've found mentioned using sudo, which user B doesn't have access to. Can I change the permission of the script so that B can run it as A?

Jonathan Leffler
  • 730,956
  • 141
  • 904
  • 1,278
Guig
  • 9,891
  • 7
  • 64
  • 126
  • 1
    This isn't really a programming problem, and you'll probably be able to get a better answer to your question at https://unix.stackexchange.com. – Greg Hewgill May 16 '15 at 22:37
  • 1
    If you're the admin on this server, you can configure `sudo` to allow B to run the script as A. – that other guy May 16 '15 at 22:59
  • If you are extremely careful, you can have user A create a SUID (set user ID) program that (1) validates that it is being run by user B, exiting if it is someone else trying to run it, and (2) arranges to run the original script that does the job. You have to be extremely careful, though — it is not for the faint of heart. For example, if the script can be persuaded to launch an editor such as `vim`, then user B can get a shell with the permissions of user A, and can then do almost anything that A can do as A. The smaller the scope of what the script does, the safer this technique is. – Jonathan Leffler May 17 '15 at 15:53

1 Answers1

0

B can't run the script as user A, if B can't use sudo. But you can give B permission to run the script. For that you can simply add A as the group of B, while A has permission to run the script. That way you can make sure no other user who are not in the group A, will be able to run the script.

If you are interested about a detailed explanation, see this.

Community
  • 1
  • 1
Jahid
  • 21,542
  • 10
  • 90
  • 108