# permission execute only



## dumbdumb (Apr 3, 2010)

Hi all,

How do I set permissions on a file in /bin so users can't view it (using pico), execute only?
I've tried this:

```
chmod 711 filename
```

so it becomes:

```
-rwx--x--x   1 root  wheel     570 Jan 28 15:45 filename
```

Yes, the users can't view the file (using pico), but they also can't execute it from their /home/user directory. It says:

```
/bin/filename: Permission denied.
```

So I don't want users to view, edit, etc., but only run it from their directory.

Anyone can help me?
Thank you


----------



## SirDice (Apr 3, 2010)

Why? They can't edit anyway as they have no write access. What's wrong with them having read access?


----------



## dumbdumb (Apr 4, 2010)

Well it's a script file and it's just wrong for me if they can read the file.


----------



## aragon (Apr 4, 2010)

dumbdumb said:

> Well it's a script file and it's just wrong for me if they can read the file.


If you have to hide the functionality of software then there's something you're doing wrong...


----------



## dumbdumb (Apr 4, 2010)

Ok so chmod won't work in my case, thanks anyway


----------



## SirDice (Apr 4, 2010)

dumbdumb said:

> Well it's a script file and it's just wrong for me if they can read the file.



Security through obscurity never works.


----------



## mix_room (Apr 4, 2010)

And how would you be able to execute a file that you cannot read? If your user does not have the rights to read the file, they cannot find out which commands to execute.


----------



## dumbdumb (Apr 5, 2010)

So, is chmod 711 or the `-rwx--x--x` attribute useless?
Do you guys have any idea regarding my case instead of asking about my lack of knowledge of this?

Thank you


----------



## fronclynne (Apr 5, 2010)

Hmm, I agree philosophically with dumbdumb, but I'm not going to argue.

You can use security/sudo & change the owner to a user that has no login. sudo should be fine-grained enough to permit someone to execute it (with normal user privileges) while not permitting someone to actually see the file.


----------



## sixtydoses (Apr 5, 2010)

You could try using misc/shc to encode your script. It won't guarantee that your executable script will be 'safe', but yea, it fits your need.

The usage is easy too, just run `shc -f <your_executable_script>`, and it will convert it into a binary form. And with that, `-rwx--x--x` means something.

Example with a file that will just echo 'something':

```
[od@meh ~]$ ls -l
total 2
-rwxr-xr-x  1 od  od  28 Apr  5 15:01 abc
[od@meh ~]$ ./abc  
something
[od@meh ~]$ shc -f abc
[od@meh ~]$ ls -l
total 24
-rwxr-xr-x  1 od  od     28 Apr  5 15:01 abc
-rwx--x--x  1 od  od  12184 Apr  5 15:01 abc.x
-rw-r--r--  1 od  od   9420 Apr  5 15:01 abc.x.c
[od@meh ~]$ ./abc.x
something
```

abc.x is the 'encoded' script that you'd be using. Unreadable, executable.


----------
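Added example, not part of any post in this thread: a POSIX shell check for the situation discussed above, where mode 711 leaves a `#!` script unrunnable for other users (the interpreter has to open the file for reading) while the same mode works on a compiled binary such as `abc.x`. The function names `classify_exec_only` and `audit_dir` are hypothetical, and the check must be run by the file owner or root because it reads the first two bytes of each file.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies a file by its "other"
# permission bits, using only POSIX find(1) -perm tests and dd(1).

# Prints one of: not-executable | readable | script-unrunnable | binary-exec-only
classify_exec_only() {
    f=$1
    # Is the other-execute bit (001) set on a regular file?
    if [ -z "$(find "$f" -prune -type f -perm -001 2>/dev/null)" ]; then
        echo not-executable; return 0
    fi
    # Is the other-read bit (004) set? Then the contents are visible to everyone.
    if [ -n "$(find "$f" -prune -type f -perm -004)" ]; then
        echo readable; return 0
    fi
    # Execute without read: fine for a compiled binary, which the kernel
    # loads itself, but a "#!" script is opened by its interpreter running
    # as the calling user, and that open needs read permission.
    magic=$(dd if="$f" bs=2 count=1 2>/dev/null)
    if [ "$magic" = '#!' ]; then
        echo script-unrunnable
    else
        echo binary-exec-only
    fi
}

# List scripts in a directory that other users can neither read nor run,
# i.e. the "Permission denied" case from the first post.
audit_dir() {
    for p in "$1"/*; do
        [ -f "$p" ] || continue
        [ "$(classify_exec_only "$p")" = script-unrunnable ] && echo "$p"
    done
    return 0
}
```

Calling `audit_dir /usr/local/bin` (path chosen for illustration) prints each script whose mode needs `o+r` added, or which needs to be replaced by a compiled wrapper, before other users can run it.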



## dumbdumb (Apr 5, 2010)

Thank you fronclynne & sixtydoses for the information. I think shc will suit my needs, thanks.


----------



## chrcol (Apr 6, 2010)

SirDice said:

> Security through obscurity never works.



People say that, but it fools automated tools.

What's more accurate is you shouldn't rely on obscurity only.


----------



## fronclynne (Apr 7, 2010)

*Not that I even know what Polonium 210 is . . .*



			
chrcol said:

> People say that, but it fools automated tools.
>
> What's more accurate is you shouldn't rely on obscurity only.



Agreed. Back when I had port 22 open to the universe those bots would use up 50% of my bandwidth and some 30% CPU hammering at my sshd. The simple expedient of changing my banner to the same string that Debian's ftp server sends dropped the number of attempts by 90%. Again, moving sshd up to 6800 or so, while conforming to the "security through obscurity" model, dropped the attacks from several thousand a day to zero.

It had exactly nothing to do with whether my server was secure or not (even with thousands a day, nothing ever got in), and everything to do with not paying for other people to clog up my internet link with their useless sshd bots.  A truly proactive admin would have tracked down the bots by IP and quietly assassinated the netblock owners, but I have better things to do with my time than travel to Russia every other weekend, trying to smuggle Polonium across international borders.  Not that I would use Polonium (in most cases).


----------

