The issue is that the script is not what is running, but the interpreter (python, etc.). And the interpreter needs to read the script. This is different from a “regular” program, like ls, in that the program is loaded directly into the kernel, as the interpreter would. Since the kernel itself is reading the program file, it doesn’t need to worry about read access. The interpreter needs to read the script file, as a normal file would need to be read.
This is possible only for binaries.
$ chown foo:foo bar
$ chmod 701 bar
As the unprivileged user:
$ ls -lha bar
-rwx-----x 1 foo foo 7.0K 2012-03-15 03:06 bar
$ cat bar
cat: bar: Permission denied
$ ./bar
baz
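The difference between a native binary and a script under an execute-only mode can be reproduced without a second account, because mode bits apply to the owner too. The following is an added example, not code from the answers above; it assumes /bin/true exists and that TMPDIR (or /tmp) is not mounted noexec, and it must be run as an unprivileged user, since root bypasses the mode bits entirely.

```shell
#!/bin/sh
# Added example: an execute-only (mode 0111) native binary still runs, because
# the kernel maps it itself, while an execute-only shell script fails, because
# /bin/sh must open() and read it. Run as a normal user, not root.

exec_only_demo() {
    # Private scratch directory (TMPDIR or /tmp is an assumption; on a noexec
    # mount both probes report "denied").
    dir=$(mktemp -d "${TMPDIR:-/tmp}/xonly.XXXXXX") || return 1

    # Constructed sample script: a trivial shebang script.
    printf '#!/bin/sh\necho hello from the script\n' > "$dir/script.sh"

    # A small native binary to compare against (assumes /bin/true exists).
    cp /bin/true "$dir/binary" || { rm -rf "$dir"; return 1; }

    # Execute-only for everyone, including the owner.
    chmod 0111 "$dir/script.sh" "$dir/binary"

    # The kernel performs execve() on the binary itself: no read permission needed.
    if "$dir/binary" >/dev/null 2>&1; then bin=ran; else bin=denied; fi

    # execve() of the script starts /bin/sh, which then opens the script as a
    # normal file and is refused.
    if "$dir/script.sh" >/dev/null 2>&1; then script=ran; else script=denied; fi

    rm -rf "$dir"
    echo "binary=$bin script=$script"
}

# Expected as a normal user: binary=ran script=denied
exec_only_demo
```

If the same commands are run as root the script runs too, which is the CAP_DAC_OVERRIDE exception rather than a contradiction of the answer: root never fails a discretionary permission check.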
Now, here is the kicker. While the file is unreadable by conventional means, you can’t actually prevent reading the file. This is actually a challenge on http://smashthestack.org/ (level 13). There is a well-known utility called hktrace that allows you to read the file using
There’s a half truth to the previous statements. You can set up a script so that it’s not readable by the user, but still executable. The process is a little drawn out, but it’s doable by making an exception in /etc/sudoer so that the user can run the script as yourself temporarily without being prompted for a password. This method:
– gets around the setuid patch for other distros.
– allows you to give elevated permissions temporarily for a specific script without giving the user sudo rights to everything.
Follow the instruction on this post:
File permission execute only
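A concrete form of the sudoers exception this answer describes, added here as an illustration rather than taken from the linked post; the user names alice and foo and the path /home/foo/bar are assumptions.

```sudoers
# Assumed layout: /home/foo/bar is a script owned by foo with mode 0700, so the
# invoking user "alice" can neither read nor copy it directly.
# Install this as /etc/sudoers.d/bar using "visudo -f /etc/sudoers.d/bar" so a
# syntax error cannot lock sudo.
alice ALL=(foo) NOPASSWD: /home/foo/bar
```

alice then runs `sudo -u foo /home/foo/bar`; `sudo -l` as alice lists exactly what the rule grants. Keep the command path absolute and the script itself not writable by alice (and not in a directory she can write to), otherwise the rule lets her run arbitrary code as foo rather than just this one script.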