
I've been searching Google on how to add additional security to a specific command without using sudo.

Is it possible to add on a security feature without actually using sudo?

For example:

Whenever I use the xxd command, there is a need for an additional input in order for the command to run, or it won't work at all.

What I was doing is that I used the xxd command in order to convert a string into garbage hex. So it is basically revertible into the original string. Now, what I am trying to accomplish is that no one must be able to use xxd -r, except for the few people who know the password needed to run it, so that the hex values won't be reverted to the original string.

    
Does "additional input" have to equate to elevated privileges (i.e., a valid password in /etc/passwd), and if so, whose? –  jasonwryan 2 days ago
    
Not really /etc/passwd. Everyone can use it; the only difference is that you have to input something. For example, if the password to run it is 123456, then I have to type xxd -r 123456, or I can add a new sub-command like xxd -r -p 123456. Is that possible? –  user2851287 2 days ago
2  
Please edit that in to your question. Please also state what it is that you are actually trying to achieve, this currently reads like an X-Y problem... –  jasonwryan 2 days ago
    
Okay, I edited it. Sorry for the blurry question. –  user2851287 2 days ago
5  
What if users bring their own xxd instead of using the system's password-protected one? What if they just use xxd on their own computer to convert the values to the original string? If you want to keep something secret, use cryptography, not some trivial obfuscation. –  André Daniel 2 days ago

3 Answers

To achieve what you want I can propose the following:

  1. Create a user for each program. In your example, suppose you create a user uxxd (group uxxd).
  2. Give it the password you want (from your example, 123456).
  3. Give the execution rights on this program only to user uxxd:
       chown uxxd:uxxd xxd
       chmod 700 xxd
  4. For better security you could also remove the login shell from the user uxxd (depending on your system you can replace it with /bin/nologin, for example).

Now to launch your program you need:

su uxxd -c xxd

If this program is supposed to create files for the user who started it, the user probably should be in the group uxxd. This depends on the default umask on your system and can be changed.


Sorry for the late reply.

I used another command instead of xxd, since it cannot support a password.

I used the openssl command, in which I can put a password every time I encrypt a password:

openssl enc -aes-128-cbc -a -salt -pass pass:test123

Now, if I need to decrypt it, I need to use:

openssl enc -aes-128-cbc -a -d -salt -pass pass:test123

Thanks for the help everyone.
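
The point made in the comments and in the openssl answer above, as an added example that is not part of the original posts: hex output can be decoded with nothing but shell builtins, so restricting xxd protects nothing, while passphrase-based encryption does. The function names, the DEMO_PASS variable and the sample strings are assumptions made for the example, and -pbkdf2 and -pass env: go beyond the answer's command (OpenSSL 1.1.1 or later).

```sh
#!/bin/sh
# Added example; sample values below are constructed for illustration.

# Decode plain hex (the format `xxd -p` emits) with shell builtins only.
# The body runs in a subshell, so `exit` only leaves the function.
hex_decode() (
    hex=$1
    case $hex in ''|*[!0-9a-fA-F]*) exit 1 ;; esac   # reject empty or non-hex input
    [ $(( ${#hex} % 2 )) -eq 0 ] || exit 1            # reject odd length
    while [ -n "$hex" ]; do
        rest=${hex#??}                 # everything after the first two digits
        byte=${hex%"$rest"}            # the first two digits
        printf '%b' "\\0$(printf '%03o' "0x$byte")"   # hex -> octal escape -> byte
        hex=$rest
    done
)

# Passphrase-based encryption of stdin. The passphrase ($1) reaches openssl
# through the environment (hypothetical variable DEMO_PASS) instead of
# `-pass pass:...`, which would appear in the process list.
encrypt() { DEMO_PASS=$1 openssl enc -aes-128-cbc -a -salt -pbkdf2 -pass env:DEMO_PASS; }
decrypt() { DEMO_PASS=$1 openssl enc -aes-128-cbc -a -d -pbkdf2 -pass env:DEMO_PASS 2>/dev/null; }

sample_hex=68656c6c6f   # constructed: "hello" as hex
echo "hex decoded without xxd: $(hex_decode "$sample_hex")"

if command -v openssl >/dev/null 2>&1; then
    ct=$(printf 'hello' | encrypt 'test123')
    echo "ciphertext: $ct"
    echo "right passphrase: $(printf '%s\n' "$ct" | decrypt 'test123')"
    # CBC carries no integrity check: a wrong passphrase normally fails the
    # padding check, and otherwise yields garbage, never the plaintext.
    printf '%s\n' "$ct" | decrypt 'wrong-guess' >/dev/null || echo "wrong passphrase: rejected"
fi
```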


This isn't so secure.

You could add this to /etc/profile:

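# bash-only syntax: ${@:2} and function names containing slashes.
xxd()
{
    # Require the password as the first argument.
    if [ "$1" = "123456" ]; then
        # "command" skips this function and runs the real binary;
        # a bare "xxd" here would call the function again and recurse.
        command xxd "${@:2}"
    else
        echo "sorry command not available"
    fi
}

# Same check for calls that use the full path.
/usr/bin/xxd()
{
    if [ "$1" = "123456" ]; then
        command xxd "${@:2}"
    else
        echo "sorry command not available"
    fi
}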

You'd run the command as xxd 123456 -r ...

You'd have to restrict read access to the binary though, so it can't be copied.

Any user could also read /etc/profile and see the password. You could possibly put these in a script xxdcmd.sh with no read access, and have it run somehow.

Anyhow, I think a good solution would be what was suggested about having a user/group, but I thought it would be interesting to find other methods.

Cheers!

PS: this would be a good solution to what you're ultimately trying to achieve

gpg -c <filename>
gpg -d <filename.gpg>
    
This is horrible! Don't suggest such a thing, someone might listen! –  Lohoris 2 days ago
    
I had mentioned it wasn't secure. –  eric 2 days ago
    
Then don't post it. It doesn't matter that you put a disclaimer: this is a silly technique, and nobody should attempt it for any reason. –  Lohoris 2 days ago
    
You need to relax. It's only for the heck of it, and I explained everything; I didn't put a tiny footnote or something. BTW, are you seriously butchering me over this, and if so, do you really think anybody would even tell him to go through with what he's asking for any real security? I thought it was obvious this was just for learning purposes. Again, relax. –  eric 2 days ago
    
@eric This already fails if someone tries \xxd. Also, for learning purposes, I think this is not a proper demonstration of using functions. –  Bernhard yesterday
