SUSHC Overview

The "sushc" program lets you run a shell script as a different user from the one you are currently logged in as, in a secure manner. For example, imagine you are running the following script as the user "transfer"...

#!/bin/bash
#
# Shell script run as transfer
#

read NEW_PASSWORD
...
...
sushc oracle /home/oracle/tpwsql.sh "$NEW_PASSWORD"
...
...

Then, in a script with the file name "/home/oracle/tpwsql.sh" owned by the user "oracle"...

#!/bin/bash
#
# Shell script called by transfer to run as ORACLE dba
#
# To grant permission on "transfer" to run this using sushc:
#
# sushc -grant  transfer
# sushc -end
#
# Now to run something like this:

export PASSWORD="$1"        # Read parameter
. oraenv TRANSFER           # Set up ORACLE environment

#
# Prevent SQL injection
#
PASSWORD=$(printf '%s' "$PASSWORD" | tr -d ";()'\"![:cntrl:]")   # quoted and passed via printf so the value is never word-split, globbed or taken as an echo option

sqlplus /nolog <<!
connect / as sysdba
spool /home/oracle/log/sqlscripts.log
alter user transfer identified by $PASSWORD;
spool off
!

The "sushc -grant transfer" line is what permits the user "transfer" to run this script (as "oracle"); sushc honours it even though it sits inside a comment, as above. Both this line and the "sushc -end" line are explained in detail in The Manual.
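The following is an added example, not part of sushc itself: a defender-side check, written in POSIX sh, of the grant header a target script carries ("# sushc -grant <user>" lines closed by "# sushc -end"), together with the two file checks you would want before trusting such a header. It assumes the header takes exactly the form shown on this page; sushc's own parsing rules are those in its manual.

```shell
#!/bin/sh
# Added example, not sushc's code. ASSUMPTION: the grant header is exactly
# "# sushc -grant <user>" lines terminated by "# sushc -end", as on this page.
#
# sushc_grant_allows SCRIPT CALLER TARGET_USER
#   returns 0 if SCRIPT is owned by TARGET_USER, is not group/world writable,
#   and names CALLER in its grant header before "-end"; returns 1 otherwise.
sushc_grant_allows() {
    script=$1 caller=$2 target=$3
    [ -f "$script" ] || return 1
    perms=$(ls -ld "$script")
    # A group/world-writable script lets anyone add their own "-grant" line.
    case $(printf '%s\n' "$perms" | cut -c6,9) in *w*) return 1 ;; esac
    # The script must belong to the user it will be run as.
    [ "$(printf '%s\n' "$perms" | awk '{print $3}')" = "$target" ] || return 1
    awk -v u="$caller" '
        /^#[[:space:]]*sushc[[:space:]]+-end[[:space:]]*$/ { exit }
        /^#[[:space:]]*sushc[[:space:]]+-grant[[:space:]]+/ {
            line = $0
            sub(/^#[[:space:]]*sushc[[:space:]]+-grant[[:space:]]+/, "", line)
            sub(/[[:space:]]+$/, "", line)
            if (line == u) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$script"
}

# Constructed sample target script with the header from this page, plus a
# grant line placed after "-end", which must be ignored.
sushc_demo() {
    dir=$(mktemp -d) || return 1
    cat >"$dir/tpwsql.sh" <<'EOF'
#!/bin/bash
# sushc -grant  transfer
# sushc -end
# sushc -grant  intruder
echo "would run as oracle"
EOF
    chmod 750 "$dir/tpwsql.sh"
    me=$(id -un)          # the demo file is owned by whoever runs this
    for who in transfer intruder; do
        if sushc_grant_allows "$dir/tpwsql.sh" "$who" "$me"; then
            echo "$who: granted"
        else
            echo "$who: denied"
        fi
    done
    rm -rf "$dir"
}
sushc_demo
```

Running it prints "transfer: granted" and "intruder: denied"; loosening the file mode to 777 or handing a different owner name as TARGET_USER makes the check refuse the script outright.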
