Sidebar: The Sticky Bit and Sybaccess
Seeing the Sybase root user password typed at the command line can be cause for concern, and having the password sit in a configuration file isn't much better, because anyone who needs to execute Sybaccess will need to be able to read that configuration file. That means unauthorized users could possibly read it.
You could set the sticky bit if Sybaccess were an executable; in other words, the user would have permission to execute the program without having permission to read the configuration file from the command line. Unfortunately, setting the sticky bit on a shell script is meaningless on most flavors of UNIX, so a small C program must be used to call Sybaccess. The following program is called runsybaccess:
/* program to call sybaccess */
#include <stdio.h>
#include <stdlib.h>   /* system() */

int main(void)
{
    /* hands control to the shell script; it runs with the wrapper's privileges */
    system("./sybaccess");
    return 0;
}
After you compile and set the sticky bit on runsybaccess, the permissions are:

-r-s--s--- 1 root other runsybaccess
-r-------- 1 root other config
Now, users can execute runsybaccess without being able to read the config file. One unfortunate side effect is giving the user root permissions if he/she shells out. If you insist on setting the sticky bit, follow these guidelines:
1) In the Sybaccess code, replace the utilities that allow users to shell out. These are the vi editor and the pager utility, pg.
2) Set up a secure user other than root and make it the owner of runsybaccess and the config file.
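The listing above shows the set-user-ID and set-group-ID bits (the `s` in the owner and group execute positions, set with chmod u+s,g+s), so whatever runsybaccess launches inherits the owner's identity. Two things in the original wrapper make that inheritance riskier than it needs to be: system() starts a shell whose behaviour depends on the caller's PATH and IFS, and "./sybaccess" is resolved against whatever directory the caller happens to be in. The wrapper below is an added example, not the book's code, showing the usual hardening for such a launcher: an absolute path (the path /usr/local/sybase/bin/sybaccess is an assumed placeholder), execve() instead of a shell, and an environment rebuilt from fixed values plus a short allow list, so SHELL, EDITOR and PAGER from the caller never reach vi or pg. It does not remove the shell-escape problem by itself; guideline 1 still applies.

```c
/* Hardened replacement for the runsybaccess wrapper (added example, not the
   book's code).  Install it the way guideline 2 describes: owned by a dedicated
   account rather than root, mode 4510, same owner as the config file. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>

/* Absolute path of the script the wrapper launches: an assumed location. */
#define SYBACCESS_PATH "/usr/local/sybase/bin/sybaccess"

/* Fixed entries that replace whatever the caller exported.  A setuid program
   must not trust PATH or IFS from its caller. */
static const char *const fixed_env[] = {
    "PATH=/usr/bin:/bin",
    "IFS= \t\n",
    NULL
};

/* Caller variables that are harmless to pass through unchanged.  Note that
   SHELL, EDITOR and PAGER (consulted by vi and pg) are deliberately absent. */
static const char *const allow_names[] = { "TERM", "LANG", "HOME", NULL };

/* Returns 1 if entry ("NAME=value") names a variable on the allow list. */
int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 0;                       /* malformed entry: drop it */
    size_t len = (size_t)(eq - entry);
    for (int i = 0; allow_names[i] != NULL; i++)
        if (strlen(allow_names[i]) == len && strncmp(allow_names[i], entry, len) == 0)
            return 1;
    return 0;
}

/* Builds the child's environment into out[] (capacity max, NULL-terminated):
   fixed entries first, then allow-listed caller entries.  Returns the number
   of entries stored, or -1 if out[] cannot hold them plus the terminator. */
int build_clean_env(char *const *caller_env, const char **out, size_t max)
{
    size_t n = 0;
    for (int i = 0; fixed_env[i] != NULL; i++) {
        if (n + 1 >= max)
            return -1;
        out[n++] = fixed_env[i];
    }
    for (size_t i = 0; caller_env != NULL && caller_env[i] != NULL; i++) {
        if (!env_entry_allowed(caller_env[i]))
            continue;
        if (n + 1 >= max)
            return -1;
        out[n++] = caller_env[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* Returns 1 if a variable called name (as "name=...") is present in env. */
int env_has(const char **env, const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return 1;
    return 0;
}

extern char **environ;

int main(void)
{
    const char *clean[64];
    if (build_clean_env(environ, clean, sizeof clean / sizeof clean[0]) < 0) {
        fprintf(stderr, "runsybaccess: environment too large\n");
        return 1;
    }
    /* execve() with an absolute path: no shell is spawned, so neither PATH
       nor the current directory decides which program actually runs. */
    char *const argv[] = { "sybaccess", NULL };
    execve(SYBACCESS_PATH, argv, (char *const *)clean);
    fprintf(stderr, "runsybaccess: cannot run %s: %s\n", SYBACCESS_PATH, strerror(errno));
    return 1;
}
```

Only execve() failure returns from main; on success the wrapper's process image is replaced by the script. The fixed PATH and IFS values are examples; set them to whatever your sybaccess script actually needs, and keep the allow list as short as the script permits.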