0

I have to write a script on Ubuntu and some commands require root privileges. The script is full of normal Linux commands. Is it possible to write a switch user (su) script that automates the password prompt without needing user intervention? Need help...

I forgot to tell you that I'm asked to disable sudo access to all users and I did that. Alternate option?

Thank you!

user53864

6 Answers

1

You should use sudo. In the file /etc/sudoers you can configure the commands which should be run with root privileges and whether a password is needed or not.

Christian
1

Have a look at sudo. With this you can run specific commands with root privileges with or without the requirement to give a password.

It should already be installed on your Ubuntu system.

EDIT

Sudo has been designed to do exactly what you want in a secure, controlled and auditable manner. The safest thing to do is to allow users to run the script via sudo. This doesn't then allow users access to the individual commands.

Discussion with the policy makers should ensue.

Edit 2

You have to grant a user permission to run a particular shell via sudo before they can successfully run sudo -s. Just giving a user permission to run your script does not grant permission to run sudo -s.

user9517
  • I forgot to tell you that I'm asked to disable sudo access to all users and I did that. Alternate option? – user53864 Sep 17 '10 at 11:15
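The distinction drawn in Edit 2 above, as an added example that is not part of any answer on this page: a rule that names only the script does not cover the shell that `sudo -s` would start, while a rule granting `ALL` or a shell binary does. The sketch assumes one rule per line with no aliases; the user and group names are constructed, and the script path is the one used elsewhere on this page.

```shell
#!/bin/sh
# Added example. Simplified sudoers audit: one rule per line, no alias
# expansion, no line continuations. Group and user names are constructed.

audit_sudoers() {
    # $1 = sudoers-style file; prints "<verdict> <who>" for each rule
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments, blank lines
    /^[ \t]*(Defaults|[A-Za-z_]+_Alias)/ { next }  # settings, alias definitions
    {
        who = $1
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)   # drop the "who host =" prefix
        gsub(/\([^)]*\)/, "", spec)      # drop runas lists such as (root)
        gsub(/[A-Z]+:/, "", spec)        # drop tags such as NOPASSWD:
        n = split(spec, cmds, ",")
        verdict = "LIMITED"
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            split(c, parts, /[ \t]+/)    # parts[1] is the command path
            # ALL, or a shell binary, is what "sudo -s" needs to succeed
            if (c == "ALL" || parts[1] ~ /\/(ba|da|z|k)?sh$/)
                verdict = "ROOT-SHELL"
        }
        print verdict, who
    }' "$1"
}

# Constructed sample rules (not taken from the page)
sample=$(mktemp)
cat > "$sample" <<'EOF'
Defaults env_reset
%admin  ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/local/bin/script.sh
oper    ALL=(root) /usr/local/bin/script.sh, /bin/bash
EOF

audit_sudoers "$sample"
```

A LIMITED verdict only means the rule names specific commands; the named script must still be owned by root and not writable by the users allowed to run it.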
1

Try 'bash -p'; if -p is not given, then bash will keep the original uid/gid even if suid.

3molo
  • But I do agree, you probably should not solve it this way ;). – 3molo Sep 17 '10 at 11:31
  • You mean to say just type 'bash -p'? This way I didn't see any output and it is not changed to root user. – user53864 Sep 17 '10 at 11:46
  • Sorry, I misunderstood the question. If you were to create a suid bash, the bash -p would work. But like someone mentioned earlier, you cannot suid shell scripts. – 3molo Sep 18 '10 at 08:24
1

As you said you are unable to use sudo, you may think the other way around. Are you able to run the script as root and su to a user with lesser permission for the parts which do not need to be run as root?

As already said, sudo is exactly what you need and the best solution (you know that you can limit sudo access for each command separately?).

krissi
0

The approach you describe would require that anyone who could run the script would be able to read the script - and hence the root password.

> I'm asked to disable sudo access to all users

! you've been asked to disable the sub-system which has been specifically designed by some very smart people to provide limited root access to designated users and now you need to provide root access to designated users with your own home grown solution (and have proposed a very bad way of solving the problem).

You could set the sticky bit on the file permissions - but it'd take a very long time to go into the implications of doing that - and it seems that neither you nor the person who asked you to disable sudo really understand the Unix permissions model.

Why not just lose the pretence and give the users the root password?

symcbean
  • The main reason to disable sudo is to tighten the security, as anyone can use the command "sudo -s" and gain access to root by entering his own password. – user53864 Sep 17 '10 at 12:25
  • @user53864: You can selectively enable commands and their options using settings in `/etc/sudoers` (use `visudo` to edit). – Dennis Williamson Sep 17 '10 at 12:53
-1

Do your own wrapper:

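```c
/* mywrapper.c */
#include <stdio.h>
#include <unistd.h>

extern char **environ;

int main(void) {
    environ = NULL; /* clear environment variables for sanity */
    if (setuid(0) != 0) { /* stop if we could not become root */
        perror("setuid");
        return 1;
    }
    execl("/usr/local/bin/script.sh", "script.sh", (char *)NULL);
    perror("execl"); /* only reached if execl failed */
    return 1;
}
```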

Then `gcc -o mywrapper mywrapper.c ; chown root mywrapper; chmod u+s mywrapper` and you're ready to go.

LatinSuD
  • That's a workaround for the shell resuming normal privileges when running a setuid script - not a solution to the OP's problem – symcbean Sep 18 '10 at 09:35