1

I would like to create a bash script that I will run inside an administrator account. I want the script to backup the existing hosts file to the same directory with the file extension .original and then I want the script to add 3 pre-defined entries (specified within the scripts body) into the hosts file and maintain the existing formatting of the hosts file. How can I accomplish this without the user having to authenticate - I want the administrators password to be stored in the script and passed to sudo every time it requests escalation. Thank you.

sardean
  • 171
  • 1
  • 8

3 Answers3

1

You shouldn't store the password in the script. That is a security vulnerability. You can achieve the behaviour you want without storing the password anywhere by using the setuid bit.

First run chmod u+s myscript to make it run as owner (when you make the owner root, this will make your script run as root, so you won't need to use sudo at all within your script).

Then make sure that anyone you want can execute the script. If you want all users to be able to then run chmod +x myscript. If you want only yourself to be able to make sure you are the only user in the group and use chmod g+x myscript instead.

Then run sudo chown root myscript to make it owned by root.

Now any time that anyone with permissions to execute that script runs it it will be executed as root, whether that user is an administrator or not.

Paul
  • 139,544
  • 27
  • 275
  • 264
  • Will this work if I want to store the script on a USB thumb drive and bring it from machine to machine running it directly from the thumb drive. – sardean May 05 '12 at 18:24
  • @DeanA.Vassallo No it won't work in that situation. If Unix and/or OSX let you do that it would be a huge security vulnerability. You could take full control of anyone's operating system with a 10 character script stored on a thumb drive. – Paul May 05 '12 at 18:30
  • Yeah, that's what I was thinking. This is such a one off situation. I will probably just create the modified version of the hosts file, store it on the thumb drive and go machine to machine and just use cp to create the copy and then cp again to move the file from the thumb drive into /etc – sardean May 05 '12 at 18:36
  • 1
    I'm not sure about OS X, but some Unix-like OSs won't allow you to setuid a script (more precisely, you can set the bit, but it won't do anything). See [this](http://unix.stackexchange.com/a/2910/382). – Dennis Williamson May 05 '12 at 21:58
1

You have to write a program (compiled code) and suid root to perform that, then you do not have to reveal the root password to the users. I have yet to encounter a system that allows you to suid scripts. Or you have to suid bash itself which is the actual program, then everyone can be root.

example: (run as root)

ex qq.c << EOF
1,\$d
i
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <assert.h>
int main() {
    assert(0 == setreuid(geteuid(),-1));
    return system(
    "/bin/bash << DONE\n"
    "if [ \"\$UID\" != '0' ];then echo \"need to be root to do this\";exit 16;fi;\n"
    "cp /etc/hosts /etc/hosts.org\n"
    "echo 127.0.0.1 banned1.domain >> /etc/hosts\n"
    "echo 127.0.0.1 banned2.domain >> /etc/hosts\n"
    "echo 127.0.0.1 banned3.domain >> /etc/hosts\n"
    "DONE\n");
}
.
x
EOF
gcc -o qq qq.c && chmod u+s qq
pizza
  • 7,296
  • 1
  • 25
  • 22
0

You can do this via the sudo command. The sudo command allows you to specify which users can run which commands and what users. Normally, you give users access to particular commands that they need to be root to execute. For example, a particular person needs to be able to start and stop Apache httpd. Normally, only root is allowed to do this, but you can grant this permission to your web administrator without giving that person permission to do anything else as root.

The sudo command is controlled by the /private/etc/sudoers file. (Which you should edit with the visudo command).

Let's say you create a shell script to edit your /etc/hosts file. You'd first want to put it in a particular location, say /usr/local/edit_hosts_file. This is a good location since the directory is owned by root.

Now, you want to make sure that only root can execute this file, and maybe only root can even read this file, and you especially want to make sure only root can edit this file. Otherwise, people could use this file to give themselves root access to other parts of your system:

 $ sudo chown root:root /usr/share/edit_hosts_file
 $ sudo chmod 700 /usr/share/edit_hosts_file

Now, that your command is secure, you can edit the /private/etc/sudoers file to allow only particular users to run this shell script as root:

User_Alias ALLOWED_USERS = bob, carol, ted, alice
Cmnd_Alias ETC_HOSTS_EDIT = /usr/share/bin/edit_hosts_file
Host_Alias MACHINE_LIST = localhost
ALLOWED_USERS    MACHINE_LIST=(ALL) NOPASSWD: ETC_HOSTS_EDIT

This would allow any user in the defined ALLOWED user list to run your etc/hosts edit script, without requiring a password.

Now, if someone wants to run your script, they can do it as root without knowing the password and without having to give the password. This way, your script could be executed by another script:

 $ sudo /usr/share/bin/edit_hosts_file
 Script completed: /etc/hosts edited
David W.
  • 105,218
  • 39
  • 216
  • 337