3

I have a simple command that I want to be able to perform as a user, but it requires root permissions. I suspect that this is a case for the "SUID"-bit, but I've never used it.

This is what I've tried:

```
aioobe@e6510:~/bin$ sudo -s
root@e6510:~/bin# cat -> spindown_baydrive
#!/bin/bash
/sbin/hdparm -Y /dev/sdb
root@e6510:~/bin# chmod +x spindown_baydrive 
root@e6510:~/bin# chmod ug+s spindown_baydrive 
root@e6510:~/bin# exit
aioobe@e6510:~/bin$ ./spindown_baydrive 
/dev/sdb: Permission denied
aioobe@e6510:~/bin$
```

```
aioobe@e6510:~/bin$ ls -la spindown_baydrive 
-rwsr-sr-x 1 root root 37 2011-01-31 09:59 spindown_baydrive
```

Any suggestions?

aioobe

3 Answers

7

This is exactly the kind of thing that sudo was designed for. Use visudo to edit the sudoers to allow the non-privileged user to run your script as root.

```
visudo
```

Add a line like this:

```
aioobe ALL=NOPASSWD: /path/to/spindown_baydrive
```

and save the file.

Now you can run the file as root using the command

```
sudo /path/to/spindown_baydrive
```

If you want to require a password to be entered to run the script, then change the sudoers line above to

```
aioobe ALL= /path/to/spindown_baydrive
```

user9517
  • Excellent, thanks a lot. I don't understand your last remark though... *"If you want to require a password to be entered to run the script..."* If I wanted a password, I wouldn't have to do anything, just `sudo scriptname`, right? – aioobe Jan 31 '11 at 09:37
  • The last command would ask aioobe to enter their password before they could run the script. It helps to ensure that only aioobe can run the command as root. – user9517 Jan 31 '11 at 09:41
  • Exactly what I needed. Couldn't figure out why SUID wasn't working with my scripts. Made root owner of file, but allowed admin ability to use sudo on this file without entering a password. Works like a charm in my cronjobs. Thanks a lot. – Safado Sep 22 '11 at 21:33
  • I take that back, it doesn't work in my cronjobs, but it works from the command line! – Safado Sep 22 '11 at 22:17
4

You can let the user run the script as root via sudo by configuring it in /etc/sudoers, without forcing the user to enter his password (see the NOPASSWD option).

To suid bash scripts, read more here: (Ubuntu) setuid bash doesn't work

3molo
1

```
-rwsr-sr-x 1 root root 37 2011-01-31 09:59 spindown_baydrive
```

At 37 bytes, I'm guessing this is a shell script. When running as setuid, the shell starts new processes as the original uid. If you google for 'shell script setuid' you'll see lots of explanations of why it doesn't work, and lots of ways to resolve the problem; the obvious ones are using sudo or writing a wrapper program in C.

symcbean
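The wrapper program in C that the last answer mentions, as an added example that is not code from any poster in this thread. It hard-codes the question's `/sbin/hdparm -Y /dev/sdb`; the function names and the environment values are assumptions of the example.

```c
#include <stdio.h>
#include <unistd.h>

/* Fixed command line from the question; nothing is taken from the caller. */
static char *const SPINDOWN_ARGV[] = { "/sbin/hdparm", "-Y", "/dev/sdb", NULL };

/* Assumed minimal environment: the invoking user's PATH, LD_* and IFS
 * never reach the process that runs as root. */
static char *const CLEAN_ENV[] = {
    "PATH=/usr/sbin:/usr/bin:/sbin:/bin", "LANG=C", NULL
};

/* Returns 0 only when the wrapper was started without extra arguments. */
int check_invocation(int argc)
{
    return argc == 1 ? 0 : -1;
}

/* Make the real and saved UIDs match the effective UID granted by the
 * setuid bit. Returns -1 when the process is not privileged, e.g. the
 * bit is missing or the filesystem is mounted nosuid. */
int become_root(void)
{
    if (geteuid() != 0)
        return -1;
    return setuid(0) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    (void)argv;
    if (check_invocation(argc) != 0) {
        fprintf(stderr, "usage: spindown_baydrive (takes no arguments)\n");
        return 2;
    }
    if (become_root() != 0) {
        fprintf(stderr, "no root privileges: check owner, mode and nosuid\n");
        return 1;
    }
    /* Absolute path plus execve(): no shell and no PATH lookup involved. */
    execve(SPINDOWN_ARGV[0], SPINDOWN_ARGV, CLEAN_ENV);
    perror("execve"); /* only reached when the exec itself failed */
    return 1;
}
```

Compile it, make the binary owned by root with mode 4755, and install it in a directory that only root can write (not `~/bin`), on a filesystem that is not mounted `nosuid`.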