27
13
How to make a script execute as root, no matter who executes it?
I read about setuid but I'm not sure how to do this.
I'm using Linux, Ubuntu 12.04 LTS.
27
13
How to make a script execute as root, no matter who executes it?
I read about setuid but I'm not sure how to do this.
I'm using Linux, Ubuntu 12.04 LTS.
30
Be really careful: scripts combined with setuid are dangerous!
First, please have a look on this question/answers, especially on this answer and security warning.
If you still want to execute your script with setuid
set, then you can write a short C program as wrapper and set the setuid
bit on the compiled binary.
Wrapper example:
int main(void) {
setuid(0);
clearenv();
system("/absolute/path/to/your/script.sh");
}
Another solution using sudo
(mentioned here):
As root, prevent write (and maybe other) access to your script:
chown root /absolute/path/to/your/script.sh chmod 700 /absolute/path/to/your/script.sh
Verify that noone except root can replace the script, e.g. by modifying the access rights of the parent folder:
chown root /absolute/path/to/your/ chmod 755 /absolute/path/to/your/
Modify sudo access rights in /etc/sudoers
with visudo
:
ALL ALL = (root) NOPASSWD: /absolute/path/to/your/script.sh
More details about the settings (e.g. restricting access to specific users or groups) can be found in the sudoers manpage.
Afterwards, all users can run the script as root without password:
sudo /absolute/path/to/your/script.sh
This is similar to using the wrapper/setuid solution above.
3The specific dangers aren't very obvious, but they revolve heavily around the environment. Unlike most programs, a shell script's behavior can be changed significantly by dozens of environment variables, enough so that without extensive safeguards, such a script can easily be tricked into executing arbitrary code. – Stephanie – 2012-06-22T21:20:30.233
1
You should add a call to clearenv() before the system call in that wrapper, completely blowing away the environment so that no evil settings are around to manipulate the script. http://www.kernel.org/doc/man-pages/online/pages/man3/clearenv.3.html
– Stephanie – 2012-06-22T21:27:30.270@Stephanie I must be doing something wrong, because all this looks too crazy for a common task. This is what I'm trying to do: http://serverfault.com/questions/401405/how-to-activate-iptables-after-connecting-to-vpn
– HappyDeveloper – 2012-06-22T21:29:00.750@HappyDeveloper Not too crazy for a setuid script, since a poorly secured one is a path to root for anyone that manages to run it. – Stephanie – 2012-06-22T21:32:25.693
4sudo
can be used to give all users access to a particular program (or script). In that sense, it acts as a fancy setuid wrapper. It seems like that would typically be a better choice than writing your own setuid wrapper. – jjlin – 2012-06-22T21:52:33.117
I used the first solution (setuid), because I need it to be executed automatically after logging in, without asking for a password. And I don't like removing the password from sudo. Also, I might need that the script be executed by non sudoers – HappyDeveloper – 2012-06-22T23:38:49.160
@HappyDeveloper You are just removing the sudo password when used with that specific script. Other commands are not affected. Also, you can specify ALL as user alias to allow all users access to run the script. I modified my answer accordingly. – speakr – 2012-06-23T10:25:57.267
4
Easiest and safest way is to use SETUID bits in file permissions. that way command permissions will be elevated to file owner permissions.
to prevent script from edition do not set write for everyone bits.
0
I don't know if this may be useful but, to make the script only run as root, you could use this shebang on the first line of the script:
#!/bin/su root
Which Linux distribution are you on? Or Unix, even? – slhck – 2012-06-22T19:40:59.743
@slhck Linux, Ubuntu 12 – HappyDeveloper – 2012-06-22T19:41:30.137
3
setuid
won't work on scripts — it's disabled for security reasons on most *nix distributions these days. You can set it, but it'll be ignored. Maybe you can explain more about your actual problem so we can help you solve this instead? What script is it? Why do you need it to be executed as root? Is usingsudo
an alternative? – slhck – 2012-06-22T19:45:16.010Have you tried
sudo -s
? – Nam Phung – 2012-06-22T20:05:44.440