Can I make a script always execute as root?

Be really careful: scripts combined with setuid are dangerous!

First, please have a look on this question/answers, especially on this answer and security warning.

If you still want to execute your script with setuid set, then you can write a short C program as wrapper and set the setuid bit on the compiled binary.

Wrapper example:

int main(void) {        
    setuid(0);
    clearenv();
    system("/absolute/path/to/your/script.sh");
}

Another solution using sudo (mentioned here):

As root, prevent write (and maybe other) access to your script:

chown root /absolute/path/to/your/script.sh
chmod 700 /absolute/path/to/your/script.sh

Verify that noone except root can replace the script, e.g. by modifying the access rights of the parent folder:
```
chown root /absolute/path/to/your/
chmod 755 /absolute/path/to/your/
```
Modify sudo access rights in /etc/sudoers with visudo:
```
ALL    ALL = (root) NOPASSWD: /absolute/path/to/your/script.sh
```
More details about the settings (e.g. restricting access to specific users or groups) can be found in the sudoers manpage.

Afterwards, all users can run the script as root without password:

sudo /absolute/path/to/your/script.sh

This is similar to using the wrapper/setuid solution above.

speakr

Posted 2012-06-22T19:29:00.323

Reputation: 3 379

3The specific dangers aren't very obvious, but they revolve heavily around the environment. Unlike most programs, a shell script's behavior can be changed significantly by dozens of environment variables, enough so that without extensive safeguards, such a script can easily be tricked into executing arbitrary code. – Stephanie – 2012-06-22T21:20:30.233

You should add a call to clearenv() before the system call in that wrapper, completely blowing away the environment so that no evil settings are around to manipulate the script. http://www.kernel.org/doc/man-pages/online/pages/man3/clearenv.3.html

– Stephanie – 2012-06-22T21:27:30.270

@Stephanie I must be doing something wrong, because all this looks too crazy for a common task. This is what I'm trying to do: http://serverfault.com/questions/401405/how-to-activate-iptables-after-connecting-to-vpn

– HappyDeveloper – 2012-06-22T21:29:00.750

@HappyDeveloper Not too crazy for a setuid script, since a poorly secured one is a path to root for anyone that manages to run it. – Stephanie – 2012-06-22T21:32:25.693

4sudo can be used to give all users access to a particular program (or script). In that sense, it acts as a fancy setuid wrapper. It seems like that would typically be a better choice than writing your own setuid wrapper. – jjlin – 2012-06-22T21:52:33.117

I used the first solution (setuid), because I need it to be executed automatically after logging in, without asking for a password. And I don't like removing the password from sudo. Also, I might need that the script be executed by non sudoers – HappyDeveloper – 2012-06-22T23:38:49.160

@HappyDeveloper You are just removing the sudo password when used with that specific script. Other commands are not affected. Also, you can specify ALL as user alias to allow all users access to run the script. I modified my answer accordingly. – speakr – 2012-06-23T10:25:57.267

Which Linux distribution are you on? Or Unix, even? – slhck – 2012-06-22T19:40:59.743

@slhck Linux, Ubuntu 12 – HappyDeveloper – 2012-06-22T19:41:30.137

3setuid won't work on scripts — it's disabled for security reasons on most *nix distributions these days. You can set it, but it'll be ignored. Maybe you can explain more about your actual problem so we can help you solve this instead? What script is it? Why do you need it to be executed as root? Is using sudo an alternative? – slhck – 2012-06-22T19:45:16.010

Have you tried sudo -s? – Nam Phung – 2012-06-22T20:05:44.440

Can I make a script always execute as root?

Answers