Unix/Linux Go Back    


Programming Post questions about C, C++, Java, SQL, and other programming languages here.

Running a script as root in the script

Programming


Closed    
 
Thread Tools Search this Thread Display Modes
    #8  
Old Unix and Linux 11-16-2017   -   Original Discussion by robertkwild
robertkwild's Unix or Linux Image
robertkwild robertkwild is offline
Registered User
 
Join Date: Apr 2016
Last Activity: 13 April 2018, 4:02 AM EDT
Posts: 84
Thanks: 9
Thanked 9 Times in 7 Posts
i just want the user to run this simple script that i made to create an ftp user account with a home directpry and i thought a normal user cannot add directorys and make a user chmod chown etc etc -



Code:
#!/bin/bash

dir=/mnt/sftp
group=sftp_users

    echo "Enter UserName:"
    read user

    if id $user ; then
        echo "$user already exists as you can see above, please re-run the script"
        exit
        else
        echo "$user not in system, ok to continue"
    fi

    echo "Enter Password:"
    read passwd
    echo "$user:$passwd" >> /ftp_details/accounts.csv
    echo "is this a normal user (press 1) ?"
    read choice
    
    case $choice in
        1)
            useradd -g $group -d $dir/$user -s /sbin/nologin $user
            mkdir -p $dir/$user/data
            chown root $dir/$user
            chmod 755 $dir/$user
            chown $user $dir/$user/data
            chmod 755 $dir/$user/data
            touch $dir/$user/data/WARNING_everything_in_here_will_get_removed_in_14_days_time.txt
            ;;
        *)
            echo "invalid selection, please re-run the script"
            exit
            ;;
    esac

    echo $user:$passwd | chpasswd

The Following User Says Thank You to robertkwild For This Useful Post:
rbatte1 (11-16-2017)
Sponsored Links
    #9  
Old Unix and Linux 11-16-2017   -   Original Discussion by robertkwild
rbatte1's Unix or Linux Image
rbatte1 rbatte1 is offline Forum Staff  
Root armed
 
Join Date: Jun 2007
Last Activity: 23 May 2018, 7:40 AM EDT
Location: Lancashire, UK
Posts: 3,535
Thanks: 1,557
Thanked 692 Times in 622 Posts
Well I can see that you have thought about what you want to achieve. Whilst we could organise to grant access to the specific powerful commands, the problem would then be that they could run them anytime, so i think you probably have it about right to only run the whole script as root. I presume you plan to expand it from a single choice later.

I notice that you don't have an audit trail in here to say who did what and when, just in case it goes wrong or needs to be shown. Whilst within the script if started as root through sudo, you can get the calling user as $SUDO_USER so you can write that in your message.



I hope that this helps, but I think have everything you need. Does it make sense or have I/we left you confused?



Robin
Sponsored Links
    #10  
Old Unix and Linux 11-16-2017   -   Original Discussion by robertkwild
robertkwild's Unix or Linux Image
robertkwild robertkwild is offline
Registered User
 
Join Date: Apr 2016
Last Activity: 13 April 2018, 4:02 AM EDT
Posts: 84
Thanks: 9
Thanked 9 Times in 7 Posts
Hi Robin yes im confused, what do you mean sudo_user

do you mean for every command i have in my script put sudo infront of it

then i thought instead of putting sudo infront of every command just make the user type su and job done ie from there it will run all the commands as root
    #11  
Old Unix and Linux 11-16-2017   -   Original Discussion by robertkwild
Don Cragun's Unix or Linux Image
Don Cragun Don Cragun is online now Forum Staff  
Administrator
 
Join Date: Jul 2012
Last Activity: 23 May 2018, 2:19 PM EDT
Location: San Jose, CA, USA
Posts: 11,305
Thanks: 635
Thanked 3,932 Times in 3,365 Posts
Quote:
Originally Posted by robertkwild View Post
Hi Robin yes im confused, what do you mean sudo_user

do you mean for every command i have in my script put sudo infront of it

then i thought instead of putting sudo infront of every command just make the user type su and job done ie from there it will run all the commands as root
I thought I explained this in post #4 in this thread when I said:
Quote:
Nothing in your script after invoking su will be run with root privileges. The su utility, if given a proper password, will start a shell and nothing in the rest of your script will be run until that shell exits.
Once a user types the root password in response to invoking the command su (without operands), they can then type any commands into the shell that su starts for them and it will run those commands with all of the privileges of someone who logged in as root. When they exit that super-user shell, your script will then continue running with the same privileges as the user who invoked that utility had when they invoked your script. No commands in your script after the shell started by su exits will run with root privileges unless it was root who invoked your script to being with.

The here-document trick I also showed you in that post can be used to feed commands into that super-user shell. The text in that here-document is just read and executed by the shell that su starts; it is not that su is running commands in your script.

The logical easy way to do this (if a user who is going to run your script knows the root password and wants to run your script with root privileges) is for them to run su and then while in the shell that su starts have them run your script and do whatever else they need to do as root before exiting that super-user shell.
Sponsored Links
    #12  
Old Unix and Linux 11-17-2017   -   Original Discussion by robertkwild
rbatte1's Unix or Linux Image
rbatte1 rbatte1 is offline Forum Staff  
Root armed
 
Join Date: Jun 2007
Last Activity: 23 May 2018, 7:40 AM EDT
Location: Lancashire, UK
Posts: 3,535
Thanks: 1,557
Thanked 692 Times in 622 Posts
Gluing everything in this thread together, we have (my insertions in green):-

Code:
#!/bin/bash

if [ $(id -u) -ne 0 ]
then
   exec sudo $0 "$@"             # Will overwrite this process so script does not continue as self
fi                               # Any arguments are passed on as supplied

# A superuser will carry on through here

LOGFILE=/var/lib/creation.log    # .... or whatever suits you

dir=/mnt/sftp
group=sftp_users	

echo "Enter UserName:"
read user

if id $user ; then
        echo "$user already exists as you can see above, please re-run the script"
        exit
else
        echo "$user not in system, ok to continue"
fi

echo "Enter Password:"
read passwd
echo "$user:$passwd" >> /ftp_details/accounts.csv
echo "is this a normal user (press 1) ?"
read choice
    
case $choice in
        1)
            echo "$(date) : User $SUDO_USER creating $user" >> $LOGFILE
            useradd -g $group -d $dir/$user -s /sbin/nologin $user
            mkdir -p $dir/$user/data
            chown root $dir/$user
            chmod 755 $dir/$user
            chown $user $dir/$user/data
            chmod 755 $dir/$user/data
            touch $dir/$user/data/WARNING_everything_in_here_will_get_removed_in_14_days_time.txt
            ;;
        *)
            echo "invalid selection, please re-run the script"
            exit
            ;;
esac

echo $user:$passwd | chpasswd

You would then need to add a rule using visudo to allow your selected user(s)/group(s) to run this script. You will need to be a super-user to run visudo
Add the lines like these:-

Code:
#Individual users
robert1			ALL = NOPASSWD: /path/to/this_script
trusted1		ALL = PASSWD: /path/to/this_script

#Group members are trusted
%trustedgroup		ALL = PASSWD: /path/to/this_script

The account robert1 will just pass into the script, but trusted1 and members of the group trustedgroup will have to enter their own password to continue. This means they don't need to know the all-powerful account password. If they do, then there is no way to control them.

Using sudo means that you can grant them privileges they need for just when they are doing what you want and nothing more, i.e. you trust them to run this script, but not to become the super-user because they might remove /etc/passwd by mistake.


How far does this get you now?


Am I just more confusing? Apologies if I am.
Robin
Sponsored Links
Closed

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Linux More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
Running a script as root but with different users inside nanz143 Shell Programming and Scripting 18 06-09-2014 07:04 AM
Issue running script as root cj09 Shell Programming and Scripting 4 05-24-2011 09:37 PM
Running script through SSH as root irinotecan Security 4 03-30-2009 05:57 PM
As root , running script as different user with su - problem dbsupp Shell Programming and Scripting 4 12-18-2008 12:28 AM
Running a command or script as root rm-r Shell Programming and Scripting 3 05-27-2005 08:58 AM



All times are GMT -4. The time now is 02:28 PM.