👤
Home Man
Search
Today's Posts
Register

Post questions about C, C++, Java, SQL, and other programming languages here.

Running a script as root in the script

👤 Login to reply

 
Thread Tools Search this Thread
# 8  
Old 11-16-2017
i just want the user to run this simple script that i made to create an ftp user account with a home directpry and i thought a normal user cannot add directorys and make a user chmod chown etc etc -

Code:
#!/bin/bash

dir=/mnt/sftp
group=sftp_users

    echo "Enter UserName:"
    read user

    if id $user ; then
        echo "$user already exists as you can see above, please re-run the script"
        exit
        else
        echo "$user not in system, ok to continue"
    fi

    echo "Enter Password:"
    read passwd
    echo "$user:$passwd" >> /ftp_details/accounts.csv
    echo "is this a normal user (press 1) ?"
    read choice
    
    case $choice in
        1)
            useradd -g $group -d $dir/$user -s /sbin/nologin $user
            mkdir -p $dir/$user/data
            chown root $dir/$user
            chmod 755 $dir/$user
            chown $user $dir/$user/data
            chmod 755 $dir/$user/data
            touch $dir/$user/data/WARNING_everything_in_here_will_get_removed_in_14_days_time.txt
            ;;
        *)
            echo "invalid selection, please re-run the script"
            exit
            ;;
    esac

    echo $user:$passwd | chpasswd

The Following User Says Thank You to robertkwild For This Useful Post:
rbatte1 (11-16-2017)
# 9  
Old 11-16-2017
Well I can see that you have thought about what you want to achieve. Whilst we could organise to grant access to the specific powerful commands, the problem would then be that they could run them anytime, so i think you probably have it about right to only run the whole script as root. I presume you plan to expand it from a single choice later.

I notice that you don't have an audit trail in here to say who did what and when, just in case it goes wrong or needs to be shown. Whilst within the script if started as root through sudo, you can get the calling user as $SUDO_USER so you can write that in your message.



I hope that this helps, but I think have everything you need. Does it make sense or have I/we left you confused?



Robin
# 10  
Old 11-16-2017
Hi Robin yes im confused, what do you mean sudo_user

do you mean for every command i have in my script put sudo infront of it

then i thought instead of putting sudo infront of every command just make the user type su and job done ie from there it will run all the commands as root
# 11  
Old 11-16-2017
Quote:
Originally Posted by robertkwild
Hi Robin yes im confused, what do you mean sudo_user

do you mean for every command i have in my script put sudo infront of it

then i thought instead of putting sudo infront of every command just make the user type su and job done ie from there it will run all the commands as root
I thought I explained this in post #4 in this thread when I said:
Quote:
Nothing in your script after invoking su will be run with root privileges. The su utility, if given a proper password, will start a shell and nothing in the rest of your script will be run until that shell exits.
Once a user types the root password in response to invoking the command su (without operands), they can then type any commands into the shell that su starts for them and it will run those commands with all of the privileges of someone who logged in as root. When they exit that super-user shell, your script will then continue running with the same privileges as the user who invoked that utility had when they invoked your script. No commands in your script after the shell started by su exits will run with root privileges unless it was root who invoked your script to being with.

The here-document trick I also showed you in that post can be used to feed commands into that super-user shell. The text in that here-document is just read and executed by the shell that su starts; it is not that su is running commands in your script.

The logical easy way to do this (if a user who is going to run your script knows the root password and wants to run your script with root privileges) is for them to run su and then while in the shell that su starts have them run your script and do whatever else they need to do as root before exiting that super-user shell.
# 12  
Old 11-17-2017
Gluing everything in this thread together, we have (my insertions in green):-
Code:
#!/bin/bash

if [ $(id -u) -ne 0 ]
then
   exec sudo $0 "$@"             # Will overwrite this process so script does not continue as self
fi                               # Any arguments are passed on as supplied

# A superuser will carry on through here

LOGFILE=/var/lib/creation.log    # .... or whatever suits you

dir=/mnt/sftp
group=sftp_users	

echo "Enter UserName:"
read user

if id $user ; then
        echo "$user already exists as you can see above, please re-run the script"
        exit
else
        echo "$user not in system, ok to continue"
fi

echo "Enter Password:"
read passwd
echo "$user:$passwd" >> /ftp_details/accounts.csv
echo "is this a normal user (press 1) ?"
read choice
    
case $choice in
        1)
            echo "$(date) : User $SUDO_USER creating $user" >> $LOGFILE
            useradd -g $group -d $dir/$user -s /sbin/nologin $user
            mkdir -p $dir/$user/data
            chown root $dir/$user
            chmod 755 $dir/$user
            chown $user $dir/$user/data
            chmod 755 $dir/$user/data
            touch $dir/$user/data/WARNING_everything_in_here_will_get_removed_in_14_days_time.txt
            ;;
        *)
            echo "invalid selection, please re-run the script"
            exit
            ;;
esac

echo $user:$passwd | chpasswd

You would then need to add a rule using visudo to allow your selected user(s)/group(s) to run this script. You will need to be a super-user to run visudo
Add the lines like these:-
Code:
#Individual users
robert1			ALL = NOPASSWD: /path/to/this_script
trusted1		ALL = PASSWD: /path/to/this_script

#Group members are trusted
%trustedgroup		ALL = PASSWD: /path/to/this_script

The account robert1 will just pass into the script, but trusted1 and members of the group trustedgroup will have to enter their own password to continue. This means they don't need to know the all-powerful account password. If they do, then there is no way to control them.

Using sudo means that you can grant them privileges they need for just when they are doing what you want and nothing more, i.e. you trust them to run this script, but not to become the super-user because they might remove /etc/passwd by mistake.


How far does this get you now?


Am I just more confusing? Apologies if I am.
Robin
👤 Login to reply

« Previous Thread | Next Thread »
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
Root running a script calling to scp using user "xyz" is not authenticating! denissi Shell Programming and Scripting 0 10-21-2014 07:02 PM
Running a script as root but with different users inside nanz143 Shell Programming and Scripting 18 06-09-2014 07:04 AM
Script will keep checking running status of another script and also restart called script at night ketanraut Shell Programming and Scripting 1 11-20-2013 09:41 AM
Script for running root based C++ code nrjrasaxena Shell Programming and Scripting 12 09-24-2012 11:54 AM
Need to run a bash script that logs on as a non-root user and runs script as root damang111 Shell Programming and Scripting 2 12-23-2011 10:53 PM
Issue running script as root cj09 Shell Programming and Scripting 4 05-24-2011 09:37 PM
Running script through SSH as root irinotecan Security 4 03-30-2009 05:57 PM
As root , running script as different user with su - problem dbsupp Shell Programming and Scripting 4 12-18-2008 12:28 AM
Running a command or script as root rm-r Shell Programming and Scripting 3 05-27-2005 08:58 AM
Run non-root script as root with non-root environment bubba112557 UNIX for Dummies Questions & Answers 2 12-02-2004 11:39 PM


All times are GMT -4. The time now is 11:02 PM.

Unix & Linux Forums Content Copyrightę1993-2018. All Rights Reserved.
×
UNIX.COM Login
Username:
Password:  
Show Password





Not a Forum Member?
Forgot Password?