script run as root


Is there any way to make a script run a command as root without having to type in the password when it runs?

I know, this is a huge security risk, but...I'm aware of it and it's only gonna be temporary and stuff.

Anyways, I just need some way to either have the password in the script or have the script run as root when run by another user so that I don't have to manually type in the password when it runs.

 

 

[moved from Software by spinynorman]


Is there any way to make a script run a command as root without having to type in the password when it runs?

I know, this is a huge security risk, but...I'm aware of it and it's only gonna be temporary and stuff.

Anyways, I just need some way to either have the password in the script or have the script run as root when run by another user so that I don't have to manually type in the password when it runs.

I don't know how to do it, but did you look at the mountiso script (look at most downloaded apps in kde-apps) which does it by setting up a sudo account...


yea, still won't work though.

Maybe it'd help if I told you what I'm trying to do...

I'm trying to create a PHP script that, through the system(); command, will run a script in my user home directory. But in order to do that, the user has to be either me or root. So, I figure I can either find a way to run it from the PHP script as another user, or have the PHP script run another script which will run it as the user.

Problem is, there's no way to type in the password there. So I need it to be included in the script.

 

It's only gonna be temporary, and I'm probably gonna throw some kinda password on it, so security isn't really a concern for me.


But if he wants it run as root, making it executable by everyone doesn't help. If it's running it from a php script, that means it's going to inherit the umask of the php script, which is usually apache, or maybe nobody.


I believe the following should work: if the script needs to be run by any user with root privileges without having the users authenticate by entering a password, add the following to /etc/sudoers (you'll need to be the root user to edit /etc/sudoers, of course):

 

ALL ALL=NOPASSWD: /fullpathname/scriptname

 

Substitute your actual path and script filename for: /fullpathname/scriptname

 

If you determine that the script will be run by a specific user only, say apache, then you could use this instead:

 

apache ALL=NOPASSWD: /fullpathname/scriptname

 

If it needs to be run by a limited number of users, but not all, then read the sections titled EXAMPLES in this reference:

 

http://www.die.net/doc/linux/man/man5/sudoers.5.html

 

The command that then needs to be run by the users is:

 

sudo /fullpathname/scriptname

 

I withhold any comment as to the security advisability of this.

 

EDIT: oh, one other VERY important thing - make SURE the script is not writable by any user who can execute it.

Edited by jboy
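
The closing warning in the post above (the script must not be writable by anyone who can run it) also applies to every directory above the script, since a user who owns a parent directory such as /home/urza9814 can simply replace the file. The following check is an added example, not part of the original thread; it assumes GNU coreutils (`stat -c`, `readlink -f`), and the function names and the optional owner-uid argument (default 0, root) are hypothetical:

```bash
#!/usr/bin/env bash
# Added example: audit the target of a NOPASSWD sudoers rule.
# Usage: audit_sudo_target /fullpathname/scriptname

# Succeeds if path $1 is owned by uid $2 and is neither group- nor
# world-writable. Returns 2 if the path cannot be examined.
path_is_locked() {
    local info uid mode
    info=$(stat -c '%u %a' -- "$1" 2>/dev/null) || return 2
    uid=${info% *}
    mode=${info#* }
    [ "$uid" = "$2" ] || return 1
    # Leading 0 makes the mode octal; 022 = group-write | other-write.
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Walks from the script up to /, printing each component that a
# non-root user could modify or replace. Returns 0 only if all pass.
audit_sudo_target() {
    local owner=${2:-0} rc=0 p
    case $1 in
        /*) ;;
        *) echo "not an absolute path: $1"; return 2 ;;
    esac
    # Resolve symlinks so the real file and directories are checked.
    p=$(readlink -f -- "$1") || return 2
    while :; do
        if ! path_is_locked "$p" "$owner"; then
            echo "UNSAFE: $p"
            rc=1
        fi
        [ "$p" = / ] && break
        p=$(dirname -- "$p")
    done
    return "$rc"
}
```

Run against a script kept in a user's home directory, this reports the home directory itself, which is the reason to move the script to a root-owned location before listing it in /etc/sudoers.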

I added:

ALL ALL=NOPASSWD: /home/urza9814/shtest.sh

 

I get the following error:

[urza9814@Arochone ~]$ sudo sh /home/urza9814/shtest.sh

Sorry, user urza9814 is not allowed to execute '/bin/sh /home/urza9814/shtest.sh' as root on Arochone.

 

edit:

aight...the problem is I have to add /bin/sh to that list to run the script as root....which probably isn't good, because it seems that that would allow any script to be run....but...I'm sure I'll figure something out.

Edited by Urza9814

If you run

$ sudo sh /home/urza9814/shtest.sh

then the executable you're running is /bin/sh, which every user has access to anyway. Then you're passing the name of your file in your home directory as a parameter to the shell. I'm guessing that other users don't have read access to files in your home, so I guess that's unlikely to work.

 

If instead you run

$ sudo /home/urza9814/shtest.sh

then the executable you're running is your script, so the sudo to allow other users to execute it will have effect. You may have to add the line

#! /bin/bash

to the first line of your script to allow you to execute it in this way (and make the file executable of course).

 

However.

I still don't see why you want to be root or use sudo to run this script. Maybe you only think you need to be root because currently only your user and root have read access to files in your home directory. Maybe in order for the script to work it doesn't need any special privileges at all. Try copying the shtest.sh file out of your home directory, into /opt/somewhere or /usr/local/somewhere. Then make it executable for everyone, and test running it directly both as your user and as a different user. If that works then it should be runnable as the apache user, without using sudo.


I believe, if you put

#! /bin/sh

at the beginning of your /home/urza9814/shtest.sh script, and make it executable with

chmod a+x /home/urza9814/shtest.sh

you can run it as-is, without having to type "/bin/sh" in front of it.

 

If that doesn't work, make a wrapping executable, say "myshtest", which contains "/bin/sh /home/urza9814/shtest.sh", and put only "myshtest" in the sudo line. Having /bin/sh among passwordless sudo looks like a very bad idea.

 

Edit:

Neddie, you are faster:)

Edited by uralmasha

Here's a pretty easy way that should accomplish what you originally wanted. First change the owner of the script file to root:

 

# chown root <script name>

 

Then change the permission on the script file to suid with execute permissions for all users:

 

# chmod 4755 <script name>

 

Under normal circumstances, a process like a script will launch with the permissions of the user that launched the script, regardless of the actual owner of the script, assuming the user has execute permission on the script. With suid, the script will launch with the permissions of the owner of the script, here root, regardless of which user actually launched the script.

SUID is considered dangerous and insecure and should be used with caution. Here, you will give all users execute permissions on the script but when they launch that script it will run with root powers, i.e. the permissions of the owner.

Sudo does pretty much the same thing but gives you much finer-grained control over who can launch the script with root privileges.


Here's a pretty easy way that should accomplish what you originally wanted. First change the owner of the script file to root:

 

# chown root <script name>

 

Then change the permission on the script file to suid with execute permissions for all users:

 

# chmod 4755 <script name>

At one time setuid for scripts used to work, but apparently at some point this feature was dropped in Linux due to security issues. This was the first thing I tried, but found that it didn't work in Mandriva 2006. Doing some research on the web, I found lots of references to setuid no longer working in Linux for scripts due to security.

 

Setuid still works for binaries, though, so that's definitely an option for executing binaries with root permissions.

 

Could it be related to the Mandriva security level for the system? Possibly, I'm not sure, but I doubt it. Mine is set to either Standard or High, I don't remember offhand and I'm not in Linux right now. But setuid for scripts definitely did not work for me.

 

If setuid is working on your system for scripts, please comment which distro you're using, version, security levels, etc.

Edited by jboy
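
Since Linux ignores the setuid bit on interpreted scripts, as the post above reports, a script left at mode 4755 gives no privilege but suggests that someone expected it to. The following audit is an added example, not part of the original thread; the function names are hypothetical. It lists setuid files that begin with `#!` so they can be replaced with a specific sudoers rule:

```bash
#!/usr/bin/env bash
# Added example: find scripts that carry a setuid bit.
# Usage: find_suid_scripts /usr/local /opt /home

# Succeeds if $1 is a regular file (not a symlink) with the setuid
# bit set whose first two bytes are the "#!" interpreter marker.
is_suid_script() {
    local magic
    [ -f "$1" ] && [ ! -L "$1" ] && [ -u "$1" ] || return 1
    # Strip NUL bytes so binary headers do not upset the shell.
    magic=$(head -c 2 -- "$1" 2>/dev/null | tr -d '\0')
    [ "$magic" = '#!' ]
}

# Prints every setuid script under the given directories, one per
# line, staying on the starting filesystem of each directory.
find_suid_scripts() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        if is_suid_script "$f"; then
            printf '%s\n' "$f"
        fi
    done
}
```

Setuid binaries are deliberately not reported here; only files with an interpreter line are, because those are the ones where the bit has no effect.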