creating shell script that executes as root regardless of who runs the script?
I have created a little shell script that goes through a specified directory and changes permissions on a few files. The script works perfectly when I am logged in as root and run the script from the command line.
What I want to do is make a website with a button to click that says "reset permissions", and the button will then execute (via PHP) the shell script I made. Getting the webpage to do that is no problem, but there is a problem with the script actually working because apache runs as apache, not as root. And apache isn't able to change permissions on files it doesn't own.
Does that make sense?
Is there a way to make a script that apache can execute that would be able to change permissions on files? Normally only the owner/root would be able to do this... but I need apache to be able to do it. I don't want to change what GID or UID apache runs as because I don't want to end up with big gaping security holes.
If you need any clarification, let me know! Thanks.
I don't think this will work exactly. The kernel ignores the setuid bit on shell scripts because it opens up a host of security concerns. Try it yourself with the following script:
Code:
#!/bin/sh
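# Print the PID and effective UID ($UID is a bash variable and is unset under a plain POSIX sh)
echo "I am PID $$ executing as user $(id -u)"
On all systems I'm familiar with, it prints out my own UID and does not have root privileges, regardless of whether or not the setuid bit is set.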
There are a number of serious security issues with SetUID shell scripts so the Linux kernel simply does not honor the SetUID bit on shell scripts, only binary files. There's a good article I found on this here.
I think editing /etc/sudoers is the way to go. I give my example here. I want my user to be able to run /sbin/rmmod and /sbin/insmod to be able to load and unload usb-storage module. This is what I did to my /etc/sudoers file:
# User privilege specification
root ALL=(ALL) ALL
user ALL=NOPASSWD: /sbin/rmmod usb-storage,/sbin/insmod usb-storage
What would my sudoers file need to look like? Would I need to give apache sudo access to the "access.sh" script and then remove the sudo commands from the script, or would I need to give apache access to chown and chmod and leave sudo in the script on each line?
Something about giving apache access to chmod and chown seems a little scary....
What I am trying to accomplish is, sometimes permissions/owners get messed up on files that have been uploaded or modified by users. So I am trying to make a webpage with a little drop-down menu where they can select their site from the list, and hit "reset permissions" and it will change everything back to what it should be. Make sense?
You bring up another good point... this little shell script I have made wouldn't even be needed if the permissions/ownership didn't change all the time.
What's happening is, I will set all permissions and ownership to what it should be. Then one of my web designers (we'll call them designer1) uploads a new index.html file with some changes he or she made. Now all of a sudden designer1 is the owner of the file. Now let's say designer2 comes along and wants to make a change to index.html; they can't because designer1 is now the owner of the file. Neither designer1 nor designer2 should be the owner of the file; it should always stay as the username associated with the virtual host, which is what I set it to.
What's happening is, whenever a file is modified or overwritten (uploaded with scp) then the ownership changes.
You could use a cron script (runs every minute or hour) to recursively chown and chmod. This way you have no manual pulldown work or PHP to Shell script task.
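On the sudoers question raised in the thread (give apache the script, or give it chown and chmod?), here is a sketch of the first option, added as an example and not code from any poster: apache is allowed one root-owned script, and the script itself refuses anything but a bare site name. The script path, the /var/www/vhosts layout, the owner being named after the site directory, and the 0755/0644 modes are all assumptions.

```shell
#!/bin/sh
# Added example: hypothetical /usr/local/sbin/reset-site-perms (root:root, mode 0755).
# Matching sudoers drop-in, edited with "visudo -f /etc/sudoers.d/reset-site-perms":
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/reset-site-perms
# apache is granted this one script only, never chown or chmod themselves.

PATH=/usr/sbin:/usr/bin:/sbin:/bin; LC_ALL=C; export PATH LC_ALL
BASE=/var/www/vhosts   # assumed layout: one directory per site, named after its owner

# Accept only a bare name: a-z, 0-9, '-' and '_', not starting with '-', at most 32 chars.
valid_site() {
    case $1 in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Print the site directory if it is a real directory (not a symlink) directly under BASE.
site_dir() {
    valid_site "$1" || return 1
    d=$BASE/$1
    [ -d "$d" ] && [ ! -L "$d" ] || return 1
    printf '%s\n' "$d"
}

reset_perms() {
    d=$(site_dir "$1") || { echo "rejected site name: $1" >&2; return 1; }
    # -h changes a symlink itself, never the file it points to.
    chown -hR -- "$1:$1" "$d" &&
    find "$d" -type d -exec chmod 0755 {} + &&
    find "$d" -type f -exec chmod 0644 {} +
}

# Runs only when given an argument, e.g. from PHP:
#   sudo -n /usr/local/sbin/reset-site-perms site1
if [ "$#" -gt 0 ]; then reset_perms "$1"; fi
```

Because the script's argument comes from a web request, the name check and the symlink check are what keep the sudoers grant from turning into root-owned chown on arbitrary paths.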