LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (http://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   How to run a script as root upon login (http://www.linuxquestions.org/questions/linux-newbie-8/how-to-run-a-script-as-root-upon-login-360477/)

zugvogel 09-05-2005 02:35 PM

How to run a script as root upon login
 
Hello. I have a basic ssh server, and I want to make it run a script to send me an email whenever anyone logs in, so I can keep an eye on what's happening (it won't have a high frequency of logins).

In order to do this I wrote a small script which is called from /etc/profiles which sends an email using "nail". Unfortunatly to do this, nail needs the smpt password, so I don't want the script to be visible to a non-root user.

I tried setting the script as -rwx--x--x, but it seems you can't just have 'execute' since this always gives "permission denied". I tried calling it from an intermediate script, and giving the intermediate script the s-permission like so: -rwsr-sr-x

but it doesn't give the user temporary root access rights - probably because it doesn't see the script as a whole program, rather as individual commands, so looses the s-root permission straight away.

Does anyone know how I can get this to work? I'm out of ideas.

Many thanks.

Maestro485 09-05-2005 03:07 PM

I'm not really sure what you could do about that. It may be easier to simply check the logs every now and then. Also, there are utilities out there to automate the process of checking logs, so it may be easier to go that route instead of worrying about the script.

Sorry I can't be of more help.

Matt

PTrenholme 09-05-2005 03:21 PM

Why use mail? Wouldn't it be easier just to look at the logs?

Opps: Sorry -- I didn't read Maestro485's reply before posting.

iggep 09-05-2005 05:00 PM

did you try sudo? You can limit root access to specific things with sudo. User logs in, your script is executed with sudo.. or am I misunderstanding?

Maestro485 09-05-2005 06:46 PM

Interesting point. You could create a dummy user with sudo access only to the script which may limit any security concerns. However, I'm not very experienced with sudo since I don't use it much myself, so I cannot vouch for how secure this solution is. Maybe someone else can help?

Matt

zugvogel 09-06-2005 08:05 AM

Thank you all very much for your responses. With your help I have managed to figure it out - the answer is as follows:

I added the 'james' line to my /etc/sudoers file to read:

Code:

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL
james  ALL = NOPASSWD: /etc/newlogin.csh

where newlogin.csh is the send-mail script. Sure enough, this allows james to run the program, but a "sudo more /etc/newlogin.csh" doesn't allow it to be read. I can add this for each user.

Many thanks for your help!

bbeers 09-09-2005 11:54 AM

Did you put "james" into any special group, or just users?

I ask because I'm contemplating a similar thing, but I want my
"james" to be able to execute as few things as possible,
preferably _only_ my special script. I though maybe he should
be in group "nobody" or "nogroup". He'll still be able to
execute bash builtins, but I'd like to restrict him as much as possible.

Any ideas?

Thanks,
-bbeers

zugvogel 09-09-2005 12:10 PM

Hi bbeers,

My "james" is just in the standard users group, and he is only able to sudo my special /etc/newlogin.csh script - he can't even view what's inside the script.

What happens when you want to allow the user to sudo 2 or more different commands, I don't know (maybe they're separated by spaces or commas or something - I couldn't figure that out (if you figure it out, let me know)).

I also found http://www.courtesan.com/sudo/sample.sudoers useful - it can get quite complicated, what you can do with this command.

Hope that helps!


All times are GMT -5. The time now is 01:01 AM.