Hello. I have a basic ssh server, and I want to make it run a script to send me an email whenever anyone logs in, so I can keep an eye on what's happening (it won't have a high frequency of logins).
In order to do this I wrote a small script which is called from /etc/profiles which sends an email using "nail". Unfortunately, to do this, nail needs the SMTP password, so I don't want the script to be visible to a non-root user.
I tried setting the script as -rwx--x--x, but it seems you can't just have 'execute' since this always gives "permission denied". I tried calling it from an intermediate script, and giving the intermediate script the s-permission like so: -rwsr-sr-x
but it doesn't give the user temporary root access rights - probably because it doesn't see the script as a whole program, rather as individual commands, so loses the s-root permission straight away.
Does anyone know how I can get this to work? I'm out of ideas.
I'm not really sure what you could do about that. It may be easier to simply check the logs every now and then. Also, there are utilities out there to automate the process of checking logs, so it may be easier to go that route instead of worrying about the script.
Interesting point. You could create a dummy user with sudo access only to the script which may limit any security concerns. However, I'm not very experienced with sudo since I don't use it much myself, so I cannot vouch for how secure this solution is. Maybe someone else can help?
Thank you all very much for your responses. With your help I have managed to figure it out - the answer is as follows:
I added the 'james' line to my /etc/sudoers file to read:
Code:
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL) ALL
james ALL = NOPASSWD: /etc/newlogin.csh
where newlogin.csh is the send-mail script. Sure enough, this allows james to run the program, but a "sudo more /etc/newlogin.csh" doesn't allow it to be read. I can add this for each user.
Did you put "james" into any special group, or just users?
I ask because I'm contemplating a similar thing, but I want my
"james" to be able to execute as few things as possible,
preferably _only_ my special script. I thought maybe he should
be in group "nobody" or "nogroup". He'll still be able to
execute bash builtins, but I'd like to restrict him as much as possible.
My "james" is just in the standard users group, and he is only able to sudo my special /etc/newlogin.csh script - he can't even view what's inside the script.
What happens when you want to allow the user to sudo 2 or more different commands, I don't know (maybe they're separated by spaces or commas or something - I couldn't figure that out (if you figure it out, let me know)).
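For the two open points in the thread (keeping the sudo-allowed script unreadable and untamperable, and listing more than one command for a user), here is an added example that is not from any poster: a shell check of the script's ownership and mode, plus a helper that prints a rule with comma-separated commands, which is how sudoers separates them. It assumes GNU `stat`; `/usr/local/sbin/rotate-report.sh` is a hypothetical second command.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat (stat -c), as on Linux.

# check_sudo_script PATH [UID]
# Succeeds only if PATH is a regular file owned by UID (default 0, root),
# carries no group/other permission bits, and sits in a directory that
# group/other cannot write to. Prints one line per problem found.
check_sudo_script() {
    path=$1
    want_uid=${2:-0}
    rc=0
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "$path: not a regular file"
        return 1
    fi
    if [ "$(stat -c %u "$path")" != "$want_uid" ]; then
        echo "$path: not owned by uid $want_uid"
        rc=1
    fi
    # %A prints e.g. -rwx------ ; characters 5-10 are the group/other bits.
    case $(stat -c %A "$path") in
        ????------*) ;;
        *) echo "$path: group/other can read, write or execute it"; rc=1 ;;
    esac
    # A writable parent directory lets someone replace the script itself.
    case $(stat -c %A "$(dirname "$path")") in
        ?????w*|????????w*) echo "$path: directory is group/other writable"; rc=1 ;;
    esac
    return $rc
}

# sudoers_rule USER CMD...
# Prints one NOPASSWD rule; sudoers separates multiple commands with commas.
sudoers_rule() {
    user=$1
    shift
    list=
    for cmd in "$@"; do
        list="${list:+$list, }$cmd"
    done
    printf '%s ALL = NOPASSWD: %s\n' "$user" "$list"
}

# Demo: rotate-report.sh is a hypothetical second command, not from the thread.
sudoers_rule james /etc/newlogin.csh /usr/local/sbin/rotate-report.sh
check_sudo_script /etc/newlogin.csh || echo "fix the above before adding the rule"
```

Add the printed rule through `visudo` so that a syntax error cannot lock sudo out.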