LinuxQuestions.org
Old 09-05-2005, 02:35 PM   #1
zugvogel
LQ Newbie
 
Registered: Sep 2005
Location: Tokyo, Japan
Distribution: Mac, Ubuntu, Debian and Centos
Posts: 28

Rep: Reputation: 16
How to run a script as root upon login


Hello. I have a basic ssh server, and I want to make it run a script to send me an email whenever anyone logs in, so I can keep an eye on what's happening (it won't have a high frequency of logins).

In order to do this I wrote a small script which is called from /etc/profiles which sends an email using "nail". Unfortunately to do this, nail needs the smtp password, so I don't want the script to be visible to a non-root user.

I tried setting the script as -rwx--x--x, but it seems you can't just have 'execute' since this always gives "permission denied". I tried calling it from an intermediate script, and giving the intermediate script the s-permission like so: -rwsr-sr-x

but it doesn't give the user temporary root access rights - probably because it doesn't see the script as a whole program, rather as individual commands, so loses the s-root permission straight away.

Does anyone know how I can get this to work? I'm out of ideas.

Many thanks.
 
Old 09-05-2005, 03:07 PM   #2
Maestro485
Member
 
Registered: Apr 2004
Location: Pittsburgh
Distribution: Slackware
Posts: 136

Rep: Reputation: 16
I'm not really sure what you could do about that. It may be easier to simply check the logs every now and then. Also, there are utilities out there to automate the process of checking logs, so it may be easier to go that route instead of worrying about the script.

Sorry I can't be of more help.

Matt
 
Old 09-05-2005, 03:21 PM   #3
PTrenholme
Senior Member
 
Registered: Dec 2004
Location: Olympia, WA, USA
Distribution: Fedora, (K)Ubuntu
Posts: 4,154

Rep: Reputation: 333
Why use mail? Wouldn't it be easier just to look at the logs?

Oops: Sorry -- I didn't read Maestro485's reply before posting.

Last edited by PTrenholme; 09-05-2005 at 03:23 PM.
 
Old 09-05-2005, 05:00 PM   #4
iggep
Member
 
Registered: Sep 2005
Location: Virginia Beach, VA
Posts: 48

Rep: Reputation: 15
Did you try sudo? You can limit root access to specific things with sudo. User logs in, your script is executed with sudo... or am I misunderstanding?
 
Old 09-05-2005, 06:46 PM   #5
Maestro485
Member
 
Registered: Apr 2004
Location: Pittsburgh
Distribution: Slackware
Posts: 136

Rep: Reputation: 16
Interesting point. You could create a dummy user with sudo access only to the script which may limit any security concerns. However, I'm not very experienced with sudo since I don't use it much myself, so I cannot vouch for how secure this solution is. Maybe someone else can help?

Matt
 
Old 09-06-2005, 08:05 AM   #6
zugvogel
LQ Newbie
 
Registered: Sep 2005
Location: Tokyo, Japan
Distribution: Mac, Ubuntu, Debian and Centos
Posts: 28

Original Poster
Rep: Reputation: 16
Thank you all very much for your responses. With your help I have managed to figure it out - the answer is as follows:

I added the 'james' line to my /etc/sudoers file to read:

Code:
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL
james   ALL = NOPASSWD: /etc/newlogin.csh

where newlogin.csh is the send-mail script. Sure enough, this allows james to run the program, but a "sudo more /etc/newlogin.csh" doesn't allow it to be read. I can add this for each user.

Many thanks for your help!
 
Old 09-09-2005, 11:54 AM   #7
bbeers
Member
 
Registered: Jul 2002
Location: Florida
Distribution: Centos, Slackware
Posts: 260

Rep: Reputation: 30
Did you put "james" into any special group, or just users?

I ask because I'm contemplating a similar thing, but I want my "james" to be able to execute as few things as possible, preferably _only_ my special script. I thought maybe he should be in group "nobody" or "nogroup". He'll still be able to execute bash builtins, but I'd like to restrict him as much as possible.

Any ideas?

Thanks,
-bbeers
 
Old 09-09-2005, 12:10 PM   #8
zugvogel
LQ Newbie
 
Registered: Sep 2005
Location: Tokyo, Japan
Distribution: Mac, Ubuntu, Debian and Centos
Posts: 28

Original Poster
Rep: Reputation: 16
Hi bbeers,

My "james" is just in the standard users group, and he is only able to sudo my special /etc/newlogin.csh script - he can't even view what's inside the script.

What happens when you want to allow the user to sudo 2 or more different commands, I don't know (maybe they're separated by spaces or commas or something - I couldn't figure that out (if you figure it out, let me know)).

I also found http://www.courtesan.com/sudo/sample.sudoers useful - it can get quite complicated, what you can do with this command.

Hope that helps!
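
Added example, not part of any post in this thread: a shell check of the files named by `NOPASSWD` rules like the `james` line in post #6, since such a rule is only as tight as the ownership and mode of the script it points to. The constructed demo rule lists two commands separated by a comma, which is how sudoers accepts more than one. It assumes GNU `stat`, one rule per line and absolute command paths; the function names, `EXPECTED_UID` and the demo files are hypothetical.

```shell
#!/bin/sh
# Added example: check the files that NOPASSWD sudoers rules point to.
# Simplified parser (assumption): one rule per line, absolute paths only;
# Cmnd_Alias names, ALL, line continuations and includes are not expanded.
EXPECTED_UID="${EXPECTED_UID:-0}"   # owner the targets must have (root)

# check_target PATH: print one finding per problem; return 1 if any
check_target() {
    bad=0
    [ -e "$1" ] || { echo "MISSING $1"; return 1; }
    uid=$(stat -c '%u' "$1"); mode=$(stat -c '%a' "$1")   # GNU stat
    # a non-root owner can rewrite the script and run anything as root
    [ "$uid" = "$EXPECTED_UID" ] || { echo "OWNER $1 uid=$uid"; bad=1; }
    # the same holds if group or others have a write bit
    [ $(( 0$mode & 022 )) -eq 0 ] || { echo "WRITABLE $1 mode=$mode"; bad=1; }
    # others-read exposes the embedded SMTP password without sudo
    [ $(( 0$mode & 004 )) -eq 0 ] || { echo "READABLE $1 mode=$mode"; bad=1; }
    return "$bad"
}

# audit_nopasswd FILE: check every NOPASSWD command; return 1 if any is flagged
audit_nopasswd() {
    rc=0
    specs=$(grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD:' |
            sed 's/.*NOPASSWD:[[:space:]]*//' | tr ',' '\n')
    while read -r cmd rest; do
        case "$cmd" in /*) check_target "$cmd" || rc=1 ;; esac
    done <<EOF
$specs
EOF
    return "$rc"
}

# demo: constructed sudoers file and scripts in a temp dir (not from the thread)
demo() {
    d=$(mktemp -d); EXPECTED_UID=$(id -u)   # temp files belong to the caller
    printf '#!/bin/csh\n' > "$d/newlogin.csh"; chmod 700 "$d/newlogin.csh"
    printf '#!/bin/sh\n'  > "$d/loose.sh";     chmod 757 "$d/loose.sh"
    printf '# constructed sample\nroot ALL=(ALL) ALL\njames ALL = NOPASSWD: %s, %s -q\n' \
        "$d/newlogin.csh" "$d/loose.sh" > "$d/sudoers"
    status=0; audit_nopasswd "$d/sudoers" || status=1
    rm -rf "$d"
    return "$status"
}

if [ "$#" -gt 0 ]; then audit_nopasswd "$1"; else demo || true; fi
```

On a real system, run it as root with the sudoers path as the argument so the default `EXPECTED_UID` of 0 applies.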
 
  


All times are GMT -5. The time now is 10:20 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration