LinuxQuestions.org
Old 09-04-2009, 04:58 AM   #1
an_sush
Member
 
Registered: Nov 2008
Posts: 46

Rep: Reputation: 15
Run command as root inside script


Hi All,
I am running a shell script using a non-root user. Somewhere down in the script, I'll have to call some script to be executed as su (or a user with more privileges than the one running the original script). So if I put a line in the script as:
Code:
su - root -c /root/roleScripts/assignRoles.sh
Then when running the command, it will prompt me for the root password (because the current user has lower privileges than the user requested). Suppose I want to pass this password as an argument to the original script, so that it doesn't prompt me for the password later on, what is the way? Can I switch user passing the password and run a command? If so, please help me with sample code.
Thanks,
An
 
Old 09-04-2009, 05:01 AM   #2
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233Reputation: 233Reputation: 233
I would go another approach and use sudo to execute the script. For this you would need an entry in the /etc/sudoers file and allow the user running the initial script to run the higher script without entering a password.
 
Old 09-04-2009, 05:07 AM   #3
an_sush
Member
 
Registered: Nov 2008
Posts: 46

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by zhjim View Post
I would go another approach and use sudo to execute the script. For this you would need an entry in the /etc/sudoers file and allow the user running the initial script to run the higher script without entering a password.
Thanks for that info, but the problem is I'm running the initial script programmatically and thus can't modify system files.
 
Old 09-04-2009, 05:13 AM   #4
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,063

Rep: Reputation: 381Reputation: 381Reputation: 381Reputation: 381
Quote:
Originally Posted by an_sush View Post
Thanks for that info, but the problem is I'm running the initial script programmatically and thus can't modify system files.
I am not sure you got the point of sudo. You configure sudo system-wide, before running the script, to allow a given command for a given user (or the user as a whole) to use root privileges.

There's no easy way to pass a password to su programmatically because su will gently refuse to use the info coming from stdin, unless stdin is attached to an interactive tty:

Code:
$ su -c 'echo foo' << EOF
> myrootpassword
> EOF
su: must be run from a terminal
Besides that, putting a root password inside a plain-text file that everyone can read is just plain wrong.
 
Old 09-04-2009, 05:13 AM   #5
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
Something like this goes in /etc/sudoers (using visudo for error checking)...

Code:
username  ALL=(ALL) NOPASSWD: /root/roleScripts/assignRoles.sh
Be very careful with your coding in assignRoles.sh. Don't ever trust user input or make sure you sanitize it before you use it.

If you have to process output data from other commands to generate parameters for assignRoles.sh to work with, don't write those outputs to disk unless you've set very restrictive permissions on the working file/directory beforehand (so it can't be compromised).

If possible when doing this use pipes to variables (for example) so the data never touches the file system.
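
Added example (an editor's illustration, not part of any post in this thread): a sketch of the input handling the post above asks for in a script that sudo runs as root. The USER ROLE argument format, the role names and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sketch for a root-run script such as assignRoles.sh.
# Argument format (USER ROLE), role names and helpers are hypothetical.

# Byte-wise matching, so [a-z] means exactly a-z in every locale.
LC_ALL=C
export LC_ALL

# Accept only short, conventional account names; reject everything else
# (shell metacharacters, path separators, leading '-', upper case).
valid_user() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        [a-z_]*) [ "${#1}" -le 32 ] ;;
        *) return 1 ;;
    esac
}

# Allow-list of roles: nothing outside this list is ever acted on.
valid_role() {
    case "$1" in
        operator|auditor|backup) return 0 ;;
        *) return 1 ;;
    esac
}

# Validate both arguments before any privileged work happens.
# Prints the accepted pair on success, returns non-zero otherwise.
check_args() {
    [ "$#" -eq 2 ] || { echo "usage: assignRoles.sh USER ROLE" >&2; return 2; }
    valid_user "$1" || { echo "rejected user name" >&2; return 1; }
    valid_role "$2" || { echo "rejected role" >&2; return 1; }
    printf '%s %s\n' "$1" "$2"
}

# Keep intermediate command output in a variable rather than a temp
# file, so it never sits on disk where another user could alter it.
current_groups() {
    valid_user "$1" || return 1
    groups=$(id -Gn "$1" 2>/dev/null) || return 1
    printf '%s\n' "$groups"
}
```
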
 
Old 09-04-2009, 05:28 AM   #6
an_sush
Member
 
Registered: Nov 2008
Posts: 46

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by i92guboj View Post
I am not sure you got the point of sudo. You configure sudo system-wide, before running the script, to allow a given command for a given user (or the user as a whole) to use root privileges.
Sir, I want a code which I can run on any system by just passing the root password as an argument. So as you got it, I can't touch the client/final system to make any adjustment. Whatever I have control on is this script file.
 
Old 09-04-2009, 05:34 AM   #7
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
If you've got the root password to pass on the commandline, you can make any change on that system you want.

Passing the root command via the commandline is insecure. You're asking for serious trouble if you continue down this path.

As stated previously, (learn how to) use sudo to run this script with root privileges and protect your root account password.
 
Old 09-04-2009, 05:48 AM   #8
an_sush
Member
 
Registered: Nov 2008
Posts: 46

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Admiral Beotch View Post
If you've got the root password to pass on the commandline, you can make any change on that system you want.
Maybe I didn't make myself clear here. I have this script as part of a deliverable and it's delivered to any client system. The client can execute this main script with any non-root user and a file will be present in all client locations at /root/roleScripts/assignRoles.sh. This file will be called from the main script and will be executed as root user. So my main script will be taking the root password and executing it. I will learn the sudo command if I feel it's important in this scenario. I don't think I can take this approach as I will have to first write a command to edit /etc/sudoers (which again needs su) and then execute my main script.
I hope I made myself clear with the situation I'm in.
 
Old 09-04-2009, 06:08 AM   #9
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,063

Rep: Reputation: 381Reputation: 381Reputation: 381Reputation: 381
Well, you can't expect your script to work without user interaction if you need to run it as a non-privileged user on different machines with different root passwords... If it was that easy to crack and scale root privileges from a script, NASA would be scared of bash script kiddies.
 
Old 09-04-2009, 06:11 AM   #10
an_sush
Member
 
Registered: Nov 2008
Posts: 46

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by i92guboj View Post
...If it was that easy to crack and scale root privileges from a script, NASA would be scared of bash script kiddies.
Hmmm...got it thanks...but how will this make bash script more secure? I mean if you can please explain the above line..what will be potential threats if we could run scripts with password?
 
Old 09-04-2009, 06:16 AM   #11
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90

Submit to the Sudo Authoritah!

Take heart in this... if assignRoles.sh is being called as root on those other client systems, prefixing the script call with the sudo command won't break anything... root can, by default, call sudo <command> without supplying a password or any additional configuration.
 
Old 09-04-2009, 06:20 AM   #12
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233Reputation: 233Reputation: 233
Shortly put, you need to store the root password somewhere. And this somewhere needs to be readable by all users who execute your script. This concludes to everybody knowing the root password and, if just being a bit nasty, wreck your machine or put pictures of say her grandmother's birthday cake on your website.

So to not have the root password lie around on the filesystem there is sudo to jump in.

Special for your case I'd say if you just give out the script to be used on machines you don't have control over, why not write an install script that adds the line to sudoers? Okay, one would need root privs to install but...


Cheers Zhjim
 
Old 09-04-2009, 06:41 AM   #13
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,063

Rep: Reputation: 381Reputation: 381Reputation: 381Reputation: 381
In other words, what would stop anyone picking that script from editing it and doing whatever they want with the root passwords instead of what you want it to do? How about adding an rm -rf / in the middle?

Sudo is the only secure way to do this. Either that, or just instruct your users to run the script this way:

Code:
su -c './yourscript'
This way they supply the password at the beginning, so there's really no difference with supplying it as a command line option as you wanted in the first place, and all the script will run with root privileges. You could as well investigate chmod +s (SUID), it might work or help for your purpose.
 
Old 09-04-2009, 06:48 AM   #14
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
Quote:
Originally Posted by i92guboj View Post
You could as well investigate chmod +s (SUID), it might work or help for your purpose.
Good call. I completely forgot about this in my sudo fanaticism. But again, if doing it this way, the OP should be *VERY* careful in how the script handles error conditions, user input, and working data as unexpected circumstances could create unforeseen vulnerabilities.
 
Old 09-04-2009, 06:55 AM   #15
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,063

Rep: Reputation: 381Reputation: 381Reputation: 381Reputation: 381
The user should *always* be careful with acting as root, even more when it's in an automated manner (i.e. a script).

The problem with SUID is the same as with using "su -c script" or "sudo script": the scope is not limited to a single command, but to the entire script. This is *very* dangerous, especially when the user has write permissions over the script. As said before, no one stops the user from modifying the script and nuking *the whole* OS with a single run of a crappy script.

On the contrary, when you use su or sudo inside the script for a single command, the scope of the threat is limited to that command. If the whole script is su'ed, there are thousands of things that could go wrong. If it's a single line, then it's much easier to avoid doing something silly.
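
Added example (an editor's illustration, not part of any post in this thread): a check an administrator can run before granting sudo rights on a script, confirming that neither the script nor any directory above it is writable by anyone but its owner, which is the write-permission risk described above. It assumes GNU `stat`, `readlink -f` and `dirname`; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed audit helper for a script that sudo/su will run as root.
# Assumes GNU coreutils (stat -c, readlink -f) as found on Linux.

# Succeeds only if $1 is owned by numeric uid $2 and is not writable
# by group or others.
owner_only_writable() {
    info=$(stat -c '%u %a' -- "$1" 2>/dev/null) || return 1
    uid=${info% *}
    mode=${info#* }
    [ "$uid" = "$2" ] || return 1
    # %a prints octal permission bits; the last two digits are group and
    # other. Digits 2, 3, 6 and 7 include the write bit.
    case "$mode" in
        *[2367]?|*[2367]) return 1 ;;
    esac
    return 0
}

# Check the script and every directory above it: a writable parent lets
# a user swap the file out even if the file itself is read-only.
# $1 = path to audit, $2 = expected owner uid (default 0, i.e. root).
audit_privileged_path() {
    p=$(readlink -f -- "$1") || return 1
    owner=${2:-0}
    while :; do
        if ! owner_only_writable "$p" "$owner"; then
            echo "unsafe: $p" >&2
            return 1
        fi
        [ "$p" = / ] && return 0
        p=$(dirname -- "$p")
    done
}
```

Running `audit_privileged_path /root/roleScripts/assignRoles.sh` as root reports the first path component that a non-root user could modify; world-writable directories such as /tmp are flagged as well.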
 
  


All times are GMT -5. The time now is 04:54 AM.
