I need to launch a bash file in Linux from an unprivileged user session, a file that will run bash commands as root. But I do not want to create a user with root privileges to do that; also, the process must be silent (no password asked).
How can I do this without adding a user in sudoers and without giving rights to all users to execute the commands from that bash file?
I have tried the SUID option, which would have been good as functionality, but I understand that SUID doesn't work for bash script files.
Thanks
Julia
All users will be able to execute the bash_file but not run any separate commands from inside it. But any files created by that script will be owned by root.
Think what would happen if I as a non privileged user did
Code:
cd evil_directory_containing_evil_should_run_as_root.sh
/path/to/wrapper
If you must do this sort of thing, use absolute filepaths!
You also need to make sure you sanitise important environment variables right at the beginning of the script, PATH and IFS being two key ones, and be very careful about how you code the script.
You'll also need to ensure that only authorised people have execute permission on the wrapper binary.
Yet another malicious advice. nomb please don't use root privileges unless you learn the basics.
About that wrapper prog (if you're planning to use that): you will also need to ensure that the shell script is owned by root and has 0700 permissions, since it's being read and executed as root; no need to make it readable for everyone. And take care of permissions for the directory in which it resides so that no one can remove it and replace it with their own script.
If you must do this sort of thing, use absolute filepaths!
You are absolutely correct. I was just showing an example of an alternative method and didn't really quality check it as good as I should have. Actually, I just copied the code from the originating source and wouldn't recommend using it verbatim without some modifications but wanted to show the concept. But that is why I showed the source of where that was from in hopes that the OP would go read all the comments.
Quote:
Originally Posted by Web31337
Yet another malicious advice. nomb please don't use root privileges unless you learn the basics.
I think you need to re-think your apparent definition of "malicious advice". And I find it funny that you think you know how much I know.
Quote:
Originally Posted by Valery Reznic
Don't mind security implication, are you sure it will work at all ?
I think setuid(0) before system() is missing.
Yes again I was just pointing him to an example of an alternative. Meaning the site I sourced to not the code itself. This is probably my worst post ever but I was running really really late and wanted to reply before I forgot, sorry about that guys.
Anyway I was hoping the OP would go to the sourced site and read. The very first comment on that site is:
Quote:
Since the suid bit on executables only changes the effective UID (EUID) the executable will run as, and not the real UID (RUID) which getuid() returns, and in addition to the restriction on suid interpreted scripts (any executable beginning with "#!"), some shells like bash as an extra safety measure will set the EUID back to the RUID in this case, you will need to use the call setuid(0) in the C code before executing the script.
See the man pages of the setuid, seteuid, getuid, and geteuid to learn the exact semantics of the real and effective UIDs.
(WARNING) Of course, this is an appropriate point to mention that the restriction on suid scripts in many Unix systems, shells and interpreters, are there for a reason, which is that if the script is not very careful about sanitizing its input and the state of environment when it is executed, they are dangerous and can be exploited for security escalation. So be very careful when doing this. Set the access to your script and wrapper as strict as you can, only allow this very specific script which you intend to be executed, and clear the environment within your C program before starting the script, setting environment variables such as PATH to contain exactly what is necessary in the right order and no directories that are writable to others.
Quote:
Originally Posted by chrism01
I'd like to know why you think sudo would be a problem; it's exactly the sort of issue it was designed to handle...
Yea I was wondering that myself. Although in all fairness he didn't say sudo would be a problem that I saw, just that he didn't want to add a user into sudo.
And actually to recap his criteria:
Quote:
- launch a script that can run commands as root from an unprivileged user session
- does not want to create a user with root privileges
- run silently, no password asked
- does not want to add a user into sudo
- does not want to give rights to all users to execute the commands from that bash file
My response was more focusing on one particular part of his question.
Quote:
I have tried the SUID option, which would have been good as functionality, but I understand that SUID doesn't work for bash script files.
But I agree, the best way would be to use sudo. Perhaps the OP would like to explain why he doesn't want to add a user into sudo?
I know, you're not the author, nomb, but sorry doesn't take away possible results, so let us just hope no one really used that solution from over here and if someone did, then luckily that code didn't work (because it works on Debian even without setuid and setgid calls, probably the author used Debian or another similar system supporting that).
Oh I wasn't apologizing for the code. It wasn't a fabricated ready to use solution. Again it was to point the OP in a possible solution to his problem that suid scripts don't run the contained commands as root; but was up to him to go read through that thread which is why I made sure to include it. I was however apologizing that I didn't read over my post as well as I should have before posting it and put in a line saying that he should go read through the thread before using it in a solution.
On another topic, that is interesting it works in Debian like that. I just tried on RHEL 5 and Arch and they both required the setuid(0) to be in the C code.
Thank you nomb, your first answer is exactly what I was looking for. To be honest I was hoping for a more elegant and simple solution. Nevertheless, it works for me.
Why is it necessary?
Very simple: I have multiple numerous persons logging in as the same unprivileged user. Making a different user on the station for everyone is physically impossible. At the same time they must be able to run as root a very small set of quite specific commands like "iptables -L" with a limited predefined number of parameters. They will not have write permissions on the C compiled file. And to answer those who think it's a security risk, I totally disagree, since:
- they will have only execute privileges (cannot write, rename or delete the bin file);
- they can run the file with strictly predefined (in form and number) parameters at a strictly controlled time and conditions (the bin file will validate the request from the unprivileged user if a certain file exists, etc);
On the other hand, sudo would be a massive security risk, since they will be able to run all the commands included in my case in the C file, in any order, at their will. Root actually loses any control.
I'm only sorry I cannot do this in a bash file. It would have been easier for me to debug and modify the small scripts....
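An added example, not code from any poster in this thread or from the site nomb linked: a setuid-root C wrapper that applies the hardening advice given above (absolute paths, a fixed environment with known PATH and IFS, setuid(0) before executing the script) together with the fixed-parameter validation Julia describes. The script path /usr/local/sbin/fw-report.sh and the sub-command names are hypothetical.

```c
/* Added example: hardened setuid-root wrapper. SCRIPT and ALLOWED are assumptions. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SCRIPT "/usr/local/sbin/fw-report.sh"  /* hypothetical; root-owned, mode 0700 */

/* Fixed allow-list of sub-commands; anything else is rejected. */
static const char *const ALLOWED[] = { "list", "list-nat", NULL };

/* Fixed environment: nothing from the caller survives (PATH, IFS, LD_*, BASH_ENV). */
static char *const CLEAN_ENV[] = {
    "PATH=/usr/sbin:/usr/bin:/sbin:/bin", "IFS= \t\n", NULL
};

/* Return the allow-list index for exactly one permitted argument, else -1. */
int check_request(int argc, char *const argv[])
{
    if (argc != 2 || argv[1] == NULL)
        return -1;
    for (int i = 0; ALLOWED[i] != NULL; i++)
        if (strcmp(argv[1], ALLOWED[i]) == 0)
            return i;
    return -1;
}

/* Set real and effective IDs to root, then exec the script directly. */
int run_script(int idx)
{
    char *const args[] = { SCRIPT, (char *)ALLOWED[idx], NULL };

    if (chdir("/") != 0)                   /* do not inherit the caller's cwd */
        return 1;
    if (setgid(0) != 0 || setuid(0) != 0)  /* fails unless installed setuid root */
        return 1;
    execve(SCRIPT, args, CLEAN_ENV);       /* absolute path, no system(), no shell */
    return 1;                              /* reached only if execve failed */
}

int main(int argc, char *argv[])
{
    int idx = check_request(argc, argv);
    if (idx < 0) {
        fprintf(stderr, "usage: %s list|list-nat\n", argc > 0 ? argv[0] : "wrapper");
        return 2;
    }
    return run_script(idx);
}
```

The script receives only a token from the allow-list, so it can map that token to a full command line itself and never sees caller-controlled text.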