Hi.

I need to launch a bash file in Linux from an unprivileged user session, file that will run bash commands as root. But I do not want to create an user with root privileges to do that also the process must be silent (no password asked).

How can I do this without adding a user in sudoers and without giving rights to all users to execute the commands from that bash file?

I have tried SUID option witch would had been good as functionality but I understand that SUID doesn't work for script bash files.

Merci
Julia

chown root:root bash_file
chmod 755 bash_file

All users will be able to execute the bash_file but not run any separate commands from inside it. But any files created by that script will be owned by root.

If you mean what I think you mean

The sell script will not create, modify or alter any other file. It must be able to run commands like iptables -L

What you can do is call your script from a little c wrapper that is suid root.

I've used this trick quite a few times.

Source: stackoverflow.com

nomb

0 members found this post helpful.

Oh dear God!.. NOOOOO!

Think what would happen if I as a non privileged user did
If you must do this sort of thing, use absolute filepaths!


You also need to make sure you sanitise important environment variable right at the beginning of the script. PATH and IFS being two key ones, and be very careful about how you code the script.

You'll also need to ensure that only authorised people have execute permission on the wrapper binary.

2 members found this post helpful.

Yet another malicious advice.
nomb please don't use root privileges unless you learn the basics.

About that wrapper prog(if you're planning to use that): you will also need to ensure that shell script is owned by root and has 0700 permissions since it's being read and executed as root, no need to make it readable for everyone. And take care of permissions for the directory in which it resides so that noone can remove it and replace with own script.

Don't mind security implication, are you sure it will work at all ?
I think setuid(0) before system() is missing.

And back to security - how having one more suid root executable is better/more convinience than just configuring sudo ?

1 members found this post helpful.

I'd like to know why you think sudo would be a problem; its' exactly the sort of issue it was designed to handle...

You are absolutely correct. I was just showing an example of an alternative method and didn't really quality check it as good as I should have. Actually, I just copied the code from the originating source and wouldn't recommend using it verbatim without some modifications but wanted to show the concept. But that is why I showed the source of where that was from in hopes that the OP would go read all the comments.

I think you need to re-think your apparent definition of "malicious advice". And I find it funny that you think you know how much I know.

Yes again I was just pointing him to an example of an alternative. Meaning the site I sourced to not the code itself. This is probably my worst post ever but I was running really really late and wanted to reply before I forgot, sorry about that guys.

Anyway I was hoping the OP would goto the sourced site and read. The very first comment on that site is:

Yea I was wondering that myself. Although in all fairness he didn't say sudo would be a problem that I saw, just that he didn't want to add a user into sudo.

And actually to recap is criteria:

My response was more focusing on one particular part of his question.

But I agree, the best way would be to use sudo. Perhaps the OP would like to explain why he doesn't want to add a user into sudo?

Yep, I guessed as much. From what you posted, it was quite clear that you weren't the original author of that monstrosity,

I know, you're not the author, nomb, but sorry doesn't take away possible results, so let us just hope no one really used that solution from over here and if someone did, then luckily that code didn't work(because it works on debian even without setuid and setgid calls, probably an author used debian or other similar system supporting that).

Oh I wasn't apologizing for the code. It wasn't a fabricated ready to use solution. Again it was to point the OP in a possible solution to his problem that suid scripts don't run the contained commands as root; but was up to him to go read through that thread which is why I made sure to include it. I was however apologizing that I didn't read over my post as well as I should have before posting it and put in a line saying that he should go read through the thread before using it in a solution.

On another topic, that is interesting it works in Debian like that. I just tried on RHEL 5 and Arch and they both required the setuid(0) to be in the c code.

Thank you nomb, you first answer is exactly what I was looking for. To be honest I was hoping for a more elegant and simple solution. Nevertheless, it works for me.
Why is it necessary?
Very simple: I have multiple numerous persons logging in as the same unprivileged user. Making a different user on the station for everyone is physically impossible. In the same time they must be able to run as root a very small and quite specific commands like "iptables -L" with a limited predefined number of parameters. They will not have write permissions on the C compiled file. And to answer to those who thinks it's a security risk, I totally disagree, since:
- they will have only execute privileges (cannot write, rename delete the bin file);
- they can run the file with a strict predefined (in form and number) parameters at a strictly controlled time and conditions (the bin file will validate the request from the unprivileged user if a certain file exists, etc);
On the other hand, sudo would be a massive security risk, since they will be able to run all the commands included in my case in the C file, in any order, at their will. Root actually loses any control.

I'm only sorry I cannot do this in a bash file. It would have been easier for me to debug an modify the small scripts....

Julia

Thank you nomb, you first answer is exactly what I was looking for. To be honest I was hoping for a more elegant and simple solution. Nevertheless, it works for me.
Why is it necessary?
Very simple: I have multiple numerous persons logging in as the same unprivileged user. Making a different user on the station for everyone is physically impossible. In the same time they must be able to run as root a very small and quite specific commands like "iptables -L" with a limited predefined number of parameters. They will not have write permissions on the C compiled file. And to answer to those who thinks it's a security risk, I totally disagree, since:
- they will have only execute privileges (cannot write, rename delete the bin file);
- they can run the file with a strict predefined (in form and number) parameters at a strictly controlled time and conditions (the bin file will validate the request from the unprivileged user if a certain file exists, etc);
On the other hand, sudo would be a massive security risk, since they will be able to run all the commands included in my case in the C file, in any order, at their will. Root actually loses any control.

I'm only sorry I cannot do this in a bash file. It would have been easier for me to debug an modify the small scripts....

Julia

You're welcome.

nomb