run script at login that requires root privileges

Eredeath · 08-03-2010, 05:31 PM

I have the script below that I want to run when my sister logs into her account. But the problem is that `ifconfig up` or `ifconfig down` requires root privileges. How do I initiate the program when she logs in and have root the the runner of the program. I'm running Ubuntu BTW.

Code:

#!/bin/bash

while true
do
	elevenpm=`date +%s --date "2300"`
	sevenam=`date +%s --date "0700"`
	timenow=`date +%s`
	if [[ ($timenow -gt $sevenam) && ($timenow -lt $elevenpm) ]]; then
		echo "Internet is up"
		`ifconfig eth0 up`
	else
		echo "Internet is going down"
		`ifconfig eth0 down`
	fi 
	sleep 5m

done

rigor · 08-03-2010, 06:59 PM

If you simply wish to take eth0 up or down at a certain time, I would simplify things by placing those commands in a crontab.

Eredeath · 08-03-2010, 07:32 PM

But I only want it to happen when my sister is logged on. If I'm on I don't want to take down eth0.

rigor · 08-03-2010, 09:46 PM

OK, well if there is no issue with you *and* your sister possibly being logged on at the same time,
and if you don't expect your sister to find and exploit what you put in the script, you can configure
the sudoers file to allow her account to "sudo" to run ifconfig, or a script that runs ifconfig, or
you could have a setuid program, there are a variety of approaches.

John VV · 08-04-2010, 01:35 AM

seeing as you want to play a prank on your sis.
do some research and LEARN something and do it your self AFTER you have learned how to do that.

Gortex · 08-04-2010, 11:20 AM

im at work so if this is the wrong answer sorry, but if i recall correct:
set the owner of the script as root
and then use the setuid command with in the script just man setuid. Another way to go at this that is kind of a way around it is
vi sudo then add the program and your sister to the list but then you are giving her root access not just the script. could be scary.

Also I would like to point out that we don't know what the OP is actually doing maybe his sister is 12 years old and he is 30 something,
and his mother called him up to come over and limit Internet access for his younger sisters during hours she should be sleeping or something to that effect.

Eredeath · 08-04-2010, 04:39 PM

Quote:

Originally Posted by Gortex

im at work so if this is the wrong answer sorry, but if i recall correct:
set the owner of the script as root
and then use the setuid command with in the script just man setuid. Another way to go at this that is kind of a way around it is
vi sudo then add the program and your sister to the list but then you are giving her root access not just the script. could be scary.

Also I would like to point out that we don't know what the OP is actually doing maybe his sister is 12 years old and he is 30 something,
and his mother called him up to come over and limit Internet access for his younger sisters during hours she should be sleeping or something to that effect.

Your close, I'm 24 and my sister (15) is coming to stay with me for a month and keeping with rules she normally has at home I want to set up the Internet to shut down after 11pm. Since I'm usually long asleep by then I can't just tell her to get off.
I'll look into the setuid command and post an update a little later.

forrestt · 08-04-2010, 05:03 PM

NEVER set a script suid. Binaries, yes. Scripts, NO!!!!

That said, the best solution I can think of is to put the following into the sudoers file:

Code:

sisuser ALL=(root) NOPASSWD: /sbin/ifconfig eth0 down, /sbin/ifconfig eth0 up

This can be done most easily by running:

Code:

echo 'sisuser ALL=(root) NOPASSWD: /sbin/ifconfig eth0 down, /sbin/ifconfig eth0 up' >> /etc/sudoers

You will then want to change your script to put sudo in front of the ifconfig commands.

HTH

Forrest

p.s. this line translates to your sister's account can from all systems become root to run the two commands without a password. However, you need to make sure that she can't edit the file that is launching the script to not run it.

theNbomr · 08-04-2010, 06:40 PM

Since your objective is to terminate the ethernet, a cron job, running as root can serve the purpose. If run periodically (say, every five minutes) during the curfew period, and only shutting down if the selected user is logged in, then turning back on after the end of the curfew period, it should do the job.

--- rod

Eredeath · 08-04-2010, 07:27 PM

Quote:

Originally Posted by forrestt

NEVER set a script suid. Binaries, yes. Scripts, NO!!!!

That said, the best solution I can think of is to put the following into the sudoers file:

Code:

sisuser ALL=(root) NOPASSWD: /sbin/ifconfig eth0 down, /sbin/ifconfig eth0 up

This can be done most easily by running:

Code:

echo 'sisuser ALL=(root) NOPASSWD: /sbin/ifconfig eth0 down, /sbin/ifconfig eth0 up' >> /etc/sudoers

You will then want to change your script to put sudo in front of the ifconfig commands.

HTH

I tried this... but it looks like i need to add her to the sudo group, and i'm not too keen on doing that.

Why don't I want to use setuid on scripts.

Eredeath · 08-04-2010, 07:52 PM

So I found a solution on this website:
http://www.tuxation.com/setuid-on-shell-scripts.html
I created a program in c to run the script as root. Seems to work.

estabroo · 08-04-2010, 07:56 PM

Couldn't you do this pretty easily in iptables with some time and user rules?

for the user stuff you can use -m owner to identify apps running as her and for the time stuff I think -m time

something like

iptables -A OUTPUT -m owner --uid-owner her_uid -m time --timestart 23:00 --timestop 07:00 -j DROP

Then you'd be able to surf without interruption but she'd be blocked during those times

Eredeath · 08-04-2010, 08:24 PM

Quote:

Originally Posted by estabroo

Couldn't you do this pretty easily in iptables with some time and user rules?

for the user stuff you can use -m owner to identify apps running as her and for the time stuff I think -m time

something like

iptables -A OUTPUT -m owner --uid-owner her_uid -m time --timestart 23:00 --timestop 07:00 -j DROP

Then you'd be able to surf without interruption but she'd be blocked during those times

Thanks, I'll have to try that tomorrow. Lucky i still have a few days before she comes up.

Gortex · 08-04-2010, 10:44 PM

Quote:

Originally Posted by Eredeath

I tried this... but it looks like i need to add her to the sudo group, and i'm not too keen on doing that.

Why don't I want to use setuid on scripts.

The reason is security issues. Scripts can do some nasty things on your box with suid of root. With that being said though if you only have two logins(yours and your sisters) and are behind a nat box ( Network address translation) with no dmz ( which 90% of the world probably is) and have no ports forwarded to your box have, basically no outside access. You are perfectly safe doing it, being that you are the one writing the script and never have to worry about someone trying to plant a Trojan. Yes I would agree with the guy above its bad form to do so, but its not like its going to give someone, instant access to your box. There are somethings I want scripts to do for my home box that i think a binary is a little over kill, pluss having to recompile from source for minor changes on somethings can suck. like having a script that Rsyncs multipliable directories ( around 100) to another server. If I had to recompile that from source every time I would go crazy. To many source files to keep up with already. At my work we use the sudoers trick as a workaround, but there are only 3 people in the list and we are all three programmers and basically the whole IT department besides our department manager which isn't in the file ironically...

Adding your sister to the sudoers file doesnt necessarily give her root access... A better way to do this is make a group then add that group to the sudoers file and set it only able to run ifconfig with out the sudo password. then the script will work fine, and in turn fixes you having now two separate scripts to do one thing. let me know and ill post an example if needed..