Running root commands as user

arubin · 11-07-2009, 03:30 PM

After a few hours work I have managed to set up pptd so that my daughter can log into her account at Imperial College.

My problem now is that I need to have a script that she can run if she wants to log in. She will have to invoke a couple of root commands and I do not want to give her the root password

What she needs to do to set up networking is:

Quote:

pppd call imperial dump debug logfd 2 nodetach require-mppe
/sbin/ip route add default dev ppp0

How can I enable things so that she can run this script as user?

saulgoode · 11-07-2009, 03:44 PM

If you add the following line to /etc/sudoers,

Code:

daughter ALL=NOPASSWD:/usr/sbin/pppd call imperial dump debug logfd 2 nodetach require-mppe,/sbin/ip route add default dev ppp0

then user 'daughter' will be permitted to execute "sudo /usr/sbin/pppd call imperial dump debug logfd 2 nodetach require-mppe" and "sudo /sbin/ip route add default dev ppp0" without supplying a password (if the parameters are changed at all, then the command won't run).

You will probably wish to incorporate those commands in a script, but that script can be run by your daughter and the calls to those two commands will get executed without password prompting.

Use 'man sudoers' for information on additional options.

arubin · 11-07-2009, 03:49 PM

Do I really have to use visudo to edit this rather than kdesu kate?

saulgoode · 11-07-2009, 03:55 PM

Quote:

Originally Posted by arubin

Do I really have to use visudo to edit this rather than kdesu kate?

No, you do not have to use 'visudo'; however, there are a couple of advantages.

As explained in "man 8 visudo":

Quote:

visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited you will receive a message to try again later.

arubin · 11-07-2009, 04:22 PM

So I have this in sudoers

Quote:

katy ALL=NOPASSWD:/usr/sbin/pppd call imperial dump debug logfd 2 nodetach requi
re-mppe,/sbin/ip route add default dev ppp0

but when I run the script I get

Quote:

/usr/sbin/pppd: must be root to run /usr/sbin/pppd, since it is not setuid-root

saulgoode · 11-07-2009, 04:30 PM

Does your script have a 'sudo' in front of the command?

sudo /usr/sbin/pppd call imperial dump debug logfd 2 nodetach require-mppe

arubin · 11-07-2009, 04:31 PM

I think I have solved that with chmod +s /usr/sbin/pppd

arubin · 11-07-2009, 04:39 PM

Oops! Ok added sudo

but now I have this -

Quote:

sh: pptp: command not found
Modem hangup
Connection terminated.
Script pptp vpn.ic.ac.uk --nolaunchpppd finished (pid 4226), status = 0x7f
Cannot find device "ppp0"

Do I need to add pptp to sudoers?

arubin · 11-07-2009, 04:57 PM

ln -s /usr/sbin/pptp /usr/bin/pptp

seems to solve that. Nearly there

arubin · 11-07-2009, 05:16 PM

One more problem;

Quote:

sudo /usr/sbin/pppd call imperial dump debug logfd 2 nodetach require-mppe &
sudo /sbin/ip route add default dev ppp0

in one script doesn't seem to work

If I separate them into one command in each of two scripts it is OK.

How do I get them to work togrther in one script?

arubin · 11-07-2009, 05:28 PM

Quote:

sleep 5

solved that

unSpawn · 11-07-2009, 06:05 PM

Quote:

Originally Posted by arubin

I think I have solved that with chmod +s /usr/sbin/pppd

No you didn't and you shouldn't. If the application isn't meant to be run setuid root then basically you've created a weakness. Sudo is there to avoid making mistakes like that. But what's more worrying is the idea that making anything setuid root "solves" things: I suggest you reread the most basic GNU/Linux docs again.

arubin · 11-07-2009, 07:26 PM

Yes I had realised that. The problem was that I had left sudo out of the script and I had reset it to -s when the penny dropped.