Running a script as root with sudo without entering the user password

kloss · 10-08-2005, 11:48 AM

Hi
I have a script to start a VPN client. I want a normal user ("boss") to be able to run the script without entering any password. I try to play with NOPASSWD in /etc/sudoers, but it doesn't work. When "boss" runs the scripts, he always has to enter his password.

Here is the script (home/boss/it/connect_vpn.sh) :

Code:

sudo /etc/init.d/vpnclient_init start
sudo vpnclient connect inside user foo pwd bar

Here is /etc/sudoers :

Code:

# Members of the admin group may gain root privileges
%admin          ALL=(ALL) ALL
boss            ALL=NOPASSWD:/home/boss/it/connect_vpn.sh

Here is the output of "uname -a" and "id" for "boss":

Code:

Linux ubuntu 2.6.10-5-386 #1 Fri Sep 23 14:13:55 UTC 2005 i686 GNU/Linux
uid=1000(boss) gid=1000(boss) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(lpadmin),108(scanner),109(admin),1000(boss)

Thanks a lot for your help, i'm looking for a solution for a while without success

++

nixcraft · 10-08-2005, 12:27 PM

Try as follows:

Code:

boss            localhost= NOPASSWD:/home/boss/it/connect_vpn.sh

Hope this helps.

kloss · 10-08-2005, 12:38 PM

Unfortunately, it doesn't.

Thanks

spooon · 10-08-2005, 02:57 PM

How about a different approach: make the file owned by root, and then turn on the setuid bit on the permissions, and give everyone executable permission.

kloss · 10-08-2005, 03:33 PM

Well, I can be wrong, but I think this approach works well with binaries but not with shell scripts. What annoys me is that I'm sure there is a simple trick to do that.
++

berbae · 10-09-2005, 12:37 PM

In the /etc/sudoers file enter the individual commands of the script instead of the name of the script :

Code:

boss   ALL=NOPASSWD: /etc/init.d/vpnclient_init start, vpnclient connect inside user foo pwd bar

because it is these individual commands that are sudoed not the entire script

Hope this will resolve the problem.
Regards.

kloss · 10-09-2005, 03:15 PM

Yes it works ! Thanks, you rock.

(To be exact, I had to add the full path of the file "vpnclient".)

Btw, visudo is really unconvenient - gedit did the job.

++

Hangdog42 · 10-10-2005, 07:24 AM

While you can edit sudoers without using visudo, it really isn't that good an idea. The main reason is that visudo checks the syntax of the sudoers file when you quit and alerts you to any borked entries.

That said, I completely agree that vi is quite possibly the worst text editor ever. However, there is a way to use a different text editor within visudo, provided visudo was compiled with the right options.

Before starting visudo, enter the following line:

export EDITOR=pico (or nano or joe or whatever your favorite console text editor is).

If visudo was compiled right, it checks the $EDITOR environment variable and uses that editor and will default to vi if $EDITOR is not set.

kloss · 10-10-2005, 11:39 AM

OK, Thanks for the tip.

++