How to run a script as root upon login
 

Hello. I have a basic ssh server, and I want to make it run a script to send me an email whenever anyone logs in, so I can keep an eye on what's happening (it won't have a high frequency of logins).

In order to do this I wrote a small script which is called from /etc/profiles which sends an email using "nail". Unfortunatly to do this, nail needs the smpt password, so I don't want the script to be visible to a non-root user.

I tried setting the script as -rwx--x--x, but it seems you can't just have 'execute' since this always gives "permission denied". I tried calling it from an intermediate script, and giving the intermediate script the s-permission like so: -rwsr-sr-x

but it doesn't give the user temporary root access rights - probably because it doesn't see the script as a whole program, rather as individual commands, so looses the s-root permission straight away.

Does anyone know how I can get this to work? I'm out of ideas.

Many thanks.

I'm not really sure what you could do about that. It may be easier to simply check the logs every now and then. Also, there are utilities out there to automate the process of checking logs, so it may be easier to go that route instead of worrying about the script.

Sorry I can't be of more help.

Matt

Why use mail? Wouldn't it be easier just to look at the logs?

Opps: Sorry -- I didn't read Maestro485's reply before posting.

did you try sudo? You can limit root access to specific things with sudo. User logs in, your script is executed with sudo.. or am I misunderstanding?

Interesting point. You could create a dummy user with sudo access only to the script which may limit any security concerns. However, I'm not very experienced with sudo since I don't use it much myself, so I cannot vouch for how secure this solution is. Maybe someone else can help?

Matt

Thank you all very much for your responses. With your help I have managed to figure it out - the answer is as follows:

I added the 'james' line to my /etc/sudoers file to read:

where newlogin.csh is the send-mail script. Sure enough, this allows james to run the program, but a "sudo more /etc/newlogin.csh" doesn't allow it to be read. I can add this for each user.

Many thanks for your help!

Did you put "james" into any special group, or just users?

I ask because I'm contemplating a similar thing, but I want my
"james" to be able to execute as few things as possible,
preferably _only_ my special script. I though maybe he should
be in group "nobody" or "nogroup". He'll still be able to
execute bash builtins, but I'd like to restrict him as much as possible.

Any ideas?

Thanks,
-bbeers

Hi bbeers,

My "james" is just in the standard users group, and he is only able to sudo my special /etc/newlogin.csh script - he can't even view what's inside the script.

What happens when you want to allow the user to sudo 2 or more different commands, I don't know (maybe they're separated by spaces or commas or something - I couldn't figure that out (if you figure it out, let me know)).

I also found http://www.courtesan.com/sudo/sample.sudoers useful - it can get quite complicated, what you can do with this command.

Hope that helps!