LinuxQuestions.org


devUnix 05-20-2014 02:23 PM

Run a Root Command without Sudo
 
Hi!

The Dev Team is requesting to assign privileges to a user "jack" to start / stop this service: "/etc/init.d/jackapp" without having to use the prefix "sudo". When they run the command:

/etc/init.d/jackapp start

they get the following error:

‘runuser: cannot set groups: Operation not permitted’.

Is their request legitimate? I mean, won't we need to use "sudo" before running any service found in the "/etc/init.d/" directory if we are not the root user?

If there is a solution, then what is it?

MensaWater 05-20-2014 02:39 PM

Yes - they need to run sudo for anything in /etc/init.d (mainly because some of what it does requires root access to execute or to write some files like /var/run and /var/lock on some distros). You DO not want to give global access to /etc/init.d.

If what they're trying to do is automate the job to avoid having to input the password you can set up sudo for that specific job for a specific administrative user to run sudo without a password.

If what is in the init script doesn't require root to run (which might be seen if it contains "su - <user> -c <command>" lines), you could create a separate script owned by that admin user and tell them to use it instead.

TB0ne 05-20-2014 02:41 PM

Quote:

Originally Posted by devUnix (Post 5174287)
Hi!
The Dev Team is requesting to assign privileges to a user "jack" to start / stop this service: "/etc/init.d/jackapp" without having to use the prefix "sudo". When they run the command:

/etc/init.d/jackapp start

they get the following error:

‘runuser: cannot set groups: Operation not permitted’.

Is their request legitimate? I mean, won't we need to use "sudo" before running any service found in the "/etc/init.d/" directory if we are not the root user? If there is a solution, then what is it?

While it's true that the services in /etc/init.d usually require root privileges to run, it *MIGHT* be possible to look at the jackapp script, and see what the start function is actually doing. If it's starting a service that doesn't absolutely NEED root privileges, then they can make a copy of that script elsewhere, and use it. Otherwise, they will have to use sudo.

Based on your other thread about your 'dev team' and their scripts, they do not appear to be very competent. Trying to shove in work-arounds, and circumvent system security are both VERY BAD THINGS.

devUnix 05-20-2014 02:46 PM

Quote:

Originally Posted by MensaWater (Post 5174294)
Yes - they need to run sudo for anything in /etc/init.d (mainly because some of what it does requires root access to execute or to write some files like /var/run and /var/lock on some distros). You DO not want to give global access to /etc/init.d.

If what they're trying to do is automate the job to avoid having to input the password you can set up sudo for that specific job for a specific administrative user to run sudo without a password.

If what is in the init script doesn't require root to run (which might be seen if it contains "su - <user> -c <command>" lines), you could create a separate script owned by that admin user and tell them to use it instead.

In the script I found this:

Code:

# egrep -i 'su|var' /etc/init.d/jackapp
PIDFILE_DIR=/var/run/$prog
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
        if [ -e /var/lock/subsys/$prog ]; then
                echo  "Init script Subsys is locked"
                echo "Init script Subsys is not locked"

I also checked that the user is a local one and there is no sudo file found in the directory "/etc/sudoers.d/" for this user or its group.

Code:

# grep -i jackapp /etc/sudoers.d/*
# <No Output Returned>

The script is owned by the user:

Code:

# ls -l /etc/init.d/jackapp
-rwxrwxrwx 1 jack root 2005 May 20 09:49 /etc/init.d/jackapp


As I have observed: running their application starts tomcat as well.

devUnix 05-20-2014 03:05 PM

Well, I wrote to my boss what we discussed above. And here is his reply:

Code:

Short answer is NO. We will not authorize anyone outside of Sysops team to have full root privilege on any Linux server.

They need to fix the script.

So, I think this thread can be closed.

Thanks for your views! :)

ntubski 05-20-2014 03:08 PM

Quote:

Originally Posted by devUnix (Post 5174302)
In the script I found this:

Code:

# egrep -i 'su|var' /etc/init.d/jackapp

The error message you posted indicates the script is using runuser(1), not su or sudo.

MensaWater 05-20-2014 03:28 PM

You really shouldn't have 777 permissions on any files - especially init scripts and sure as hell shouldn't have those permissions on any script that would be executed with root permissions via sudo or other tools. Anyone could modify the script to add something like "su -" and then when they ran it they'd be root.

johnsoto 05-21-2014 02:16 AM

You need "root" access to execute "/etc/init.d/jackapp".

pan64 05-21-2014 02:30 AM

sudo is used to give someone access to execute a given app as someone else (not as himself), but sudo does not mean full root privilege at all. sudo is the solution to specify special rights instead of full access.
I cannot say anything else; just read the man page, the DESCRIPTION of sudo.

MensaWater 05-21-2014 08:02 AM

sudo is in fact a great tool and one should not be afraid to use it but one should be cautious in the grants.

Giving someone "sudo vi", for example, would be a very bad idea because shelling out of vi running as root would mean you'd be in a root shell. Similarly, as I mentioned before, one shouldn't give sudo access to shell scripts unless they can NOT be edited by anyone but root, which is part of why I said files shouldn't be set up with 777 permissions.

Turbocapitalist 05-22-2014 03:29 AM

granularity of sudoers
 
Quote:

Originally Posted by devUnix (Post 5174312)
Well, I wrote to my boss what we discussed above. And here is his reply:

Code:

Short answer is NO. We will not authorize anyone outside of Sysops team to have full root privilege on any Linux server.

They need to fix the script.

...

Best would be if they modify the script. However ...

I would like to point out that granting sudo access does not mean that they have to get full root privilege on the server: the dev team can hand the script off to the sysops team who, after auditing the script, can place it in /usr/local/sbin/ where the dev team can read it but not write it, and then add a line such as the following to /etc/sudoers:

Code:

%devteam ALL=(ALL) /usr/local/sbin/jackapp start, /usr/local/sbin/jackapp stop

As long as they don't get write access to the script in /usr/local/sbin/ after it is audited things should be good.
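
The condition raised in the posts above (a script run through sudo must not be writable by the people who run it) can be checked mechanically. The following is an added example, not part of any post in this thread: the function names, the TRUSTED_UID parameter and the file name audit.sh are assumptions, and it inspects only the script and the directory that contains it.

```shell
#!/bin/sh
# Added example: confirm that a script named in a sudoers rule cannot be
# changed by the users allowed to run it. TRUSTED_UID (default 0, root) is
# an assumption of this example so it can also be tried without root.

# check_one PATH UID: PATH must be owned by UID and must not carry a
# group or other write bit. "find -prune" tests PATH itself only.
check_one() {
    p=$1; uid=$2; bad=0
    if [ -z "$(find "$p" -prune -user "$uid" -print)" ]; then
        echo "FAIL $p: not owned by uid $uid"; bad=1
    fi
    if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "FAIL $p: writable by group or others"; bad=1
    fi
    return "$bad"
}

# audit_sudo_target PATH [TRUSTED_UID]: returns 0 when nothing is found.
audit_sudo_target() {
    target=$1; trusted=${2:-0}; rc=0
    case $target in
        /*) ;;
        *) echo "FAIL $target: use an absolute path, as in sudoers"; return 1 ;;
    esac
    if [ -L "$target" ] || [ ! -f "$target" ]; then
        echo "FAIL $target: missing, or not a regular file"; return 1
    fi
    check_one "$target" "$trusted" || rc=1
    # A writable parent directory lets a user replace the file outright.
    check_one "$(dirname "$target")" "$trusted" || rc=1
    if [ "$rc" -eq 0 ]; then echo "OK   $target"; fi
    return "$rc"
}

# Command-line use (hypothetical file name): sh audit.sh /usr/local/sbin/jackapp
if [ "$#" -gt 0 ]; then audit_sudo_target "$@"; fi
```

Run against a file with the mode and owner shown in the listing earlier in the thread (777, owner jack), it reports both an ownership and a write-permission failure. The sudoers line itself can be syntax-checked with `visudo -c` before it goes live.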

TB0ne 05-22-2014 08:47 AM

Quote:

Originally Posted by Turbocapitalist (Post 5175083)
Best would be if they modify the script. However ...
I would like to point out that granting sudo access does not mean that they have to get full root privilege on the server: the dev team can hand the script off to the sysops team who, after auditing the script, can place it in /usr/local/sbin/ where the dev team can read it but not write it, and then add a line such as the following to /etc/sudoers:
Code:

%devteam ALL=(ALL) /usr/local/sbin/jackapp start, /usr/local/sbin/jackapp stop

As long as they don't get write access to the script in /usr/local/sbin/ after it is audited things should be good.

+1 for this..absolutely agree.

One of the great things about sudo is the fine-grained control you can have, and this is a good example. They can run ONE COMMAND, nothing more. Any 'workarounds' are much less elegant (and harder to maintain), than this.


All times are GMT -5.