LinuxQuestions.org
05-20-2014, 02:23 PM   #1
devUnix
Member
Registered: Oct 2010
Posts: 606
Rep: Reputation: 59
Run a Root Command without Sudo


Hi!

The Dev Team is requesting to assign privileges to a user "jack" to start / stop this service: "/etc/init.d/jackapp" without having to use the prefix "sudo". When they run the command:

/etc/init.d/jackapp start

they get the following error:

‘runuser: cannot set groups: Operation not permitted’.

Is their request legitimate? I mean, won't we need to use "sudo" before running any service found in the "/etc/init.d/" directory if we are not the root user?

If there is a solution, then what is it?
 
05-20-2014, 02:39 PM   #2
MensaWater
LQ Guru
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15
Rep: Reputation: 1668
Yes - they need to run sudo for anything in /etc/init.d (mainly because some of what it does requires root access to execute, or to write some files like /var/run and /var/lock on some distros). You do NOT want to give global access to /etc/init.d.

If what they're trying to do is automate the job to avoid having to input the password you can set up sudo for that specific job for a specific administrative user to run sudo without a password.

If what is in the init script doesn't require root to run (which might be seen if it contains "su - <user> -c <command>" lines), you could create a separate script owned by that admin user and tell them to use it instead.
 
05-20-2014, 02:41 PM   #3
TB0ne
LQ Guru
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack, CentOS
Posts: 23,659
Rep: Reputation: 6915
Quote: Originally Posted by devUnix
Hi!
The Dev Team is requesting to assign privileges to a user "jack" to start / stop this service: "/etc/init.d/jackapp" without having to use the prefix "sudo". When they run the command:

/etc/init.d/jackapp start

they get the following error:

‘runuser: cannot set groups: Operation not permitted’.

Is their request legitimate? I mean, won't we need to use "sudo" before running any service found in the "/etc/init.d/" directory if we are not the root user? If there is a solution, then what is it?
While it's true that the services in /etc/init.d usually require root privileges to run, it *MIGHT* be possible to look at the jackapp script, and see what the start function is actually doing. If it's starting a service that doesn't absolutely NEED root privileges, then they can make a copy of that script elsewhere, and use it. Otherwise, they will have to use sudo.

Based on your other thread about your 'dev team' and their scripts, they do not appear to be very competent. Trying to shove in work-arounds, and circumvent system security are both VERY BAD THINGS.
 
05-20-2014, 02:46 PM   #4
devUnix
Member
Registered: Oct 2010
Posts: 606
Original Poster
Rep: Reputation: 59
Quote: Originally Posted by MensaWater
Yes - they need to run sudo for anything in /etc/init.d (mainly because some of what it does requires root access to execute or to write some files like /var/run and /var/lock on some distros). You DO not want to give global access to /etc/init.d.

If what they're trying to do is automate the job to avoid having to input the password you can set up sudo for that specific job for a specific administrative user to run sudo without a password.

If what is in the init script doesn't require root to run (which might be seen if it contains "su - <user> -c <command>" lines), you could create a separate script owned by that admin user and tell them to use it instead.
In the script I found this:

Code:
# egrep -i 'su|var' /etc/init.d/jackapp
PIDFILE_DIR=/var/run/$prog
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
        if [ -e /var/lock/subsys/$prog ]; then
                echo  "Init script Subsys is locked"
                echo "Init script Subsys is not locked"
I also checked that the user is a local one and there is no sudo file found in the directory "/etc/sudoers.d/" for this user or its group.

Code:
# grep -i jackapp /etc/sudoers.d/*
# <No Output Returned>
The script is owned by the user:

Code:
# ls -l /etc/init.d/jackapp
-rwxrwxrwx 1 jack root 2005 May 20 09:49 /etc/init.d/jackapp

As I have observed: running their application starts tomcat as well.

Last edited by devUnix; 05-20-2014 at 02:56 PM.
 
05-20-2014, 03:05 PM   #5
devUnix
Member
Registered: Oct 2010
Posts: 606
Original Poster
Rep: Reputation: 59
Well, I wrote to my boss what we discussed above. And here is his reply:

Code:
Short answer is NO. We will not authorize anyone outside of Sysops team to have full root privilege on any Linux server.

They need to fix the script.
So, I think this thread can be closed.

Thanks for your views!
 
05-20-2014, 03:08 PM   #6
ntubski
Senior Member
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,590
Rep: Reputation: 1908
Quote: Originally Posted by devUnix
In the script I found this:

Code:
# egrep -i 'su|var' /etc/init.d/jackapp
The error message you posted indicates the script is using runuser(1), not su or sudo.
 
05-20-2014, 03:28 PM   #7
MensaWater
LQ Guru
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15
Rep: Reputation: 1668
You really shouldn't have 777 permissions on any files - especially init scripts and sure as hell shouldn't have those permissions on any script that would be executed with root permissions via sudo or other tools. Anyone could modify the script to add something like "su -" and then when they ran it they'd be root.
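The ownership and mode problem called out in post #4 (the `ls -l` output shows /etc/init.d/jackapp as -rwxrwxrwx and owned by jack) and in post #7 is easy to check mechanically. The following is an added example, not code from the thread: a POSIX sh function that audits a script destined to run with root privileges (an init script, or a sudo target) and returns a bitmask of findings, so it can be looped over /etc/init.d or a list of sudoers commands. The demo runs on a constructed file in a temporary directory; the file name and directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a script that will run with root
# privileges for the ownership/mode problem shown in post #4
# (-rwxrwxrwx 1 jack root ... /etc/init.d/jackapp).
# Return value is a bitmask: 1 = not owned by root, 2 = group-writable,
# 4 = world-writable; 0 means clean; 128 means the file does not exist.

audit_root_script() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "MISSING  $f" >&2
        return 128
    fi
    # ls -ld prints e.g. "-rwxrwxrwx 1 jack root 2005 May 20 09:49 /path":
    # field 1 is the mode string, field 3 the owner. Character 6 of the mode
    # string is the group write bit, character 9 the other (world) write bit.
    ls_line=$(ls -ld "$f")
    mode=$(printf '%s\n' "$ls_line" | awk '{print $1}')
    owner=$(printf '%s\n' "$ls_line" | awk '{print $3}')
    rc=0
    [ "$owner" = root ] || rc=$((rc | 1))
    [ "$(printf '%s\n' "$mode" | cut -c6)" = w ] && rc=$((rc | 2))
    [ "$(printf '%s\n' "$mode" | cut -c9)" = w ] && rc=$((rc | 4))
    if [ "$rc" -eq 0 ]; then
        echo "OK        $mode $owner $f"
    else
        echo "FAIL($rc)   $mode $owner $f"
    fi
    return "$rc"
}

# Demo on a constructed file. On a real host you would run, for example:
#   for s in /etc/init.d/*; do audit_root_script "$s"; done
demo=$(mktemp -d)
printf '#!/bin/sh\necho start\n' > "$demo/jackapp"   # constructed stand-in
chmod 777 "$demo/jackapp"   # the state reported in post #4
audit_root_script "$demo/jackapp" || :
chmod 755 "$demo/jackapp"   # what the file should look like (plus root ownership)
audit_root_script "$demo/jackapp" || :
rm -rf "$demo"
```

The demo file is owned by whoever runs the script, so bit 1 will be set unless you run it as root; the interesting bits for the thread's case are 2 and 4, which a 777 file sets together and a 755 file clears. Note that the check covers the file only: if the directory holding the script is writable by the same users, the file can be replaced rather than edited, so the directory deserves the same look.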
 
05-21-2014, 02:16 AM   #8
johnsoto
LQ Newbie
Registered: May 2014
Location: USA
Posts: 4
Rep: Reputation: Disabled
You need "root" access to execute "/etc/init.d/jackapp".
 
05-21-2014, 02:30 AM   #9
pan64
LQ Guru
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,258
Rep: Reputation: 5457
sudo is used to give someone access to execute a given app as someone else (not as himself), but sudo does not mean full root privilege at all. sudo is the solution to specify special rights instead of full access.
I cannot say anything else; just read the man page, the DESCRIPTION section of sudo.
 
05-21-2014, 08:02 AM   #10
MensaWater
LQ Guru
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15
Rep: Reputation: 1668
sudo is in fact a great tool and one should not be afraid to use it but one should be cautious in the grants.

Giving someone "sudo vi" for example would be a very bad idea, because doing a shell-out of vi running as root would mean you'd be in a root shell. Similarly, as I mentioned before, one shouldn't give sudo access to shell scripts unless they can NOT be edited by anyone but root, which is part of why I said files shouldn't be set up with 777 permissions.
 
05-22-2014, 03:29 AM   #11
Turbocapitalist
LQ Guru
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,524
Blog Entries: 3
Rep: Reputation: 2786
granularity of sudoers

Quote: Originally Posted by devUnix
Well, I wrote to my boss what we discussed above. And here is his reply:

Code:
Short answer is NO. We will not authorize anyone outside of Sysops team to have full root privilege on any Linux server.

They need to fix the script.
...
Best would be if they modify the script. However ...

I would like to point out that granting sudo access does not mean that they have to get full root privilege on the server: the dev team can hand the script off to the sysops team who, after auditing the script, can place it in /usr/local/sbin/ where the dev team can read it but not write it, and then add a line such as the following to /etc/sudoers

Code:
%devteam ALL=(ALL) /usr/local/sbin/jackapp start, /usr/local/sbin/jackapp stop
As long as they don't get write access to the script in /usr/local/sbin/ after it is audited things should be good.
 
05-22-2014, 08:47 AM   #12
TB0ne
LQ Guru
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack, CentOS
Posts: 23,659
Rep: Reputation: 6915
Quote: Originally Posted by Turbocapitalist
Best would be if they modify the script. However ...
I would like to point out that granting sudo access does not mean that they have to get full root privilege on the server: the dev team can hand the script off to the sysops team who, after auditing the script, can place it in /usr/local/sbin/ where the dev team can read it but not write it, and then add a line such as the following to /etc/sudoers
Code:
%devteam ALL=(ALL) /usr/local/sbin/jackapp start, /usr/local/sbin/jackapp stop
As long as they don't get write access to the script in /usr/local/sbin/ after it is audited things should be good.
+1 for this... absolutely agree.

One of the great things about sudo is the fine-grained control you can have, and this is a good example. They can run ONE COMMAND, nothing more. Any 'workarounds' are much less elegant (and harder to maintain), than this.
 
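Posts #10 and #11 together describe what a safe sudoers grant looks like: an explicit command list rather than ALL, no editors or shells that can drop into a root shell, and a script the grantee cannot modify. The following is an added example, not code from the thread: a POSIX sh function that lints a single sudoers rule line for those patterns and returns the number of findings. The rule strings fed to it, including the thread's own `%devteam` line, are embedded as constructed input; the set of shell-escape-capable programs is an assumption chosen for the example and should be extended for your environment.

```shell
#!/bin/sh
# Added example (not from the thread): lint one sudoers rule of the form
#   user_or_%group  host=(runas) [TAG:] /path/cmd args, /path/cmd2 args
# for the risks discussed in posts #9, #10 and #11. Prints each finding and
# returns the number of findings (0 = nothing flagged).

lint_sudoers_rule() {
    rule=$1
    findings=0
    # Everything after the first '=' is "(runas) [TAG:...] cmd, cmd, ...".
    cmdspec=${rule#*=}
    # Drop the optional "(user:group)" runas list.
    case $cmdspec in \(*\)*) cmdspec=${cmdspec#*\)} ;; esac
    # Strip recognised sudoers tags; NOPASSWD is reported as informational,
    # since post #2 treats it as acceptable for a specific automated job.
    while :; do
        cmdspec=${cmdspec#"${cmdspec%%[! ]*}"}      # trim leading spaces
        case $cmdspec in
            NOPASSWD:*) echo "INFO: NOPASSWD - runs without a password prompt"
                        cmdspec=${cmdspec#*:} ;;
            PASSWD:*|NOEXEC:*|EXEC:*|SETENV:*|NOSETENV:*|LOG_INPUT:*|NOLOG_INPUT:*|LOG_OUTPUT:*|NOLOG_OUTPUT:*|MAIL:*|NOMAIL:*|FOLLOW:*|NOFOLLOW:*)
                        cmdspec=${cmdspec#*:} ;;
            *) break ;;
        esac
    done
    # Split the command list on commas; disable globbing so a literal '*'
    # in a rule is not expanded against the local filesystem.
    set -f
    old_ifs=$IFS; IFS=','
    set -- $cmdspec
    IFS=$old_ifs
    set +f
    for cmd in "$@"; do
        cmd=${cmd#"${cmd%%[! ]*}"}                  # trim leading spaces
        path=${cmd%% *}                             # first word: the program
        base=${path##*/}
        case $path in
            ALL) echo "FULL-ROOT: command list is ALL (post #9/#10: grant specific rights instead)"
                 findings=$((findings + 1)) ;;
        esac
        case $base in
            sh|bash|dash|ksh|zsh|vi|vim|view|nano|emacs|less|more|man)
                 echo "SHELL-ESCAPE: $path can shell out to a root shell (post #10's 'sudo vi' case)"
                 findings=$((findings + 1)) ;;
        esac
        case $cmd in
            *\**) echo "WILDCARD: '$cmd' - a * in a sudoers command matches arguments too, widening the grant"
                  findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Demo: the thread's recommended rule (post #11) beside rules it argues against.
for r in \
    '%devteam ALL=(ALL) /usr/local/sbin/jackapp start, /usr/local/sbin/jackapp stop' \
    'jack ALL=(ALL) ALL' \
    'jack ALL=(root) NOPASSWD: /usr/bin/vi'
do
    echo "--- $r"
    lint_sudoers_rule "$r" || echo "    findings: $?"
done
```

The linter is a review aid, not a parser of the whole file: syntax is still checked with `visudo -cf /etc/sudoers.d/jackapp` before the drop-in is installed, and the script named in the rule still needs the ownership and mode check from earlier in the thread, since a clean rule pointing at a world-writable script gives away exactly what post #10 warns about.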