Solved

run a script as root

Posted on 2002-07-11
11
274 Views
Last Modified: 2010-04-21
We would like to call a script from within a C program that runs a bash script as the root user. The script has functions like "init q" and "fuser"  to reset a serial port from one mode (respawn)to another (off). We have the root password available to use, but not sure the best way to run the bash script as root, short of running an expect script to answer the password question.
0
Comment
Question by:medent
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
11 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7148682
simply make your call within the C program (with system() for example), then do follwoing to the compiled and linked binary:
   chmod 4555 your-prog
   chown root your-prog
0
 

Author Comment

by:medent
ID: 7148826
Thank You that helped. The binary appears to run as root, but when it calls to the shell script, the shell script does not run as root, does that make sense?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7150139
hmm, thought it works this way with scripts too ...
Try to use seteuid() in your program before calling the script. See also setsid()
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 5

Expert Comment

by:bryanh
ID: 7151635
The shell at least some times (maybe always) resets the effective uid to the real uid when it starts up.

The point is moot in this case, though, because 'init' bases prvilege on the real uid of the sender of a command, not the effective uid.

So you just need to do setreuid (not seteuid) before doing the system().

You still need to have the setuid flag on the program, though, because otherwise it doesn't have permission to do setreuid().
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7152089
damn, missed to mention setreuid() too, thanks bryanh
0
 

Expert Comment

by:RonaldMundell
ID: 7167520
Hi

run chmod with s+u and s+g under root. this will run the script as root whom ever are running it. This is a dangerous thing to do. If your scrip gets broken the user will we loged into an console as root, be aware

ROnald
0
 
LVL 3

Expert Comment

by:DVB
ID: 7185425
Compiled binaries run as root, shell scripts don't.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7186279
> .. this will run the script as root whom ever are running it.
> Compiled binaries run as root, shell scripts don't.
General answer: NO (to both statements).

In ancient times any program (script, or not) was executed with root permissions if owned by root and SUID root.
Modern kernels prohibit SUID scripts.
You need to check the kernel settings ...
0
 
LVL 5

Expert Comment

by:bryanh
ID: 7186973
Are you sure about that?  I thought the story was that in ancient times scripts could be setuid, then in recent times they couldn't, and in modern times they can again.  It definitely varies from one Unix to another.

The issue, in case anyone following this is interested, is that on ancient Unix systems, with a setuid script, the kernel would load the interpreter (shell) and set the effective uid, and then start the interpreter and pass to it the name of the program (script).  The interpreter would then interpret the program, with the set effective uid.

The problem with that is that a malicious user might change things immediately after the interpreter starts so that the program name refers to some other non-setuid program.  
(An easy way to do this is to have the program name be a symlink and update the symlink).  Now the interpreter, running with the set effective uid, interprets some arbitrary program.

When the engineers noted that problem, they disabled setuid for an interpreted program (shell script).

But the ultimate solution is better than that:  instead of having the kernel pass the program name to the interpreter, have it keep the file open (it had to open it to find out what interpreter to invoke anyway) and pass the file handle to the interpreter.  Now the user can change names all he wants and the only program that's going to get interpreted is the one that had the setuid flag set.  I thought Linux did that.


Well, I just checked my Linux 2.2 system, and it does in fact fail any attempt to exec an interpreted program with the setuid flag set.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7187421
bryanh,
> Are you sure about that?
YES.

> It definitely varies from one Unix to another.
I agree.

Just to clear it out a bit:
  I'm not shure about the exact version where which behaviour starts (I'm still collecting this information, let me know if you have details:).

A trick to get rid of SUID programs and scripts which works on most UNIX/Linux is to use the nosuid option in /etc/[v]fstab (or the mount command itself)
0
 
LVL 3

Accepted Solution

by:
pjb1008 earned 300 total points
ID: 7251043
Writing setuid scripts is a good way to introduce security problems. Successfully cleaning up the environment (by which I mean timers, signal blocks, strange fd, as well as environment variables) is hard.

The reasonable two approaches are:
1) use a setuid program to clean up the evironment then call the script. This is what sudo does.
2) use a setuid program to pass your credentials, together with a request to run a program, to a daemon that starts the script.

(1) is fairly easy to understand and configure, as is probably part of your Linux distribution.
The advantage of (2) is that is starts the program in a known-clean environment, so you don't have to know about every trick that can be used for privilege escalation. This makes it much easier to run shell scripts that run in a different privilege domain from the calling user.

An implementation of (2) is at:
http://www.chiark.greenend.org.uk/~ian/userv/
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Help Linux centos 5.7 3 95
GUI development for Ubuntu 8 220
OS & DB Recommendation 4 51
what does daemon command do in linux 3 87
Have you ever been frustrated by having to click seven times in order to retrieve a small bit of information from the web, always the same seven clicks, scrolling down and down until you reach your target? When you know the benefits of the command l…
The purpose of this article is to fix the unknown display problem in Linux Mint operating system. After installing the OS if you see Display monitor is not recognized then we can install "MESA" utilities to fix this problem or we can install additio…
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question