
How can I run script with root privileges?

Posted on 2004-10-04
Last Modified: 2013-12-04
How can I make a script that any user can run? This script makes log files that are stored on the root volume [none of the users can read or modify these logs].
I don’t want to use the su command inside the script, as I store the current user info inside these log files.

thank you
Question by:nilehawk
17 Comments
LVL 18

Expert Comment

by:liddler
ID: 12217500
I'm not entirely sure what you are after; I think the application you want is sudo
http://www.courtesan.com/sudo/
This allows non-root users to run commands with elevated privileges.
If you can be more specific - Unix version, exactly how you are interacting with the logs, etc.

Author Comment

by:nilehawk
ID: 12217614
Hi
My UNIX is Solaris 8 and/or freeBSD
My script is added to the user profile for monitoring  
My script is simple:

script /"`date`".log
who i am
clear


thank you
LVL 18

Expert Comment

by:liddler
ID: 12217702
once you have created your script, you need to set the setuid bit (the sticky bit)
chmod a+s my_script
This sets the effective UID for that script to root, but will not allow the user to delete / edit the log file
LVL 5

Expert Comment

by:paranoidcookie
ID: 12217934
Whoa, rather than allow users to run the logging application as root (which is a security minefield), a better solution would be to change the access permissions where the data is written to.
LVL 5

Expert Comment

by:paranoidcookie
ID: 12217958
Look into what you can do with syslog; maybe pipe the output to another server.
LVL 5

Expert Comment

by:paranoidcookie
ID: 12217985
http://www.gentoo.org/doc/en/gentoo-security.xml I know you don't run Gentoo or Linux, but there is an excellent section on logging and it's a good security document.
LVL 18

Expert Comment

by:liddler
ID: 12218043
paranoidcookie, I think the issue is allowing the user to create and write to a file from a given script, but not be able to remove / modify them.  I agree that setuid flags can be a security issue.

I seem to remember reading about freeBSD having an append only mode for log files, specifically for this kind of thing, but I've never used it...
I read it in Andrew Lockhart's excellent Network Security Hacks (http://www.amazon.co.uk/exec/obidos/ASIN/0596006438/qid=1096902875/ref=sr_8_xs_ap_i1_xgl/026-5326540-2508456)
LVL 5

Expert Comment

by:paranoidcookie
ID: 12218112
I understand that; I am just urging that he doesn't replace one security hole with another.
LVL 18

Expert Comment

by:liddler
ID: 12218252
;-)
Good point, it always helps to be paranoid

Author Comment

by:nilehawk
ID: 12225172
Hi  liddler

I already tried the setuid bit (the sticky bit), chmod a+s mon.ssh, before posting my question.
But when I run it as a user I get a permission denied error message. So what can I do?

Hi paranoidcookie

I want the user to run the script as root so that they can’t delete their log [if they are doing something wrong and do not want to be tracked].
I think there will be no security hole as the script will be invisible to the users.
LVL 5

Expert Comment

by:paranoidcookie
ID: 12225214
I think you'll find simply having setuid programs on the system is a security hole; you would be much better advised to plug into one of the existing logging systems than to reinvent the wheel and write your own potentially insecure one.
LVL 18

Expert Comment

by:liddler
ID: 12225245
OK,
The file must be owned by root:
chown root mon.sh
then
chmod a+s mon.sh

Also, you need the shell at the beginning of the script.

Also I'd tidy up the date format; yours has spaces in it, which is not easy to housekeep.
Also, try not to put the log file in /; you never want to fill that disk. The standard is to use /var.
So this worked for me:

#!/usr/bin/ksh
# %M is minutes; %m would repeat the month number in the file name
script /var/"`date +%d-%m-%y_%H:%M`".log
who i am
clear



ls -l mon.sh
-rwsr-sr-x   1 root     other         72 Oct  5 11:20 mon.sh


LVL 51

Expert Comment

by:ahoffmann
ID: 12230455
AFAIK Solaris no longer allows SUID-root scripts, just SUID-binaries, for security reasons.
I'm not sure for FreeBSD.

a discussion can be read at http://www.experts-exchange.com/t/Q_20225050.html

On Solaris you can use ndd, IIRC there is a switch to allow SUID scripts (sorry can't remember), and there is a trick using /dev/fd instead of the hashbang mechanism, can't remember too ('cause I'm security paranoid:)
LVL 48

Expert Comment

by:Tintin
ID: 12230611
Solaris (and a lot of other Unix flavours) don't allow SUID scripts.

sudo still seems like the most sensible answer.
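Two points from the thread, put into a check an administrator can actually run: paranoidcookie's warning that setuid programs on the system deserve an inventory, and Tintin's and ahoffmann's observation that Solaris and most other Unix flavours ignore the setuid bit on interpreter scripts (which is why the chmod a+s attempt above ended in "permission denied"). This is an added example, not code from anyone in the thread; it assumes only POSIX sh and find(1), takes the directory to scan as its first argument, and needs no root.

```sh
#!/bin/sh
# Added example (not code from the thread).  Lists setuid/setgid regular
# files under a directory and tells interpreter scripts (first line "#!")
# apart from real binaries.  On Solaris and most Unix flavours the kernel
# ignores the bit on scripts, so a setuid script is at best a no-op and at
# worst a sign that someone tried the approach warned against above.
# Assumptions: POSIX sh and find(1); directory to scan is passed as $1.

# Print one line per setuid/setgid regular file under $1:
#   SCRIPT <path>   first line starts with "#!" (bit ignored by the kernel,
#                   or honoured only on systems that permit setuid scripts)
#   BINARY <path>   anything else (a real privileged executable to review)
audit_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r _f; do
        _first=""
        IFS= read -r _first <"$_f" || :     # only the first line is needed
        case $_first in
            '#!'*) printf 'SCRIPT %s\n' "$_f" ;;
            *)     printf 'BINARY %s\n' "$_f" ;;
        esac
    done
}

# Number of setuid/setgid scripts under $1 (prints 0 when there are none).
count_setuid_scripts() {
    audit_setuid "$1" | awk '/^SCRIPT /{n++} END{print n+0}'
}

# Stand-alone use: sh audit_setuid.sh /usr/local/bin
if [ $# -gt 0 ]; then
    audit_setuid "$1"
    printf 'setuid/setgid scripts found: %s\n' "$(count_setuid_scripts "$1")"
fi
```

Run it over /usr/local/bin or wherever home-grown scripts live; any SCRIPT line is a script whose setuid bit does nothing useful and should simply be cleared, and each BINARY line is a privileged executable worth knowing about.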
LVL 61

Accepted Solution

by: gheist (earned 250 total points)
ID: 12256217
script /"`date`".log
who i am
clear


This does not require sudo or whatever, though sudo is a great tool.

Just use a group-writable log file, or use date | logger, to have the general-purpose syslog used for logging.

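The accepted answer in working form, as an added example that is not part of gheist's post: the profile script runs as the ordinary user and hands its record to syslog through logger(1), so no setuid bit and no sudo are involved, and because syslogd (running as root) owns the log file, the user being logged can neither read nor truncate it, which is what the question was really after. Assumed: POSIX sh, logger(1) present (the script appends to a local file if it is not), and /var/log/session-audit.log as a placeholder path that the thread does not mention.

```sh
#!/bin/sh
# Added example (not code from the thread).  Logs a login-session record via
# syslog instead of a setuid script.  logger(1) runs as the user; syslogd
# (root) writes the file, so the user cannot read or truncate the log.
# Assumptions: POSIX sh; logger(1) available (otherwise we append to
# $LOGFILE); the LOGFILE path below is a placeholder, not from the thread.

LOGFILE="${SESSION_LOGFILE:-/var/log/session-audit.log}"   # placeholder path

# Build one audit record.  $1 = login name, $2 = tty, $3 = optional timestamp
# (defaults to current UTC time; the parameter only exists so the format can
# be checked deterministically).  pid/ppid come from the shell itself, so a
# user cannot forge them by passing arguments.
session_record() {
    _user=$1
    _tty=$2
    _stamp=${3:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
    _host=$(hostname 2>/dev/null || echo unknown)
    printf 'ts=%s host=%s user=%s tty=%s pid=%s ppid=%s\n' \
        "$_stamp" "$_host" "$_user" "$_tty" "$$" "$PPID"
}

# Ship the record to syslog (facility auth, priority notice, tagged so
# /etc/syslog.conf can route it, e.g. to another server as suggested above);
# fall back to a local append when logger(1) is missing.
log_session() {
    _rec=$(session_record "$@")
    if command -v logger >/dev/null 2>&1; then
        logger -p auth.notice -t session-audit "$_rec"
    else
        printf '%s\n' "$_rec" >>"$LOGFILE"
    fi
}

# "who am i" reports the name the user logged in with (it survives su, which
# is why the original script used who rather than id); fall back to id(1)
# when there is no controlling tty.
login_name() {
    _n=$(who am i 2>/dev/null | awk '{print $1}')
    [ -n "$_n" ] || _n=$(id -un)
    printf '%s\n' "$_n"
}

# Typical use from /etc/profile.  Guarded by an environment variable so that
# sourcing this file just for its functions does not emit a record.
if [ "${SESSION_AUDIT_RUN:-0}" = 1 ]; then
    log_session "$(login_name)" "$(tty 2>/dev/null)"
fi
```

A group-writable file alone does not give the same guarantee: a user who can append with >> can also truncate with >, so if you go that route keep the file root-owned and let only syslogd write to it, as gheist's second suggestion does.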
LVL 61

Expert Comment

by:gheist
ID: 12256231
Some systems do not like setuid script files, so sudo should be used when adjusting the script to run with normal privilege is not an option.

Author Comment

by:nilehawk
ID: 12270103
Dear all, thank you for your help.
liddler, thank you for your comments; I used chmod and chown but still don’t have permission. I think ahoffmann is correct: Solaris no longer allows SUID-root scripts, just SUID binaries, for security reasons.

gheist gave us the correct answer; we don’t have to reinvent the wheel. I will use syslog, thank you.