How can I run script with root privileges?

Posted on 2004-10-04
Last Modified: 2013-12-04
How can I make a script that any user can run? This script makes log files that are stored on the root volume [none of the users can read, nor modify, these logs].
I don't want to use the su command inside the script as I store the current user info inside these log files.

thank you
Question by:nilehawk
17 Comments
 
LVL 18

Expert Comment

by:liddler
ID: 12217500
I'm not entirely sure what you are after; I think the application you want is sudo
http://www.courtesan.com/sudo/
This allows non-root users to run commands with elevated privileges.
If you can be more specific - Unix version, exactly how you are interacting with the logs etc.
 

Author Comment

by:nilehawk
ID: 12217614
Hi
My UNIX is Solaris 8 and/or FreeBSD.
My script is added to the user profile for monitoring.
My script is simple:

script /"`date`".log
who i am
clear


thank you
 
LVL 18

Expert Comment

by:liddler
ID: 12217702
Once you have created your script, you need to set the setuid bit (the sticky bit):
chmod a+s my_script
This sets the effective UID for that script to root, but will not allow the user to delete / edit the log file.

 
LVL 5

Expert Comment

by:paranoidcookie
ID: 12217934
Whoa, rather than allowing users to run the logging application as root (which is a security minefield), a better solution would be to change the access permissions where the data is written to.
 
LVL 5

Expert Comment

by:paranoidcookie
ID: 12217958
Look into what you can do with syslog; maybe pipe the output to another server.
 
LVL 5

Expert Comment

by:paranoidcookie
ID: 12217985
http://www.gentoo.org/doc/en/gentoo-security.xml I know you don't run Gentoo or Linux, but there is an excellent section on logging and it's a good security document.
 
LVL 18

Expert Comment

by:liddler
ID: 12218043
paranoidcookie, I think the issue is allowing the user to create and write to a file from a given script, but not be able to remove / modify them.  I agree that setuid flags can be a security issue.

I seem to remember reading about FreeBSD having an append-only mode for log files, specifically for this kind of thing, but I've never used it...
I read it in Andrew Lockhart's excellent Network Security Hacks (http://www.amazon.co.uk/exec/obidos/ASIN/0596006438/qid=1096902875/ref=sr_8_xs_ap_i1_xgl/026-5326540-2508456)
 
LVL 5

Expert Comment

by:paranoidcookie
ID: 12218112
I understand that; I am just urging that he doesn't replace one security hole with another.
 
LVL 18

Expert Comment

by:liddler
ID: 12218252
;-)
Good point, it always helps to be paranoid
 

Author Comment

by:nilehawk
ID: 12225172
Hi liddler

I already tried the setuid bit (the sticky bit) chmod a+s mon.ssh before posting my question.
But when I run it as a user I get a permission denied error message. So what can I do?

Hi paranoidcookie

I want the users to run the script as root so that they can't delete their log [if they are doing something wrong and do not want to be tracked].
I think there will be no security hole as the script will be invisible to the users.
 
LVL 5

Expert Comment

by:paranoidcookie
ID: 12225214
I think you'll find simply having setuid programs on the system is a security hole; you would be much better advised to plug into one of the existing logging systems than to reinvent the wheel and write your own potentially insecure one.
 
LVL 18

Expert Comment

by:liddler
ID: 12225245
OK,
The file must be owned by root:
chown root mon.sh
then
chmod a+s mon.sh

Also you need the shell at the beginning of the script.

Also I'd tidy up the date format; yours has spaces in it, not easy to housekeep..
..Also, try not to put the log file in /, you never want to fill that disk; the standard is to use /var.
So this worked for me:

#!/usr/bin/ksh
# log name is day-month-year_hour:minute (%M is minutes; %m would repeat the month)
script /var/"`date +%d-%m-%y_%H:%M`".log
who i am
clear



ls -l mon.sh
-rwsr-sr-x   1 root     other         72 Oct  5 11:20 mon.sh

 
LVL 51

Expert Comment

by:ahoffmann
ID: 12230455
AFAIK Solaris no longer allows SUID-root scripts, just SUID binaries, for security reasons.
I'm not sure for FreeBSD.

A discussion can be read at http://www.experts-exchange.com/t/Q_20225050.html

On Solaris you can use ndd; IIRC there is a switch to allow SUID scripts (sorry, can't remember), and there is a trick using /dev/fd instead of the hashbang mechanism, can't remember that either ('cause I'm security paranoid :)
 
LVL 48

Expert Comment

by:Tintin
ID: 12230611
Solaris (and a lot of other Unix flavours) don't allow SUID scripts.

sudo still seems like the most sensible answer.
 
LVL 62

Accepted Solution

by:
gheist earned 1000 total points
ID: 12256217
script /"`date`".log
who i am
clear


This does not require sudo or whatever, though sudo is a great tool.

Just use a group-writable log file, or use date | logger, to have the general-purpose syslog used for logging.

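One way to put gheist's date | logger suggestion into practice, written here as an added example and not code from the thread: a profile-time monitor that hands the session record to syslog instead of writing a file under / from a setuid script. It assumes logger(1) is installed and that syslogd keeps auth.notice in a root-owned file or forwards it to another host, so the monitored user cannot edit or delete the record; the function names and the session-monitor tag are my own.

```shell
#!/bin/sh
# Added example: record login sessions through syslog rather than a setuid
# script.  Assumes logger(1) and a syslogd that stores auth.notice somewhere
# the ordinary user cannot write (root-owned file or a remote log host).

# Reduce one field to a safe character set on a single line, so a crafted
# environment value or tty name cannot smuggle a fake record into the log.
sanitize_field() {
    printf '%s' "$1" | tr '\n\r' '__' | sed 's|[^-A-Za-z0-9._@:/+]|_|g'
}

# Compose the record from explicit arguments (effective user, login name as
# reported by who(1), tty, remote host) so it can be checked without a tty.
build_session_record() {
    printf 'session-start user=%s login=%s tty=%s from=%s' \
        "$(sanitize_field "$1")" "$(sanitize_field "${2:-unknown}")" \
        "$(sanitize_field "${3:-notty}")" "$(sanitize_field "${4:-local}")"
}

# Collect live values.  `who am i` reports the original login name even after
# su, which is what the asker wants kept; the -t test avoids hanging in a
# non-interactive shell.  SSH_CLIENT is "addr port port" when present.
record_current_session() {
    login_name=""
    if [ -t 0 ]; then
        login_name=$(who am i 2>/dev/null | awk 'NR==1 {print $1}')
    fi
    build_session_record "$(id -un)" "$login_name" \
        "$(tty 2>/dev/null)" "${SSH_CLIENT%% *}"
}

# Ship it at facility auth so it lands with the other login records; the tag
# lets syslog.conf route just these lines (for example to another server).
ship_record() {
    logger -p auth.notice -t session-monitor "$1"
}

# Typical use from /etc/profile (root-owned, so users cannot bypass it by
# editing their own dotfiles).  Uncomment to activate:
# ship_record "$(record_current_session)"
```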
 
LVL 62

Expert Comment

by:gheist
ID: 12256231
Some systems do not like setuid script files, so sudo should be used when adjusting the script to run with normal privileges is not an option.
 

Author Comment

by:nilehawk
ID: 12270103
Dear all, thank you for your help.
liddler, thank you for your comments. I used chmod and chown but still don't have permission. I think ahoffmann is correct: Solaris no longer allows SUID-root scripts, just SUID binaries, for security reasons.

gheist gave us the correct answer; we don't have to reinvent the wheel. I will use syslog, thank you.
