• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 17344

How can I run script with root privileges?

How can I make a script that any user can run? This script makes log files that are stored on the root volume [none of the users can read or modify these logs].
I don't want to use the su command inside the script, as I store the current user info in these log files.

thank you
Asked: nilehawk
1 Solution
 
liddlerCommented:
I'm not entirely sure what you are after; I think the application you want is sudo
http://www.courtesan.com/sudo/
This allows non-root users to run commands with elevated privileges.
If you can be more specific - Unix version, exactly how you are interacting with the logs, etc.
 
nilehawkAuthor Commented:
Hi
My UNIX is Solaris 8 and/or FreeBSD
My script is added to the user profile for monitoring
My script is simple:

script /"`date`".log
who am i
clear


thank you
 
liddlerCommented:
once you have created your script, you need to set the setuid bit (the sticky bit)
chmod a+s my_script
This sets the effective UID for that script to root, but will not allow the user to delete / edit the log file
 
paranoidcookieCommented:
Whoa, rather than allow users to run the logging application as root (which is a security minefield), a better solution would be to change the access permissions where the data is written to.
 
paranoidcookieCommented:
Look into what you can do with syslog; maybe pipe the output to another server.
 
paranoidcookieCommented:
http://www.gentoo.org/doc/en/gentoo-security.xml I know you don't run Gentoo or Linux, but there is an excellent section on logging and it's a good security document.
 
liddlerCommented:
paranoidcookie, I think the issue is allowing the user to create and write to a file from a given script, but not be able to remove / modify them.  I agree that setuid flags can be a security issue.

I seem to remember reading about freeBSD having an append only mode for log files, specifically for this kind of thing, but I've never used it...
I read it in Andrew Lockhart's excellent Network Security Hacks (http://www.amazon.co.uk/exec/obidos/ASIN/0596006438/qid=1096902875/ref=sr_8_xs_ap_i1_xgl/026-5326540-2508456)
 
paranoidcookieCommented:
I understand that. I am just urging that he doesn't replace one security hole with another.
 
liddlerCommented:
;-)
Good point, it always helps to be paranoid
 
nilehawkAuthor Commented:
Hi  liddler

I already tried the setuid bit (the sticky bit) chmod a+s mon.ssh before posting my question.
But when I run it as a user I get a permission denied error message. So what can I do?

Hi paranoidcookie

I want the users to run the script as root so that they can't delete their log [if they are doing something wrong and do not want to be tracked].
I think there will be no security hole as the script will be invisible to the users.
 
paranoidcookieCommented:
I think you'll find simply having setuid programs on the system is a security hole. You would be much better advised to plug into one of the existing logging systems than to reinvent the wheel and write your own potentially insecure one.
 
liddlerCommented:
OK,
The file must be owned by root:
chown root mon.sh
then
chmod a+s mon.sh

Also, you need the shell at the beginning of the script.

Also, I'd tidy up the date format; yours has spaces in it, which is not easy to housekeep.
Also, try not to put the log file in /; you never want to fill that disk. The standard is to use /var.
So this worked for me:

#!/usr/bin/ksh
# %M is minutes; %m would insert the month a second time
script /var/"`date +%d-%m-%y_%H:%M`".log
who am i
clear



ls -l mon.sh
-rwsr-sr-x   1 root     other         72 Oct  5 11:20 mon.sh


 
ahoffmannCommented:
AFAIK Solaris no longer allows SUID-root scripts, just SUID binaries, for security reasons.
I'm not sure about FreeBSD.

a discussion can be read at http://www.experts-exchange.com/t/Q_20225050.html

On Solaris you can use ndd; IIRC there is a switch to allow SUID scripts (sorry, can't remember), and there is a trick using /dev/fd instead of the hashbang mechanism, which I can't remember either ('cause I'm security paranoid :)
 
TintinCommented:
Solaris (and a lot of other Unix flavours) don't allow SUID scripts.

sudo still seems like the most sensible answer.
 
gheistCommented:
script /"`date`".log
who am i
clear


This does not require sudo or whatever, though sudo is a great tool.

Just use a group-writable log file, or use date | logger, to have the general-purpose syslog be used for logging.
 
gheistCommented:
Some systems do not like setuid script files, so sudo should be used when adjusting the script to run with normal privileges is not an option.
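The syslog route that gheist recommends in the two comments above, written out as an added example that is not part of this thread or of any poster's own script. It records the login with logger(1) instead of a setuid-root script, picks up the real user name when the script is run through sudo (so the "current user info" the asker wants is kept), and uses a space-free timestamp as liddler suggested. The tag login-monitor, the sudoers line quoted in the comment, and the fallback log path are assumptions for illustration.

```shell
#!/bin/sh
# Added example: per-login monitoring via syslog rather than a setuid script.
# Assumed deployment: sourced from each user's profile, e.g. ". /usr/local/bin/mon.sh",
# or invoked through an assumed sudoers entry such as
#   %users ALL=(root) NOPASSWD: /usr/local/bin/mon.sh
# Neither path nor sudoers line is from the thread.

# The identity worth logging is the *real* user. Under sudo the effective
# user is root, but sudo exports SUDO_USER; otherwise fall back to id(1).
real_user() {
    if [ -n "${SUDO_USER:-}" ]; then
        printf '%s\n' "$SUDO_USER"
    else
        id -un
    fi
}

# Timestamp with no spaces, so a file named after it is easy to housekeep.
# %M is minutes; %m would be the month.
stamp() {
    date +%Y-%m-%d_%H%M%S
}

# Build one record: real user, effective uid, controlling tty (if any), time.
build_record() {
    tty_name=$(tty 2>/dev/null) || tty_name=notty
    printf 'login user=%s euid=%s tty=%s at=%s\n' \
        "$(real_user)" "$(id -u)" "$tty_name" "$(stamp)"
}

# Hand the record to syslog when logger(1) is available and a syslog socket
# answers. syslogd runs as root, so an unprivileged user can append a message
# but cannot edit or delete what has already been written. If logger is
# missing or fails, append to a fallback file (assumed path) so the script
# still runs in a minimal environment; the record is also echoed so the
# caller can see what was logged.
emit_record() {
    rec=$(build_record)
    if command -v logger >/dev/null 2>&1 &&
       logger -t login-monitor -p auth.info "$rec" 2>/dev/null; then
        :
    else
        printf '%s\n' "$rec" >> "${LOGFILE:-${TMPDIR:-/tmp}/login-monitor.log}"
    fi
    printf '%s\n' "$rec"
}

# Run when sourced or executed; set MON_SKIP_MAIN=1 to load the functions only.
[ "${MON_SKIP_MAIN:-0}" = 1 ] || emit_record >/dev/null
```

The point of the design is that the user never needs elevated rights: the only privileged component is the system's own syslogd, which already owns the log files under /var, and a remote syslog destination (paranoidcookie's "pipe the output to another server") takes the copy off the machine entirely.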
 
nilehawkAuthor Commented:
Dear all, thank you for your help.
liddler, thank you for your comments. I used chmod and chown but still don't have permission. I think ahoffmann is correct: Solaris no longer allows SUID-root scripts, just SUID binaries, for security reasons.

gheist gave us the correct answer; we don't have to reinvent the wheel. I will use syslog. Thank you.