Solved

How can I run script with root privileges?

Posted on 2004-10-04
17,285 Views
Last Modified: 2013-12-04
How can I make a script that any user can run? This script makes log files that are stored on the root volume [none of the users can read or modify these logs]
I don't want to use the su command inside the script, as I store the current user info inside these log files

thank you
Question by:nilehawk
17 Comments
 
LVL 18

Expert Comment

by:liddler
ID: 12217500
I'm not entirely sure what you are after; I think the application you want is sudo
http://www.courtesan.com/sudo/
This allows non-root users to run commands with elevated privileges.
If you can be more specific - Unix version, exactly how you are interacting with the logs etc.

Author Comment

by:nilehawk
ID: 12217614
Hi
My UNIX is Solaris 8 and/or FreeBSD
My script is added to the user profile for monitoring  
My script is simple:

# Record the whole session to a log file named after the current date
script /"`date`".log
# Print the current user's login name and terminal; who(1) expects the form "who am i"
who am i
clear


thank you
LVL 18

Expert Comment

by:liddler
ID: 12217702
Once you have created your script, you need to set the setuid bit (the sticky bit)
chmod a+s my_script
This sets the effective UID for that script to root, but will not allow the user to delete / edit the log file
 
LVL 5

Expert Comment

by:paranoidcookie
ID: 12217934
Whoa, rather than allow users to run the logging application as root (which is a security minefield), a better solution would be to change the access permission where the data is written to.
LVL 5

Expert Comment

by:paranoidcookie
ID: 12217958
Look into what you can do with syslog; maybe pipe the output to another server.
LVL 5

Expert Comment

by:paranoidcookie
ID: 12217985
http://www.gentoo.org/doc/en/gentoo-security.xml I know you don't run Gentoo or Linux, but there is an excellent section on logging and it's a good security document
LVL 18

Expert Comment

by:liddler
ID: 12218043
paranoidcookie, I think the issue is allowing the user to create and write to a file from a given script, but not be able to remove / modify them.  I agree that setuid flags can be a security issue.

I seem to remember reading about FreeBSD having an append-only mode for log files, specifically for this kind of thing, but I've never used it...
I read it in Andrew Lockhart's excellent Network Security Hacks (http://www.amazon.co.uk/exec/obidos/ASIN/0596006438/qid=1096902875/ref=sr_8_xs_ap_i1_xgl/026-5326540-2508456)
LVL 5

Expert Comment

by:paranoidcookie
ID: 12218112
I understand that; I am just urging that he doesn't replace one security hole with another.
LVL 18

Expert Comment

by:liddler
ID: 12218252
;-)
Good point, it always helps to be paranoid

Author Comment

by:nilehawk
ID: 12225172
Hi  liddler

I already tried the setuid bit (the sticky bit) chmod a+s mon.ssh before posting my question
But when I run it as a user I get a permission denied error message. So what can I do?

Hi paranoidcookie

I want the user to run the script as root so that they can't delete their log [if they are doing something wrong and do not want to be tracked]
I think there will be no security hole as the script will be invisible to the users.
LVL 5

Expert Comment

by:paranoidcookie
ID: 12225214
I think you'll find simply having setuid programs on the system is a security hole; you would be much better advised to plug into one of the existing logging systems than to reinvent the wheel and write your own potentially insecure one.
LVL 18

Expert Comment

by:liddler
ID: 12225245
OK,
File must be owned by root
chown root mon.sh
then
chmod a+s mon.sh

Also you need the shell at the beginning of the script.

Also I'd tidy up the date format, yours has spaces in it, not easy to housekeep.
Also, try not to put the log file in /, you never want to fill that disk, the standard is to use /var
So this worked for me:

#!/usr/bin/ksh
# Log name without spaces; %M is minutes (%m would repeat the month)
script /var/"`date +%d-%m-%y_%H:%M`".log
# Login name and terminal of the current user; who(1) expects "who am i"
who am i
clear



ls -l mon.sh
-rwsr-sr-x   1 root     other         72 Oct  5 11:20 mon.sh


LVL 51

Expert Comment

by:ahoffmann
ID: 12230455
AFAIK Solaris no longer allows SUID-root scripts, just SUID binaries, for security reasons.
I'm not sure about FreeBSD.

a discussion can be read at http://www.experts-exchange.com/t/Q_20225050.html

On Solaris you can use ndd, IIRC there is a switch to allow SUID scripts (sorry can't remember), and there is a trick using /dev/fd instead of the hashbang mechanism, can't remember too ('cause I'm security paranoid:)
LVL 48

Expert Comment

by:Tintin
ID: 12230611
Solaris (and a lot of other Unix flavours) don't allow SUID scripts.

sudo still seems like the most sensible answer.
LVL 62

Accepted Solution

by:gheist (earned 250 total points)
ID: 12256217
# Same session recorder, run with the user's own privilege (no setuid needed)
script /"`date`".log
# who(1) expects the form "who am i"
who am i
clear


This does not require sudo or whatever, though sudo is a great tool.

Just use a group-writable log file, or use date | logger, to have the general-purpose syslog used for logging.

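A worked version of the logger/syslog approach suggested in the accepted answer, added here as an example and not code from the thread. The tag "session-mon" and the auth.notice priority are assumptions; syslogd writes the resulting file under root's ownership, so the logged user cannot edit or delete the entry.

```shell
#!/bin/sh
# Added example, not from the thread: record a user's session start through
# syslog with logger(1) instead of a setuid script.  syslogd owns the file it
# writes (typically under /var/log), so the user being logged can neither edit
# nor delete the entry, which was the original requirement.

# Build one record.  Arguments: user name, tty, timestamp (passed in rather
# than looked up so the formatting can be exercised on constructed values).
build_session_record() {
    user="$1"; tty_name="$2"; stamp="$3"
    # A line-oriented log can be forged by a user-controlled value containing
    # newlines or separators, so accept only a conservative character set.
    case "$user$tty_name" in
        *[!A-Za-z0-9_./-]*) return 1 ;;
    esac
    printf 'user=%s tty=%s start=%s\n' "$user" "$tty_name" "$stamp"
}

# Send the record.  Tag "session-mon" and priority auth.notice are assumed;
# route them in syslog.conf, possibly to a remote log host.
log_session_start() {
    tty_name=$(tty 2>/dev/null) || tty_name=notty
    rec=$(build_session_record "$(id -un)" "$tty_name" \
                               "$(date +%Y-%m-%dT%H:%M:%S)") || return 1
    logger -p auth.notice -t session-mon -- "$rec"
}

# Call from the user's login profile:
# log_session_start
```
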
LVL 62

Expert Comment

by:gheist
ID: 12256231
some systems do not like setuid script files, so sudo should be used when adjusting script to run with normal privilege is not an option

Author Comment

by:nilehawk
ID: 12270103
Dear all thank you for your help
liddler, thank you for your comments. I used chmod and chown but still don't have permission. I think ahoffmann is correct: Solaris no longer allows SUID-root scripts, just SUID binaries, for security reasons.

gheist gave us the correct answer; we don't have to reinvent the wheel. I will use syslog, thank you