nilehawk (Egypt) asked:
How can I run script with root privileges?

How can I make a script that any user can run? This script makes log files that are stored on the root volume [none of the users should be able to read or modify these logs].
I don't want to use the su command inside the script, as I store the current user's info inside these log files.

thank you
liddler (Ireland)

I'm not entirely sure what you are after; I think the application you want is sudo:
http://www.courtesan.com/sudo/
This allows non-root users to run commands with elevated privileges.
If you can be more specific - Unix version, exactly how you are interacting with the logs, etc.
nilehawk (ASKER)

Hi
My UNIX is Solaris 8 and/or FreeBSD.
My script is added to the user profile for monitoring.
My script is simple:

script /"`date`".log
# "who am i" is the documented form of the command ("who i am" is not portable)
who am i
clear


thank you
Once you have created your script, you need to set the setuid bit (the sticky bit):
chmod a+s my_script
This sets the effective UID for that script to root, but will not allow the user to delete / edit the log file.
Whoa, rather than allow users to run the logging application as root (which is a security minefield), a better solution would be to change the access permission where the data is written to.
Look into what you can do with syslog; maybe pipe the output to another server.
http://www.gentoo.org/doc/en/gentoo-security.xml - I know you don't run Gentoo or Linux, but there is an excellent section on logging and it's a good security document.
paranoidcookie, I think the issue is allowing the user to create and write to a file from a given script, but not be able to remove / modify them.  I agree that setuid flags can be a security issue.

I seem to remember reading about freeBSD having an append only mode for log files, specifically for this kind of thing, but I've never used it...
I read it in Andrew Lockhart's excellent Network Security Hacks (http://www.amazon.co.uk/exec/obidos/ASIN/0596006438/qid=1096902875/ref=sr_8_xs_ap_i1_xgl/026-5326540-2508456)
I understand; I am just urging that he doesn't replace one security hole with another.
;-)
Good point, it always helps to be paranoid
Hi  liddler

I already tried the setuid bit (the sticky bit) chmod a+s mon.ssh before posting my question.
But when I run it as a user I get a permission denied error message. So what can I do?

Hi paranoidcookie

I want the users to run the script as root so that they can't delete their log [if they are doing something wrong and do not want to be tracked].
I think there will be no security hole as the script will be invisible to the users.
I think you'll find simply having setuid programs on the system is a security hole; you would be much better advised to plug into one of the existing logging systems than to reinvent the wheel and write your own potentially insecure one.
OK,
The file must be owned by root:
chown root mon.sh
then
chmod a+s mon.sh

Also you need the shell at the beginning of the script.

Also I'd tidy up the date format; yours has spaces in it, not easy to housekeep..
..Also, try not to put the log file in /, you never want to fill that disk; the standard is to use /var.
So this worked for me:

#!/usr/bin/ksh
# %M is minutes; %m would repeat the month in the filename
script /var/"`date +%d-%m-%y_%H:%M`".log
who am i
clear



ls -l mon.sh
-rwsr-sr-x   1 root     other         72 Oct  5 11:20 mon.sh


AFAIK Solaris no longer allows SUID-root scripts, just SUID binaries, for security reasons.
I'm not sure about FreeBSD.

a discussion can be read at https://www.experts-exchange.com/questions/20225050/starting-and-stopping-tcp.html

On Solaris you can use ndd; IIRC there is a switch to allow SUID scripts (sorry, can't remember), and there is a trick using /dev/fd instead of the hashbang mechanism, can't remember that either ('cause I'm security paranoid :)
Tintin

Solaris (and a lot of other Unix flavours) don't allow SUID scripts.

sudo still seems like the most sensible answer.
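Since several replies above say that Solaris and other kernels simply ignore the setuid bit on "#!" scripts (which is why the asker's chown/chmod attempt never gave the script root), here is an added audit helper, not from the thread, that a defender can run to find setuid/setgid files and tell interpreter scripts (bit set but ineffective, and a sign someone tried this) from real setuid binaries (bit effective, so they deserve review). The script path and the directories audited are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): report setuid/setgid files and classify
# each as an interpreter script or a binary. Most Unix kernels ignore the
# setuid bit on "#!" scripts, so a setuid mon.sh never actually runs as root,
# whereas a setuid binary does.

# suid_script_check FILE
# Prints one of: setuid-script | setuid-binary | not-setuid | missing
suid_script_check() {
    f=$1
    if [ ! -f "$f" ]; then
        echo missing
        return 0
    fi
    # -u / -g are the POSIX test operators for the setuid / setgid bits.
    if [ -u "$f" ] || [ -g "$f" ]; then
        # A first line starting with "#!" means an interpreter script.
        case "$(head -n 1 "$f" 2>/dev/null)" in
            '#!'*) echo setuid-script ;;
            *)     echo setuid-binary ;;
        esac
    else
        echo not-setuid
    fi
    return 0
}

# audit_tree DIR
# Lists every file under DIR with the setuid (4000) or setgid (2000) bit set,
# one "<classification> <path>" line each.
audit_tree() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        printf '%s %s\n' "$(suid_script_check "$f")" "$f"
    done
}

# Assumed invocation: ./suid-audit.sh /usr/local/bin /usr/local/sbin
if [ $# -gt 0 ]; then
    for d in "$@"; do
        audit_tree "$d"
    done
fi
```

Any line reported as setuid-binary is worth checking against the package manifest; a setuid-script line is harmless on kernels that ignore the bit but shows that someone has been trying the approach discussed in this thread.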
ASKER CERTIFIED SOLUTION
gheist (Belgium)
Some systems do not like setuid script files, so sudo should be used when adjusting the script to run with normal privileges is not an option.
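The sudo route that liddler and gheist both point to also answers the asker's worry about losing the current user's identity (the reason given for avoiding su): sudo exports SUDO_USER and SUDO_UID to the command it runs, so a root-run script can still record who started it. The script below is an added example, not code from the thread. It assumes the script is installed root-owned and not user-writable at /usr/local/sbin/mon.sh (otherwise the user could edit what root executes), that the log directory /var/log/session-monitor is root-owned with mode 0700 so users can neither read nor remove their own records, that a group named "users" is granted the rule shown in the comment, and that a logger binary is present for the syslog path. It deliberately does not launch `script` from the root context: `script` spawns a shell with the caller's privileges, so doing that under sudo would hand the user a root shell; the protected record is written as root and the session recording itself stays in the user's own context.

```sh
#!/bin/sh
# Added example (not from the thread): session-monitor record writer meant to
# be started through sudo rather than as a setuid script.
#
# Assumed sudoers rule (edit with visudo; "%users" is an assumed group name):
#   %users ALL = (root) NOPASSWD: /usr/local/sbin/mon.sh
# Users then call it from their profile with:  sudo /usr/local/sbin/mon.sh run
#
# sudo sets SUDO_USER to the invoking user, so the record names the real user
# even though the script runs as root; no su is needed.

LOGDIR=${LOGDIR:-/var/log/session-monitor}   # assumed root-owned, mode 0700

# session_record: print one log line identifying who really started the session.
session_record() {
    real_user=${SUDO_USER:-$(id -un)}
    tty_name=$(tty 2>/dev/null) || tty_name=none
    printf 'ts=%s user=%s euid=%s tty=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$real_user" "$(id -u)" "$tty_name"
}

# append_record FILE: append the record to FILE. The umask of 077 in the
# subshell makes a newly created file readable by its owner (root) only.
append_record() {
    (umask 077; session_record >> "$1")
}

# emit_to_syslog: send the same record to syslog (the accepted answer's
# suggestion) via logger, facility auth, priority notice. Skipped silently
# when no logger binary exists.
emit_to_syslog() {
    command -v logger >/dev/null 2>&1 || return 0
    logger -p auth.notice -t session-monitor -- "$(session_record)"
}

# Entry point; only runs when invoked with "run", so the functions can be sourced.
if [ "$1" = run ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "mon.sh: must be started via sudo" >&2
        exit 1
    fi
    mkdir -p "$LOGDIR"
    chmod 700 "$LOGDIR"
    append_record "$LOGDIR/$(date +%Y%m%d).log"
    emit_to_syslog
fi
```

Because the log directory is root-owned with mode 0700 and the record file is created with umask 077, the users whose logins are recorded cannot read or delete the records, which is the asker's original requirement, without any setuid bit on the script.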
Dear all, thank you for your help.
liddler, thank you for your comments. I used chmod and chown but still don't have permission. I think ahoffmann is correct: Solaris no longer allows SUID-root scripts, just SUID binaries, for security reasons.

gheist gave us the correct answer; we don't have to reinvent the wheel. I will use syslog. Thank you.