topic Re: run script as root in Operating System - HP-UX

run script as root

Jim Mickens — Mon, 20 Aug 2001 19:10:57 GMT

I have a script that my users can use to move their completed job files to an online archive area for holding. We were having trouble with some of the files being moved due to priveleges, so I added a command to change the priv of all the files in the directory. Now the problem is not all the files belong to the same user, so unless the person running the script owns all the files, they can't change the priv. settings. Is there any way to set up the script so that it runs as if it was being run by root, but so that any user can run the script?

Re: run script as root

Jerry Zhang — Mon, 20 Aug 2001 19:24:38 GMT

You can use SUID on the script, so that any user can run it as the owner. For example,

# ll test
-rwxr-xr-x 1 root sys ... test

# chmod 4755 test
# ll test
-rwsr-xr-x 1 root sys ... test

Hope it helps.

Re: run script as root

Mladen Despic — Mon, 20 Aug 2001 19:28:04 GMT

Hi Jim,

If it is acceptable to your users, I would set up a cron job by root that would run your script at certain times on a regular basis.

Regards ... Mladen

Re: run script as root

linuxfan — Mon, 20 Aug 2001 19:29:43 GMT

Hi Jim,

you can use "sudo". You can set it up such that regular users can run scripts/commands as other users/root without having suid/sgid scripts and also it logs all the commands run.

You can download the source from
ftp://ftp.courtesan.com/pub/sudo
or download sudo in swinstall format from
http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.2b1/

-HTH
Ramesh

Re: run script as root

Jim Mickens — Mon, 20 Aug 2001 19:32:59 GMT

The SUID did the trick. I think the script used to be that way, but somehow got turned off recently. My users started reporting that the script didn't work a couple of weeks ago. Lord knows how long it didn't work before they started telling me.

Re: run script as root

Thierry Poels_1 — Mon, 20 Aug 2001 19:33:16 GMT

hi,

chmod u+s has NO effect on shell scripts !!

so, other options:
- write a little C-program to do your stuff (possibly by only using host commands) and "chmod u+s" the executable file.
- use sudo
- launch the script from root's crontab every n minutes
- ...

good luck,
Thierry.

Re: run script as root

Deshpande Prashant — Mon, 20 Aug 2001 19:33:26 GMT

Hi
Try setting SUID bit on the script to be run as root or other user id.
-rws-r-xr-x 1 root users 18667 Aug 26 2000 check-lg-space.ksh
Everybody will be able to run above script as root.

-rws-r-xr-- 1 dmcapp1 users 18667 Aug 26 2000 start-dm-app.ksh
Members of users group will be able to run above script as user dmcapp1.

Prashant.

Re: run script as root

Sridhar Bhaskarla — Tue, 21 Aug 2001 01:47:12 GMT

I wonder suid bit will work for the scripts. You can write a small c program and embed the script in it.

main ()
{
system ("your_script_name");
}

Compile and give suid to the executable.

SUID on script won't work.

-Sri

Re: run script as root

Thierry Poels_1 — Tue, 21 Aug 2001 06:02:14 GMT

hi,
however you can actually execute "chmod +s" on any file, and see its result with ll : "rws------" : a shell script will NOT be influenced by the set owner bit, it will still be executed by the executing user, not by the owner of the file. I agree with Sridhar on this.
regards,
Thierry.

Re: run script as root

Darrell Allen — Tue, 21 Aug 2001 13:43:11 GMT

First, be very careful with suid programs and scripts! They can work well but there's a number of security issues involved. If set up without locking down the perms on the files and directories involved, you could leave the system wide open for all kinds of mischievousness as well as for accidental mistakes by your users.

As others have said, suid on a script doesn't work (though I seen different results on different flavors of UNIX). I've included a C program you can modify to call a script and run it as root. The executable will need to be suid but the script itself could have 0 perms.

Also, notice I use setuid(0) within the program. That's because I've had some programs called from a script that didn't work without it even though the suid bit was on the executable.

Though I don't use this anymore, here's how I set it up:

Assuming mis group needs to run "script"

/var/adm/local 550 root:mis
/var/adm/local/src 000 root:sys
/var/adm/local/src/runner.c 000 root:sys
/var/adm/local/bin 010 root:mis
/var/adm/local/bin/runner 4010 root:mis
/var/adm/local/scripts 000 root:sys
/var/adm/local/scripts/script 000 root:sys

As always, use at your own risk.

Darrell

Re: run script as root

Kevin Wright — Tue, 21 Aug 2001 14:17:47 GMT

Occasionally SUID DOES work on scripts..it has worked for me recently, and it apparently worked in this case as well..However, I also have had times when it does NOT work..I don't know the difference, I just know that sometimes it DOES work..

Re: run script as root

Wodisch — Tue, 21 Aug 2001 22:57:25 GMT

Hello Jim,

well, SUID really *does* work on Scripts, BUT you have
to write your scripts in a slighty different way (you
should do all your scripts that way):

- the first line MUST contain the interpreter-path, e.g.:
#!/bin/sh

- the next lines should set the $PATH to *trusted* dirs
only, or you call all commands with absolute paths

- the script should NOT have read-permissions for the
group NOR for the world, but only for the owner

- the script MUST have read and execute and SUID
permission for the owner, but ONLY execute permission
for group and world

HTH,
Wodisch