topic Re: need to execute a script as root in Operating System - HP-UX

need to execute a script as root

Bill Costigan — Fri, 28 Jul 2006 22:35:27 GMT

Is there some way the I could allow a non-root user to execute a script and have the script executed as root?

I have a script that works if I run it as root but not as another user.

The real script actually runs on another server so a solution that would allow a non-root user on system1 to 'remsh -l root system2 script.sh' would be just as good.

Thanks

Re: need to execute a script as root

A. Clay Stephenson — Fri, 28 Jul 2006 22:47:13 GMT

I would never allow them on any box that I am responsible for but yes, you can set the setuid bit on a script and if the file is owned by root it can execute as root.

e.g.
chown root dangerous.sh
chmod 4550 dangerous.sh

You have to be very careful when such scripts are crafted because they are a security hole one could drive a truck through.

A much better alternative is to non set the setuid bit and let the script be run under sudo -- also sudo will automatically log the activity. You still need to be careful than no one can alter the script.

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.8p9/

Re: need to execute a script as root

inventsekar_1 — Sat, 29 Jul 2006 00:09:57 GMT

Hi Bill,
sudo is the good solution.

To download it:
from the Porting And Archive Centre for HP-UX
http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.8p9/

http://www.courtesan.com/sudo/download.html

wikipedia:
http://en.wikipedia.org/wiki/Sudo

Sudo Manual:
http://www.courtesan.com/sudo/man/sudo.html
Sudo main page:
http://www.courtesan.com/sudo/

Re: need to execute a script as root

James R. Ferguson — Sat, 29 Jul 2006 07:51:50 GMT

Hi Bill:

In addition to using 'sudo', in lieu of setting the setuid bit on a script, you can create a C wrapper that holds the setuid setting and simply 'exec's your script. This is safer than directly running setuid scripts.

In fact, on 11.23 you can control whether or not setuid scripts can be run at all. (Some flavors of Unix don't allow them under any conditions.)

By default on 11.23, the kernel parameter 'secure_sid_scripts' is set to one (1) which prevents simple setuid scripts from running. See here for more details:

http://docs.hp.com/en/B2355-60105/secure_sid_scripts.5.html

Regards!

...JRF...

Re: need to execute a script as root

Bill Costigan — Sat, 29 Jul 2006 09:45:02 GMT

Thank you all.

I know this is a security hole. I need to run SAP's brbackup as the oracle user and I need the brbackup to call my script to create volume groups and such. As it is, brbackup was calling my scripr as the oracle user and that didn't work too well.