
need to execute a script as root

 
Bill Costigan
Honored Contributor

need to execute a script as root

Is there some way that I could allow a non-root user to execute a script and have the script executed as root?

I have a script that works if I run it as root but not as another user.

The real script actually runs on another server so a solution that would allow a non-root user on system1 to 'remsh -l root system2 script.sh' would be just as good.

Thanks
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: need to execute a script as root

I would never allow them on any box that I am responsible for but yes, you can set the setuid bit on a script and if the file is owned by root it can execute as root.

e.g.
chown root dangerous.sh
chmod 4550 dangerous.sh

You have to be very careful when such scripts are crafted because they are a security hole one could drive a truck through.

A much better alternative is to not set the setuid bit and let the script be run under sudo -- also sudo will automatically log the activity. You still need to be careful that no one can alter the script.

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.8p9/
If it ain't broke, I can fix that.
inventsekar_1
Respected Contributor

Re: need to execute a script as root

Hi Bill,
sudo is the good solution.

To download it:
from the Porting And Archive Centre for HP-UX
http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.8p9/

http://www.courtesan.com/sudo/download.html

wikipedia:
http://en.wikipedia.org/wiki/Sudo

Sudo Manual:
http://www.courtesan.com/sudo/man/sudo.html
Sudo main page:
http://www.courtesan.com/sudo/
Be Tomorrow, Today.
James R. Ferguson
Acclaimed Contributor

Re: need to execute a script as root

Hi Bill:

In addition to using 'sudo', in lieu of setting the setuid bit on a script, you can create a C wrapper that holds the setuid setting and simply 'exec's your script. This is safer than directly running setuid scripts.

In fact, on 11.23 you can control whether or not setuid scripts can be run at all. (Some flavors of Unix don't allow them under any conditions.)

By default on 11.23, the kernel parameter 'secure_sid_scripts' is set to one (1) which prevents simple setuid scripts from running. See here for more details:

http://docs.hp.com/en/B2355-60105/secure_sid_scripts.5.html

Regards!

...JRF...
Bill Costigan
Honored Contributor

Re: need to execute a script as root

Thank you all.

I know this is a security hole. I need to run SAP's brbackup as the oracle user and I need the brbackup to call my script to create volume groups and such. As it is, brbackup was calling my script as the oracle user and that didn't work too well.