HPE Community
Operating System - HP-UX
1834285 Members
2237 Online
110066 Solutions
New Discussion

need to execute a script as root

 
SOLVED
Go to solution
Bill Costigan
Honored Contributor

‎07-28-2006 03:35 PM

‎07-28-2006 03:35 PM

need to execute a script as root

Is there some way the I could allow a non-root user to execute a script and have the script executed as root?

I have a script that works if I run it as root but not as another user.

The real script actually runs on another server so a solution that would allow a non-root user on system1 to 'remsh -l root system2 script.sh' would be just as good.

Thanks
0 Kudos
4 REPLIES 4
A. Clay Stephenson
Acclaimed Contributor

‎07-28-2006 03:47 PM

‎07-28-2006 03:47 PM

Solution

Re: need to execute a script as root

I would never allow them on any box that I am responsible for but yes, you can set the setuid bit on a script and if the file is owned by root it can execute as root.

e.g.
chown root dangerous.sh
chmod 4550 dangerous.sh

You have to be very careful when such scripts are crafted because they are a security hole one could drive a truck through.

A much better alternative is to non set the setuid bit and let the script be run under sudo -- also sudo will automatically log the activity. You still need to be careful than no one can alter the script.

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.8p9/
If it ain't broke, I can fix that.
0 Kudos
inventsekar_1
Respected Contributor

‎07-28-2006 05:09 PM

‎07-28-2006 05:09 PM

Re: need to execute a script as root

Hi Bill,
sudo is the good solution.

To download it:
from the Porting And Archive Centre for HP-UX
http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.8p9/

http://www.courtesan.com/sudo/download.html

wikipedia:
http://en.wikipedia.org/wiki/Sudo

Sudo Manual:
http://www.courtesan.com/sudo/man/sudo.html
Sudo main page:
http://www.courtesan.com/sudo/
Be Tomorrow, Today.
0 Kudos
James R. Ferguson
Acclaimed Contributor

‎07-29-2006 12:51 AM

‎07-29-2006 12:51 AM

Re: need to execute a script as root

Hi Bill:

In addition to using 'sudo', in lieu of setting the setuid bit on a script, you can create a C wrapper that holds the setuid setting and simply 'exec's your script. This is safer than directly running setuid scripts.

In fact, on 11.23 you can control whether or not setuid scripts can be run at all. (Some flavors of Unix don't allow them under any conditions.)

By default on 11.23, the kernel parameter 'secure_sid_scripts' is set to one (1) which prevents simple setuid scripts from running. See here for more details:

http://docs.hp.com/en/B2355-60105/secure_sid_scripts.5.html

Regards!

...JRF...
0 Kudos
Bill Costigan
Honored Contributor

‎07-29-2006 02:45 AM

‎07-29-2006 02:45 AM

Re: need to execute a script as root

Thank you all.

I know this is a security hole. I need to run SAP's brbackup as the oracle user and I need the brbackup to call my script to create volume groups and such. As it is, brbackup was calling my scripr as the oracle user and that didn't work too well.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.