HPE Community
Operating System - HP-UX
1833540 Members
2762 Online
110061 Solutions
New Discussion

scrip to set root "at job"

 
romano r
Frequent Advisor

‎08-04-2005 01:22 AM

‎08-04-2005 01:22 AM

scrip to set root "at job"

hello,
I need to create a script to set an "at job" to root from any user who run the script. I set SUID as:
-rwsrwx--- 1 root users mostra
but the "at" command refer to the user queue and not to root one. Even if in the script I insert "at -l" it show just the user queue and not all "at jobs":
> cat mostra
#!/usr/bin/sh
/usr/bin/at -l

Thank you!
romano
0 Kudos
Reply
6 REPLIES 6
Steve Steel
Honored Contributor

‎08-04-2005 01:50 AM

‎08-04-2005 01:50 AM

Re: scrip to set root "at job"

Hi


Put a job for oot in crontab that runs every 10 minutes or so . Looks in a directory and runs anything it finds there before removing it.

Then users just put the job in roots in box and root runs it.

1)Directory with write for all.

2)1 script run by cron

find directory > /tmp/todoscripts
cat /tmp/todoscripts|while read line
do
chmod 777 $line
echo $line|at now
sleep 30
done
cat /tmp/todoscripts|while read line
do
/bin/rm $line
done


Your scripts could just be at commands

Steve Steel
If you want truly to understand something, try to change it. (Kurt Lewin)
0 Kudos
Reply
Andrew Merritt_2
Honored Contributor

‎08-04-2005 02:04 AM

‎08-04-2005 02:04 AM

Re: scrip to set root "at job"

I'm not quite clear exactly what you're asking for; are you asking for a way for any user to run a script as root?

Unless I'm missing something, it seems to me that Steve's suggestion would be opening the system wide open to any malicious or even just careless user to do untold damage to the system, and then removes the evidence.

If what you're asking for is the same thing, I think you should look for a different way of doing this.

Andrew
0 Kudos
Reply
RAC_1
Honored Contributor

‎08-04-2005 02:08 AM

‎08-04-2005 02:08 AM

Re: scrip to set root "at job"

Shouldn't you be using at -l "user_name"
There is no substitute to HARDWORK
0 Kudos
Reply
Kent Ostby
Honored Contributor

‎08-04-2005 02:34 AM

‎08-04-2005 02:34 AM

Re: scrip to set root "at job"

RAC --

at -l should list all jobs if not followed with a user.

"Well, actually, she is a rocket scientist" -- Steve Martin in "Roxanne"
0 Kudos
Reply
romano r
Frequent Advisor

‎08-04-2005 02:49 AM

‎08-04-2005 02:49 AM

Re: scrip to set root "at job"

Thank you for your answers!
I quite agree the Steve's proposal, probably he matched what I'm looking to do.

My need Is has twice aspects:
1) There is a scrip1 run by each user enabled to set an "at job" in queue "g" for script2 with root privileges (this works).
2) script1 must check how many (total)script2 are in the queue "g" in order to avoid an overhead caused by too many script2. This does not work because each user can see only its jobs of queue "g" even if script1 has SUID of root (only root can see all the jobs of all users of a queue).

HTH
thank you
0 Kudos
Reply
Marvin Strong
Honored Contributor

‎08-04-2005 03:14 AM

‎08-04-2005 03:14 AM

Re: scrip to set root "at job"

I have to chime in here. Just running files with at, from root within a directory, is asking for trouble. especially if you use 777 permissions you will be allowing anyone to do anything they want as root on this system.

example:
a user could copy any shell, set suid, chown it to root and have a root shell whenever they want. Of course they wouldnt need to do this because they can do anything as root anyway.

another example:
cd /dir
rm -rf *
lets say /dir doesn't exist because of a typo. Hope you have good backups.

those are just two examples.

My question would be why do so many of your users need to run things as root? there should be very little need for a user to run as root.

Its your system to maintain, but you certainly opening up the system to be exploited.

And well it would never pass a security audit from my standpoint.

If your users need to do specific things as root, you would be better off setting up sudo for the commands they need to use. At least then you can track who did what.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.