Can I make a script always execute as root?
Solution 1
Be really careful: scripts combined with setuid are dangerous!
First, please have a look on this question/answers, especially on this answer and security warning.
If you still want to execute your script with setuid
set, then you can write a short C program as wrapper and set the setuid
bit on the compiled binary.
Wrapper example:
int main(void) {
setuid(0);
clearenv();
system("/absolute/path/to/your/script.sh");
}
Another solution using sudo
(mentioned here):
-
As root, prevent write (and maybe other) access to your script:
chown root /absolute/path/to/your/script.sh chmod 700 /absolute/path/to/your/script.sh
-
Verify that noone except root can replace the script, e.g. by modifying the access rights of the parent folder:
chown root /absolute/path/to/your/ chmod 755 /absolute/path/to/your/
-
Modify sudo access rights in
/etc/sudoers
withvisudo
:ALL ALL = (root) NOPASSWD: /absolute/path/to/your/script.sh
More details about the settings (e.g. restricting access to specific users or groups) can be found in the sudoers manpage.
Afterwards, all users can run the script as root without password:
sudo /absolute/path/to/your/script.sh
This is similar to using the wrapper/setuid solution above.
Solution 2
Easiest and safest way is to use SETUID bits in file permissions. that way command permissions will be elevated to file owner permissions.
to prevent script from edition do not set write for everyone bits.
Related videos on Youtube
HappyDeveloper
Updated on September 18, 2022Comments
-
HappyDeveloper over 1 year
How to make a script execute as root, no matter who executes it?
I read about setuid but I'm not sure how to do this.
I'm using Linux, Ubuntu 12.04 LTS.
-
HappyDeveloper almost 12 years@slhck Linux, Ubuntu 12
-
slhck almost 12 years
setuid
won't work on scripts — it's disabled for security reasons on most *nix distributions these days. You can set it, but it'll be ignored. Maybe you can explain more about your actual problem so we can help you solve this instead? What script is it? Why do you need it to be executed as root? Is usingsudo
an alternative? -
Nam Phung almost 12 yearsHave you tried
sudo -s
?
-
-
Stephanie almost 12 yearsThe specific dangers aren't very obvious, but they revolve heavily around the environment. Unlike most programs, a shell script's behavior can be changed significantly by dozens of environment variables, enough so that without extensive safeguards, such a script can easily be tricked into executing arbitrary code.
-
Stephanie almost 12 yearsYou should add a call to clearenv() before the system call in that wrapper, completely blowing away the environment so that no evil settings are around to manipulate the script. kernel.org/doc/man-pages/online/pages/man3/clearenv.3.html
-
HappyDeveloper almost 12 years@Stephanie I must be doing something wrong, because all this looks too crazy for a common task. This is what I'm trying to do: serverfault.com/questions/401405/…
-
Stephanie almost 12 years@HappyDeveloper Not too crazy for a setuid script, since a poorly secured one is a path to root for anyone that manages to run it.
-
jjlin almost 12 years
sudo
can be used to give all users access to a particular program (or script). In that sense, it acts as a fancy setuid wrapper. It seems like that would typically be a better choice than writing your own setuid wrapper. -
speakr almost 12 years@HappyDeveloper You are just removing the sudo password when used with that specific script. Other commands are not affected. Also, you can specify ALL as user alias to allow all users access to run the script. I modified my answer accordingly.
-
John over 3 years@speakr It seems not work on Ubuntu.
setuid(0)
returns -1. -
speakr over 3 years@John I just tried it on Ubuntu and it works as expected. Did you set the setuid bit on the binary and did you chown the binary to root?