Run script as root at login (no sudoer user, shell session)


Solution 1

Just to go back to the sudoers method, I think you were almost there before you gave up. Looking at your latest comments, I'd just like to address something that will probably fix things for you:

If you run a script as root, you don't need to call sudo from within it.

I have a script like this:

#! /bin/bash

echo $USER
whoami

If I run sudo ./myscript, I see root returned for both of those. The session that script is running in is a root shell.

In short that means that everything you do in your script already has root permissions. You don't need to call sudo (not that it should hurt - root usually has sudo permissions).

So write your script, chown it to root and chmod it to 700 (so only root can run, read, or edit it) and then just allow your user[s] to run it through sudoers. That should work.

If it's not working, it's likely a bigger issue with the script, not the permissions framework. I'd suggest giving a user full sudo access (adding to admin group is the easiest way) and then running your script.
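The setup this answer describes (root-owned script, mode 700, one sudoers rule for the user), as an added example that is not part of the original answer. The user name `appuser`, the path `/usr/local/sbin/bind_mount.sh`, the use of `NOPASSWD` and the helper names are assumptions; the ownership check assumes GNU `stat`.

```shell
#!/bin/bash
# Hypothetical names: user "appuser", script /usr/local/sbin/bind_mount.sh.
# Assumes GNU stat (stat -c). NOPASSWD is an assumption for unattended use at login.

# Print a sudoers rule letting one user run exactly one script as root.
# The trailing "" forbids arguments, so the caller cannot steer the script.
sudoers_rule() {
    local user=$1 script=$2
    case $script in
        /*) ;;   # sudoers matches commands by absolute path
        *)  echo "script path must be absolute" >&2; return 1 ;;
    esac
    printf '%s ALL=(root) NOPASSWD: %s ""\n' "$user" "$script"
}

# Succeed only if the script is safe to name in sudoers: a regular file (not a
# symlink), owned by the expected uid (0 = root), with no group/other write
# bit on the file or on its directory. Anything a normal user can edit or
# replace would become a root shell through the rule above.
check_script() {
    local script=$1 want_uid=${2:-0} target
    if [ ! -f "$script" ] || [ -L "$script" ]; then
        echo "$script: not a regular file" >&2; return 1
    fi
    for target in "$script" "$(dirname "$script")"; do
        if [ "$(stat -c '%u' "$target")" != "$want_uid" ]; then
            echo "$target: not owned by uid $want_uid" >&2; return 1
        fi
        # stat prints the mode in octal; the leading 0 keeps it octal here
        if [ $(( 0$(stat -c '%a' "$target") & 022 )) -ne 0 ]; then
            echo "$target: writable by group or others" >&2; return 1
        fi
    done
}

# As root, the install would look like this (commented out: needs root):
#   install -o root -g root -m 700 bind_mount.sh /usr/local/sbin/bind_mount.sh
#   check_script /usr/local/sbin/bind_mount.sh
#   sudoers_rule appuser /usr/local/sbin/bind_mount.sh > rule.tmp
#   visudo -cf rule.tmp && install -o root -g root -m 440 rule.tmp /etc/sudoers.d/bind_mount
sudoers_rule appuser /usr/local/sbin/bind_mount.sh
```

With the rule in place, the user runs `sudo /usr/local/sbin/bind_mount.sh` and the `mount --bind` inside the script needs no `sudo` of its own.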

Solution 2

Step 1. Create a script with the bind command using any editor. For example:

sudo emacs bind_user_directories.sh

contents:

#!/bin/bash

#NOTE: this file would be placed in /usr/local/sbin/ folder as bind_user_directories.sh
#alternatively it could be placed in /etc/init.d/ ... (I guess)

### BEGIN INIT INFO
# Provides:          bind_user_directories
# Required-Start:    
# Required-Stop:     
# Should-Start:      $named
# Default-Start:     0 2 3 4 5 6 (I guess...)
# Default-Stop:      1
# Short-Description: mount --bind for a user
# Description:       runs mount --bind command for certain pre-defined directories for a specific user
### END INIT INFO

# Load log_progress_msg and log_success_msg (LSB init functions)
. /lib/lsb/init-functions

# What is this?
DESC="bind_user_directories"

# See how we were called.
case "$1" in

    start)
        log_progress_msg "bind directories for user..."
        sudo mount --bind /source/path /target/path
        log_progress_msg "done: bind directories for user"
        ;;

    stop)
        log_progress_msg "umount --bind directories for user..."
        sudo umount /target/path
        log_progress_msg "done: unbind directories for user"
        ;;

    restart)
        $0 stop
        sleep 1
        $0 start
        ;;

    *)
        #log_success_msg "Usage: bind_user_directories {start|stop|restart}"
        log_success_msg "Usage: service bind_user_directories <start|stop|restart>"
        exit 1
        ;;
esac

exit 0

Step 2. Save bind_user_directories.sh and make it executable:

chmod a+x bind_user_directories.sh

Step 3. Link it to a suitable location such as /usr/local/sbin:

sudo ln -s "$PWD/bind_user_directories.sh" /usr/local/sbin/bind_user_directories.sh

Step 4. Create the upstart script:

sudo emacs /etc/init/bind_user_directories.conf

contents:

description "runs mount --bind command for certain pre-defined directories for a specific user"

start on filesystem and net-device-up IFACE!=lo

stop on runlevel [!023456]
console output
respawn
respawn limit 10 5

exec /usr/local/sbin/bind_user_directories.sh start

If this works for you, please let me know. You can check the system log for messages after logging in. (I didn't test it yet and I have never implemented anything like this before.) If you improve the solution, please share your final solution here. Thanks.

Author: Antonio Sánchez

Updated on September 18, 2022

Comments

  • Antonio Sánchez over 1 year

    Much like /etc/profile and ~/.profile, but run by root instead of by the user who is logging in. /etc/rc.local runs after boot, but I need to run the script before login. The user is not a sudoer.

    Thanks!

    • Eliah Kagan over 12 years
      There may be a way to do this, but it wouldn't be like /etc/profile or ~/.profile because running code in those scripts is done by the user's shell and is subject to control of the user, whereas if you don't want the user to have the power to run programs as root themselves, then this will have to be done by some running service external to the user's processes. ...It might help if you could tell us the purpose of the script you want to run.
    • Antonio Sánchez over 12 years
      I need to perform one specific (--bind) mount for one specific user. I have tried fstab with owner and user options, but it does not work. /etc/rc.local is one option but it always performs the mount whether the user logs in or not. I have currently granted sudoer privileges for 'mount' to the user, but this is a workaround and I don't like granting any privileges to standard users. I think I will use rc.local instead. Thanks!
    • enzotib over 12 years
      You could create a root script with only that particular mount command, and give the user the privilege to run only that script (configuring /etc/sudoers). A command with given options can be set directly in sudoers.
    • Antonio Sánchez over 12 years
      I have already tried that way. The thing is that when the time comes for running 'mount' inside the script, again 'sudo' is mandatory, because the script is run by 'user' and not by 'root', so at the end of the day 'mount' must be granted too for 'user' and instead of just one sudoers rule now I have two. This is my experience, so please bear in mind that I'm not an expert and maybe I have done something wrong. Thanks!
  • Eliah Kagan over 12 years
    But what Antonio Sánchez is looking for is how to make a script run as root at the time a particular user logs in.
  • Antonio Sánchez over 12 years
    The script must run regardless of whether the session is graphical or a standard shell. I have updated the title to remark this. I have read something about Upstart, but it looks complicated for the (apparently) simple task it is. Anyway, up to now Upstart seems to be the only way to do it. If you know Upstart, would it be difficult to learn enough to get this job done? Thanks!
  • Adam Ryczkowski about 10 years
    Yes, it works! It is a great alternative to the mdm's /etc/mdm/PostLogin/ scripts in Ubuntu's world!!
  • Adam Ryczkowski over 7 years
    Do you have any similar solution in systemd?... Cf. askubuntu.com/questions/847930/…