ubuntu: let a user run a script with root permissions
Solution 1
If this was a normal binary, you could setuid by running
# chmod u+s /path/to/binary
Unfortunately, scripts can't be setuid. (Well you can, but it's ignored). The reason for this is that the first line of the script tells the OS what interpreter to run the script under. For example if you had a script with:
#!/bin/bash
You'd actually end up running
/bin/bash /path/to/script
Obviously, you'd need the interpreter to be setuid, which would then mean all scripts would be setuid. This would be bad.
You can do this with sudo by putting the following in your /etc/sudoers file by running visudo.
ALL ALL=NOPASSWD: /path/to/script
And now any user can run
$ sudo /path/to/script
This allows them to run the script without typing in their password.
There is an alternative that doesn't require sudo in the command, which requires creating a small setuided binary that execs your script, but every additional setuid binary adds another potential security problem.
Solution 2
I needed to insert that line AT THE END of /etc/sudoers : ALL ALL = NOPASSWD: <filename>
Apparently, a later %admin ALL=(ALL) ALL
override required a password for admin users.
There is no security problem allowing a script to be run as root as long as the script does a well determined, harmless, allowed action and, if values for any parameters cannot cause the script to misbehave.
But there is a gotcha...
Always use full paths in command and file names.
If you write something like echo Hello world!
in myrootscript
,
someone might write a ~/bin/echo script
and myrootscript
would execute as root whatever is in it.
/bin/echo "Hoping this will keep you safe"
:-)
Solution 3
By default, members of the wheel
group are permitted to sudo
any command as root
. This is probably how you are using sudo
to date.
To permit another user you will need to create a sudoers
rule. For example:
mickey.mouse ALL = (root) NOPASSWD: /usr/local/bin/test.sh
Will allow the user mickey.mouse
to run the command /usr/local/bin/test.sh
as root
without requiring an additional password prompt.
You should read this document for more information.
Related videos on Youtube
flybywire
Updated on September 17, 2022Comments
-
flybywire over 1 year
I have ubuntu 8.04 and I want to write a bash script that runs as
root
which every user can run.I myself can do sudo.
How do I do that?
CLARIFICATION: I don't want to do it with sudo, because then users will have to type their password. I just want them to run the script as root, perhaps something setuid, dunno.
-
David Pashley over 14 yearsDebian/Ubuntu use the admin group rather than wheel. It's possibly a slightly more accurate name.
-
Dan Carley over 14 yearsCall me old fashioned, but.. ;)
-
David Pashley over 14 yearsold fashioned :P
-
flybywire over 14 yearsI think this is the answer I was looking for. Can't I setuid a bash script, only a binary? (Of course, I would take measures to make it uneditable)
-
wfaulk over 14 yearsNo, you cannot make a script setuid.
-
Kyle Brandt over 14 yearswfaulk: You used to be able to, but most recent Linux distros do not allow it anymore. You can use a tool like shc to 'compile' the script, and then make it setuid.
-
Kyle Brandt over 14 yearswfaulk: Of course, that would be going out of your way to do something that is intentionally disabled, so it is probably a bad idea :-)
-
hdave about 11 yearsif it is possible for a non-root user on the machine to edit that script then it is possible for that user to take over the machine. If that same user has a weak password then nothing is keeping your machine from being totally compromised.
-
hdave about 11 yearsReplace the term
ALL
with a user name to allow just that one sudoer to be able to run without entering a password.