ubuntu: let a user run a script with root permissions
I have ubuntu 8.04 and I want to write a bash script that runs as root
which every user can run.
I myself can do sudo.
How do I do that?
CLARIFICATION: I don't want to do it with sudo, because then users will have to type their password. I just want them to run the script as root, perhaps something setuid, dunno.
Solution 1:
If this was a normal binary, you could setuid by running
# chmod u+s /path/to/binary
Unfortunately, scripts can't be setuid. (Well you can, but it's ignored). The reason for this is that the first line of the script tells the OS what interpreter to run the script under. For example if you had a script with:
#!/bin/bash
You'd actually end up running
/bin/bash /path/to/script
Obviously, you'd need the interpreter to be setuid, which would then mean all scripts would be setuid. This would be bad.
You can do this with sudo by putting the following in your /etc/sudoers file by running visudo.
ALL ALL=NOPASSWD: /path/to/script
And now any user can run
$ sudo /path/to/script
This allows them to run the script without typing in their password.
There is an alternative that doesn't require sudo in the command, which requires creating a small setuided binary that execs your script, but every additional setuid binary adds another potential security problem.
Solution 2:
I needed to insert that line AT THE END of /etc/sudoers : ALL ALL = NOPASSWD: <filename>
Apparently, a later %admin ALL=(ALL) ALL
override required a password for admin users.
There is no security problem allowing a script to be run as root as long as the script does a well determined, harmless, allowed action and, if values for any parameters cannot cause the script to misbehave.
But there is a gotcha...
Always use full paths in command and file names.
If you write something like echo Hello world!
in myrootscript
,
someone might write a ~/bin/echo script
and myrootscript
would execute as root whatever is in it.
/bin/echo "Hoping this will keep you safe"
:-)
Solution 3:
By default, members of the wheel
group are permitted to sudo
any command as root
. This is probably how you are using sudo
to date.
To permit another user you will need to create a sudoers
rule. For example:
mickey.mouse ALL = (root) NOPASSWD: /usr/local/bin/test.sh
Will allow the user mickey.mouse
to run the command /usr/local/bin/test.sh
as root
without requiring an additional password prompt.
You should read this document for more information.