ubuntu: let a user run a script with root permissions

root permissions ubuntu sudo

I have ubuntu 8.04 and I want to write a bash script that runs as root which every user can run.

I myself can do sudo.

How do I do that?

CLARIFICATION: I don't want to do it with sudo, because then users will have to type their password. I just want them to run the script as root, perhaps something setuid, dunno.


Solution 1:

If this was a normal binary, you could setuid by running

# chmod u+s /path/to/binary

Unfortunately, scripts can't be setuid. (Well you can, but it's ignored). The reason for this is that the first line of the script tells the OS what interpreter to run the script under. For example if you had a script with:

#!/bin/bash

You'd actually end up running 

/bin/bash /path/to/script

Obviously, you'd need the interpreter to be setuid, which would then mean all scripts would be setuid. This would be bad.

You can do this with sudo by putting the following in your /etc/sudoers file by running visudo.

ALL ALL=NOPASSWD: /path/to/script

And now any user can run

$ sudo /path/to/script

This allows them to run the script without typing in their password.

There is an alternative that doesn't require sudo in the command, which requires creating a small setuided binary that execs your script, but every additional setuid binary adds another potential security problem.

Solution 2:

I needed to insert that line AT THE END of /etc/sudoers : ALL ALL = NOPASSWD: <filename> Apparently, a later %admin ALL=(ALL) ALL override required a password for admin users.

There is no security problem allowing a script to be run as root as long as the script does a well determined, harmless, allowed action and, if values for any parameters cannot cause the script to misbehave.

But there is a gotcha...

Always use full paths in command and file names. If you write something like echo Hello world! in myrootscript, someone might write a ~/bin/echo script and myrootscript would execute as root whatever is in it.

/bin/echo "Hoping this will keep you safe" :-)

Solution 3:

By default, members of the wheel group are permitted to sudo any command as root. This is probably how you are using sudo to date.

To permit another user you will need to create a sudoers rule. For example:

mickey.mouse ALL = (root) NOPASSWD: /usr/local/bin/test.sh

Will allow the user mickey.mouse to run the command /usr/local/bin/test.sh as root without requiring an additional password prompt.

You should read this document for more information.

Related

HowTo redirect HTTP to HTTPS on the same httpd?
/home/vhosts/ or /var/www/
yum-security for CentOS?
How do I set up per-site php.ini files on a LAMP server using NameVirtualHosts?
How do I set a default host for nginx?
How to enable the 2 concurrent (+1 console) sessions on Windows Server 2012
Is iLO safe enough to be hung on the WAN
What is the order group policy settings are applied?
how to filter rsyslog messages by tags
Nginx includes config files not in order?
How can I speed up MSI package install and uninstall?
Mixing disks of different sizes in a Storage Spaces pool