Bash script as root problem

William Scott Lockwood III vladinator at gmail.com
Sat Mar 16 22:35:30 UTC 2013


On Sat, Mar 16, 2013 at 5:23 PM, Johnny Rosenberg
<gurus.knugum at gmail.com> wrote:
> 2013/3/16 Amichai Rotman <amichai at iglu.org.il>:
>> Maybe by tweaking sudo: create a user, add it to sudoers and allow him to
>> run only the commands you want.
>
> I'm not sure how that is going to solve the problem, but maybe that's
> because I am not very good at this.
>
> This is what my problem looks like:
>
> MyScript.sh:
> #!/bin/bash
>
> Command_0
> Command_1
> Command_2
> Command_3
> Command_4
> Command_5
> Command_6
> Command_7
> Command_8
> Command_9
> # End of script
>
> Run the script:
> sudo ./MyScript.sh
>
> Now all of the ten commands run as root, right?
> But let's assume that I want Command_7 to run as user.
> Like this:
> MyScript.sh:
> #!/bin/bash
>
> sudo Command_0
> sudo Command_1
> sudo Command_2
> sudo Command_3
> sudo Command_4
> sudo Command_5
> sudo Command_6
> Command_7
> sudo Command_8
> sudo Command_9
> # End of script
>
> Run the script:
> ./MyScript.sh
>
> I heard somewhere, though, that running commands with sudo in a script
> is not the recommended way to do it. So I guess I need something like
> this (written in some kind of pseudo code):
> MyScript.sh:
> #!/bin/bash
>
> Command_0
> Command_1
> Command_2
> Command_3
> Command_4
> Command_5
> Command_6
> sudonot Command_7 # don't run this command as root
> Command_8
> Command_9
> # End of script
>
> Run the script:
> sudo ./MyScript.sh
>
>
> Johnny Rosenberg
>
>>
>> Amichai.
>>
>> Sent from my Android Smartphone
>>
>> On Mar 16, 2013 11:35 PM, "Johnny Rosenberg" <gurus.knugum at gmail.com> wrote:
>>>
>>> I have a bash script that I am going to run as root (sudo
>>> script_name), but in that script there is a line that I want to be
>>> executed as a regular user. Is that possible or do I need to do it the
>>> other way around, that is enter sudo at the beginning of every line
>>> except the one that I need to be run as a user?
>>>
>>>
>>> Johnny Rosenberg
>>>
>>> --
>>> ubuntu-users mailing list
>>> ubuntu-users at lists.ubuntu.com
>>> Modify settings or unsubscribe at:
>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>>

There is nothing wrong with having sudo in a script. Just make sure
it's not running as YOU, and that the only things it has permission to
run with sudo are what you have defined in the script, and always call
those things by absolute path. So, for example, if user walle has
permissions via sudoers to run importantscript1, make sure of two
things: that it is specified by absolute path in the sudoers file (and
that you call it that way), and that the script is locked down such
that user walle can't edit it. Then you can set up cron jobs to allow
walle to run certain maintenance jobs for you without the risk that an
attacker will put a script in walle's path before the location of the
script, but with the same name, whose whole job is to give the
attacker unrestricted root. Thus, walle can be allowed to run sudo as
root without a password and without giving away the keys to the box.

-- 
W. Scott Lockwood III
"There are four boxes to be used in defense of liberty:  soap, ballot,
jury, and ammo. Please use in that order." -Ed Howdershelt (Author)
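Putting the two halves of the thread together, as an added example that is not part of the original posts: a script meant to be started with sudo that drops back to the invoking user for one step (Johnny's "sudonot"), plus a check of the conditions Scott lists before a script is granted in sudoers. The user name walle, the script path and the sudoers line in the comment are constructed, and the checks assume GNU stat.

```shell
#!/bin/bash
# Added example (not from the thread). Run as: sudo ./MyScript.sh
set -eu

# "sudonot": run one command as the user who invoked sudo. sudo exports
# SUDO_USER; when the script was not started through sudo, run it directly.
run_as_invoker() {
    if [ "$(id -u)" -eq 0 ] && [ -n "${SUDO_USER:-}" ] && [ "$SUDO_USER" != root ]; then
        sudo -u "$SUDO_USER" -- "$@"
    else
        "$@"
    fi
}

# Before a sudoers rule such as (constructed example)
#   walle ALL=(root) NOPASSWD: /usr/local/sbin/importantscript1
# is added, verify what Scott asks for: the target is an absolute path,
# exists, is owned by the expected uid (root by default) and cannot be
# written by group or others, so walle cannot edit what runs as root.
# Prints the first failed condition and returns 1; returns 0 when all hold.
check_sudo_target() {
    path="$1"
    want_uid="${2:-0}"
    case "$path" in
        /*) ;;
        *)  echo "not an absolute path: $path"; return 1 ;;
    esac
    if [ ! -f "$path" ]; then
        echo "missing: $path"; return 1
    fi
    owner=$(stat -c '%u' "$path")      # GNU stat: numeric owner uid
    mode=$(stat -c '%a' "$path")       # GNU stat: octal permission bits
    if [ "$owner" -ne "$want_uid" ]; then
        echo "owned by uid $owner, expected $want_uid: $path"; return 1
    fi
    # 0$mode is read as octal; 022 masks the group- and world-write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "writable by group or others (mode $mode): $path"; return 1
    fi
    return 0
}

# Demonstration on a constructed target: a temp file owned by the current
# user, so it fails the root-ownership check unless this runs as root.
demo=$(mktemp)
chmod 0755 "$demo"
check_sudo_target "$demo" || true
rm -f "$demo"
run_as_invoker id -un
```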
