8

I have a bash script that needs to run with root privileges, but must be invoked by the normal user.

The difficult part is that the script should not ask for a password, and I don't want to use the sudoers file. I'd like to avoid using sudo or su.

Is this possible?

Michael Mrozek
Stefan

2 Answers

9

If it wasn't a bash script but a regular application, you would give ownership of it to root and set the setuid bit on the application. Then upon execution, the effective user the application is running under is root. Due to security concerns, however, this is prohibited for shell scripts on many systems. This question here on unix.stackexchange.com deals with ways to overcome this.

fschmitt
  • Nice, I was just posting a link to that. Hemant's answer is a good solution – Michael Mrozek Oct 08 '10 at 07:51
  • Would Ruby count as a shell script? – Stefan Oct 08 '10 at 07:52
  • 1
    @Stefan Yes, anything that gets run through an interpreter does, because it's not the script itself that gets run, it's the ruby interpreter, which isn't setuid. You need an actual binary to use setuid – Michael Mrozek Oct 08 '10 at 07:53
  • 2
    I wish I could vote this down, but unfortunately I lack 25 reputation points. Letting normal users run a bash script as root is a VERY BAD idea, unless you know exactly what you're doing (and if you have to ask how to do it, you don't). If the OP posted his script here, I'd probably find at least 3 ways to exploit it. There is a reason almost all distributions make this hard. – Kim Oct 08 '10 at 08:54
  • One of the main principles of Unix is: "Give the user any opportunity to shoot himself in the foot" :-) – fschmitt Oct 08 '10 at 09:25
  • @MichaelMrozek Hemant's answer is a good solution, providing you don't mind giving everybody access to the root account. If you want to do that, then you might as well save yourself the trouble and give them the root password. – Gilles 'SO- stop being evil' Oct 16 '13 at 19:37
1

Use sudo. If you don't want to have to call sudo /path/to/myscript, write a one-line wrapper exec sudo /path/to/myscript "$@". See Allow setuid on shell scripts, particularly Maciej Piechotka's answer on using sudo and my more general discussion of setuid programs.
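Putting the answer's one-line wrapper together with the sudoers rule it implies, as an added example that is not the answer's own code: it generates both and first checks that the target script is root-owned and writable only by root, because a NOPASSWD rule on a script someone else can edit is a root shell for that person. It assumes GNU stat (Linux); the user name and the path /usr/local/sbin/myscript are placeholders.

```shell
#!/bin/sh
# Added example, not from the answer above: the wrapper it describes
# (exec sudo /path/to/myscript "$@"), the matching sudoers line, and a
# pre-flight check to run before that line goes in via visudo.
# Assumptions: GNU stat; user name and script path are placeholders.

# Return 0 when an octal mode string (755, 4755, 1777, ...) gives no
# write access to group or others. Owner-only write is the minimum bar
# for anything sudo will run as root without a password.
perm_is_safe() {
    case "$1" in
        *[2367][0-7]|*[0-7][2367]) return 1 ;;   # group or other writable
        *) return 0 ;;
    esac
}

# Return 0 when the script exists, is owned by root, is writable only by
# root, and sits in a directory with the same property (otherwise the
# file could simply be replaced, e.g. in /tmp).
target_is_safe() {
    f=$1
    [ -f "$f" ] || return 1
    [ "$(stat -c %u "$f")" -eq 0 ] || return 1
    perm_is_safe "$(stat -c %a "$f")" || return 1
    perm_is_safe "$(stat -c %a "$(dirname "$f")")"
}

# sudoers entry: exactly this user, exactly this command, no password.
# Install it with visudo (or visudo -f /etc/sudoers.d/myscript), never
# by editing /etc/sudoers directly.
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# The one-line wrapper from the answer; "$@" forwards all arguments.
wrapper_script() {
    printf '#!/bin/sh\nexec sudo %s "$@"\n' "$1"
}

main() {
    user=${1:-alice}
    script=${2:-/usr/local/sbin/myscript}
    target_is_safe "$script" || { echo "refusing: $script is not safe to expose" >&2; return 1; }
    sudoers_rule "$user" "$script"
    wrapper_script "$script"
}

if [ -n "${1:-}" ]; then main "$@"; fi   # e.g. ./mk_wrapper.sh alice /usr/local/sbin/myscript
```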