4

I want to run a command that requires sudo, but non-interactively, so typing in a password isn't an option. In my specific case I want to create an automator/shortcut action on my phone to execute this script on my server via an ssh login.

In my case, I want to start a virtual machine with virsh start, which I know I can configure to allow a non-root user to start the machine, but I'm curious about this solution in general, especially in a case where a non-root option isn't available.

I'm also picturing that the unprivileged user only needs to be able to run a single script that I define, not an arbitrary command. In other words, the user simply needs to be able to trigger the script to run - they do not supply any arguments, and even if they found a way to do so the arguments would be ignored.

Also in my case the server is only used by me, and is behind a firewall. It has internet connectivity (in that it can download things), but cannot be accessed from the internet. I either have to be on my LAN or connected via VPN to reach it, and I only expect to use this script while specifically at home. Still - I'm concerned about learning "good practice" here.

The server itself is running Debian Testing. My concern is that allowing passwordless sudo seems risky. Is there a better way to do this where a theoretically unprivileged account can trigger a privileged script or command to run? Should I just use a script running as root to monitor for some file to be created every minute or so and have the script just touch that file? Can I create a user who can only sudo that script?

fergu
  • 143
  • There are many different approaches and options available. I see this question as very general, broad, and vague--not a good question for this site. Please clarify and/or do some research to better understand the scope and narrow it down. If you have done so already, please edit your question to tell us what you have researched, tried, and/or what is not suitable or other restrictions. – C. M. Jul 08 '21 at 20:13
  • You say "the unprivileged user only needs to be able to run a single script" and "they do not supply any argument" - this is the safest way of using sudo, of doing what you want. – cas Jul 09 '21 at 04:56
  • The only thing to add to that is that the script run as root should do as little as possible. If there's a lot of stuff that the script needs to do that doesn't need root privileges, and only one or two things that need root (and they don't need args or variables from the rest of the script - hard-code as much as possible), then split it into two or more scripts. – cas Jul 09 '21 at 04:56
  • There is a better way to do this, with PolicyKit rules, but Debian has bizarrely held back PolicyKit to a nearly 10 year old version which does not support such rules. – Michael Hampton Jul 09 '21 at 11:32

2 Answers

10

You can configure sudo to allow specific users (or groups) to run named commands; in /etc/sudoers (use visudo to edit it):

user ALL = NOPASSWD: /path/to/command

will allow user user to run sudo /path/to/command without being prompted for a password.

Stephen Kitt
  • 434,908
  • Is there any difference in terms of security between this and just setting SUID for the command itself? – AnOccasionalCashew Jul 08 '21 at 22:18
  • 1
    @AnOccasionalCashew Linux ignores setuid bit on scripts - see Allow setuid on shell scripts. Also, setuid programs can be run by anyone who has execute permission on the binary (so you can limit it to the setuid user itself and the executable's group). sudo allows you to run scripts & binaries as root/other-user AND control exactly which users are allowed to run a program as root (or as another user) AND control the environment and the args passed to the executable. – cas Jul 09 '21 at 05:09
  • 2
    Some distributions set requiretty by default in sudo's configuration. This can be selectively unset by using the same Cmnd_Alias for the command to run and the exception about requiretty, e.g.
        Cmnd_Alias NONINTERACTIVE = /path/to/command
        user ALL = NOPASSWD: NONINTERACTIVE
        Defaults!NONINTERACTIVE !requiretty
    That doesn't appear to be needed for Debian. – A.B Jul 09 '21 at 09:52
  • @cas: And sudo keeps logs of who uses (or tries to use) the command, which setuid does not. – psmears Jul 09 '21 at 10:06
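
Added example (not part of the answer above, and not a sudo feature): a NOPASSWD rule for /path/to/command is only as narrow as the write permissions on that path, because anyone who can replace the file or one of its parent directories controls what runs as root. The hypothetical helper check_sudo_target below walks from the script up to a stop directory and reports every component that is a symlink, is not owned by the trusted uid, or is group- or world-writable; the function name and its three parameters are assumptions made for this example.

```shell
#!/bin/sh
# check_sudo_target PATH [TRUSTED_UID] [TOP]  (hypothetical helper, not part of sudo)
#   PATH         absolute path named in the sudoers NOPASSWD rule
#   TRUSTED_UID  numeric uid allowed to own every path component (default 0 = root)
#   TOP          directory where the upward walk stops (default /)
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on bad input.
check_sudo_target() {
    p=$1
    trusted=${2:-0}
    top=${3:-/}
    findings=0
    case $p in
        /*) ;;
        *) echo "not an absolute path: $p" >&2; return 2 ;;
    esac
    [ -f "$p" ] || { echo "not a regular file: $p" >&2; return 2; }
    while :; do
        if [ -L "$p" ]; then
            echo "symlink, audit the resolved path instead: $p"
            findings=1
        else
            # "ls -ldn" prints the mode string first and the numeric owner uid third
            read -r mode _ uid _ <<EOF
$(ls -ldn "$p")
EOF
            if [ "$uid" != "$trusted" ]; then
                echo "owned by uid $uid: $p"
                findings=1
            fi
            # Character 6 of the mode string is group write, character 9 is other write
            case $mode in
                ?????w*) echo "group-writable: $p"; findings=1 ;;
            esac
            case $mode in
                ????????w*) echo "world-writable: $p"; findings=1 ;;
            esac
        fi
        if [ "$p" = "$top" ] || [ "$p" = / ]; then
            break
        fi
        p=$(dirname "$p")
    done
    return "$findings"
}
# Typical call, run as root before adding the rule: check_sudo_target /path/to/command
```
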
0

I don't specifically know how sudo will behave in this context; however, many programs which rely on user interaction will fail if not connected to a tty when they are invoked. It would be simple to create a sudo privilege WITHOUT "NOPASSWD" and run it via cron or at to test:

echo "sudo touch /tmp/writtenAsRoot" | at now

(and check the output of "ps -ef | grep sudo" to check it isn't waiting for input).

Also test for the scenario where the user has no sudo privileges if that is a potential scenario.

symcbean
  • 5,540