I have a script that I've made that needs to have root permissions to enable and disable bluetooth features. I am binding this to a button so it is not feasible to log in as root to run the script. How do I properly set the file permissions for the script? I know that it's good practice to make it so that only root can edit and read the file, but how do I give it full execution permissions?

#!/bin/bash
# Find the rfkill index of the ThinkPad bluetooth switch; the matching
# line of "rfkill list" looks like "N: tpacpi_bluetooth_sw: Bluetooth".
BT_RFKILL=$(rfkill list | grep tpacpi_bluetooth_sw | sed 's/\([0-9]\+\):.*/\1/')
if [ -z "$BT_RFKILL" ]; then
    echo "tpacpi_bluetooth_sw not found in rfkill list" >&2
    exit 1
fi
# Non-empty when the device is currently soft-blocked.
BT_STATE=$(rfkill list "$BT_RFKILL" | grep "Soft blocked: yes")

if [ -z "$BT_STATE" ]; then
    # Bluetooth is on: stop sixad first, then block the radio.
    sixad --stop
    sleep 2s
    rfkill block "$BT_RFKILL"
else
    # Bluetooth is off: unblock the radio, then start sixad.
    rfkill unblock "$BT_RFKILL"
    sleep 2s
    sixad --start
fi
exit 0

The script runs perfectly if I sudo it, but that's not ideal since I'd love to run it through a simple key binding.

depquid
MiguelHawk

2 Answers

The secure way is probably to use sudo on the lines of your script that call sixad and rfkill (I'm assuming both need root privileges). Then configure sudoers to allow those commands to be run without a password by the user or group which is supposed to run the script.

depquid

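One way to implement the sudoers approach from this answer, as an added example (not the answer's own code): a fragment that grants one group exactly the four privileged invocations the script needs, a small lint for the mistakes that quietly widen such a rule, and an installer that validates with visudo before the file goes live. The group name bt-users, the command paths /usr/sbin/rfkill and /usr/bin/sixad, and the file name /etc/sudoers.d/bt-toggle are assumptions; confirm them with "command -v rfkill" and "getent group" on the target machine.

```shell
#!/bin/sh
# Added example, not part of the original answer.  Assumed: group bt-users,
# paths /usr/sbin/rfkill and /usr/bin/sixad, file /etc/sudoers.d/bt-toggle.

# Print the sudoers fragment for GROUP.  Every argument is a literal, so no
# wildcard is needed: in sudoers a "*" also matches spaces, so a rule such
# as "/usr/sbin/rfkill block *" would accept "block all" or extra words.
# "bluetooth" is rfkill's type name; using it instead of the numeric index
# found by the script is what lets the rule stay exact.
bt_sudoers_fragment() {
    group=$1
    printf '%s\n' \
        "Cmnd_Alias BT_CMDS = /usr/sbin/rfkill block bluetooth, /usr/sbin/rfkill unblock bluetooth, /usr/bin/sixad --start, /usr/bin/sixad --stop" \
        "%${group} ALL=(root) NOPASSWD: BT_CMDS"
}

# Return 0 if FRAGMENT (in the shape produced above) passes three checks,
# 1 otherwise:
#   - no "*" or "?" anywhere (they widen the argument match),
#   - no "ALL" as the NOPASSWD command list (root-equivalent),
#   - every Cmnd_Alias entry is an absolute path (a bare "rfkill" would
#     be whatever the caller's PATH resolves it to).
lint_sudoers_fragment() {
    fragment=$1
    printf '%s\n' "$fragment" | grep -q '[*?]' && return 1
    printf '%s\n' "$fragment" |
        grep -Eq 'NOPASSWD:[[:space:]]*ALL([[:space:],]|$)' && return 1
    printf '%s\n' "$fragment" | grep '^Cmnd_Alias' | sed 's/^[^=]*=//' |
        tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qv '^/' && return 1
    return 0
}

# Write the fragment into /etc/sudoers.d (run as root).  visudo -c parses
# the file before it is installed, because a malformed sudoers file can
# lock every user out of sudo.
install_bt_sudoers() {
    group=$1
    tmp=$(mktemp) || return 1
    bt_sudoers_fragment "$group" > "$tmp"
    if lint_sudoers_fragment "$(cat "$tmp")" && visudo -c -f "$tmp"; then
        install -o root -g root -m 0440 "$tmp" /etc/sudoers.d/bt-toggle
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Stand-alone use: "sh this.sh show [group]" prints the fragment and the
# lint verdict without touching the system.
if [ "${1:-}" = "show" ]; then
    fragment=$(bt_sudoers_fragment "${2:-bt-users}")
    printf '%s\n' "$fragment"
    if lint_sudoers_fragment "$fragment"; then
        echo "lint: ok"
    else
        echo "lint: REJECTED"
    fi
fi
```

With the fragment installed, the script's privileged lines become "sudo /usr/sbin/rfkill block bluetooth", "sudo /usr/sbin/rfkill unblock bluetooth", "sudo /usr/bin/sixad --stop" and "sudo /usr/bin/sixad --start"; the path and arguments must match the rule character for character, and the user behind the key binding must be a member of the group. "sudo -l" run as that user lists exactly what was granted, which is the quickest way to confirm nothing wider slipped in.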

You can set the setuid flag on the script and set its owner to root (or better, someone who has the permissions you need). The setuid flag means that when the script is run by anyone who can run it, the UID of the process is set to that of its owner.

For example, you can have a script owned by joe, with setuid flag on, so when alice runs it, the script itself has privileges of joe (just as if Joe ran it, even if he's not logged in right now).

IIUC you want to run this under an HTTP server. I'm not sure if this applies to every server, but at least Apache on Debian will refuse to run a setuid'd script. It will allow only a binary executable. I solved this by creating a simple wrapper in C that would exec() the script using a hard-coded path.

However, I'd definitely try to avoid running anything as root remotely: a much safer way is to create a special user just for the specific task, not having any more privileges than needed, and use the above technique. (I'm not sure, but that might mean that the part about Apache will not apply; it might apply to root's scripts only.)

Basically, how you assign privileges is by making the user a member of a certain group. Many distributions create device-specific groups (like "cdrom", "fax"...) for you. Check whether there is a "bluetooth" group on your system; if there is, create a new user and make it a member of that group.

Alois Mahdal