How can I limit a UNIX user (BESIDES sudo!) to only allow it to run a script as root?
- Why not sudo? Shell scripts in particular can be dangerous to run setuid-root, and sudo takes care of the details you need to run them safely. – Jander Oct 29 '13 at 15:15
- Please read my answer and specifically Gilles' answer to the Q that I linked to, Allow setuid on shell scripts. – slm Oct 29 '13 at 15:34
3 Answers
Besides sudo, the only other method I'm aware of is to use setuid. This is a mechanism built into Unixes where you can set a bit on a program on disk so that anytime someone executes it, the executable is run as the owner of the file and not the user attempting to run it.
But this facility typically doesn't work with scripts or programs that require a shebang (#!/bin/...) at the top of them. If a file has this bit enabled it will show up like this in the filesystem:
-rws------ 1 saml saml 3354099 Oct 28 16:07 someapp
You can set a program with this bit enabled like this:
$ chmod u+s someapp
But even when this bit is enabled, it can oftentimes be ignored and drive users mad who don't understand that it's by design. This is often for security reasons, so as not to allow shell scripts or programs that make use of a shebang to run in this manner.
The man pages (credentials & capabilities) cover some of this.
So in general the best option, even though you don't want to hear this, is to use sudo.
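The point of this answer, that a setuid bit on an interpreter script is set on disk but ignored at exec time on Linux, is easy to verify and also worth auditing for. The following shell script is an added example, not code from the answer above: it walks a directory tree, lists every file carrying the setuid bit, and flags the ones that start with "#!" (the case where the bit is silently ignored). The sample files it creates in a temporary directory are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original answers): audit a directory tree for
# files carrying the setuid bit and flag those that are interpreter scripts,
# i.e. that begin with "#!". On Linux the kernel ignores setuid on such files,
# so a setuid script is either a misconfiguration or a sign that someone
# expects it to work when it will not. Sample files below are constructed.

# Print one line per setuid file found under $1: "<path> <script|binary>".
audit_setuid() {
    tree=$1
    find "$tree" -type f -perm -4000 | sort | while IFS= read -r f; do
        magic=$(head -c 2 "$f" 2>/dev/null)
        if [ "$magic" = "#!" ]; then
            printf '%s script\n' "$f"
        else
            printf '%s binary\n' "$f"
        fi
    done
}

# Count the setuid scripts under $1 (the finding a defender cares about).
count_setuid_scripts() {
    audit_setuid "$1" | grep -c ' script$'
}

# Build a constructed sample tree so the audit runs without touching the
# system: one setuid shell script, one setuid non-script file, one plain script.
make_sample_tree() {
    sample=$(mktemp -d)
    printf '#!/bin/sh\necho hello\n' > "$sample/someapp.sh"
    printf 'ELF-like placeholder, not a real binary\n' > "$sample/someapp"
    printf '#!/bin/sh\necho no setuid here\n' > "$sample/plain.sh"
    chmod 0755 "$sample/someapp.sh" "$sample/someapp" "$sample/plain.sh"
    chmod u+s "$sample/someapp.sh" "$sample/someapp"   # same command the answer shows
    printf '%s\n' "$sample"
}

# Usage: sh audit_setuid.sh demo   (or call audit_setuid /usr/local/bin on a real host)
if [ "${1:-}" = "demo" ]; then
    d=$(make_sample_tree)
    audit_setuid "$d"
    rm -rf "$d"
fi
```

On a real host, running audit_setuid over the directories in PATH gives a quick list of what the setuid mechanism is actually granting; any entry reported as "script" is doing nothing except confusing whoever set it.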
You can give that user user ID 0 in the password file, and make that script their login shell. When the user logs in with their name and password, the script runs as root, terminates, and then the user is logged out. Hence, the user is limited to that root script.
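A second UID-0 account with a script as its login shell is precisely the kind of entry an auditor wants to notice in the password file. The script below is an added example, not code from the answer: it lists every UID-0 account with its shell from a passwd-format file and separately names the UID-0 accounts other than root. The passwd lines it writes are constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original answer): list every account whose
# numeric UID is 0, together with its login shell, from a passwd-format file.
# An extra UID-0 entry whose "shell" is a script is exactly the setup the
# answer describes, and it is what an auditor should look for. The passwd
# lines below are constructed sample data, not a real system file.

# Print "name:shell" for each UID-0 account in the passwd-format file $1.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 ":" $7 }' "$1"
}

# Print the names of UID-0 accounts other than root (the ones to investigate).
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Write a constructed passwd file and print its path.
make_sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup-runner:x:0:0:runs backup as root:/home/backup-runner:/usr/local/sbin/backup.sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    printf '%s\n' "$f"
}

# Usage: sh uid0_audit.sh demo   (or uid0_accounts /etc/passwd on a real host)
if [ "${1:-}" = "demo" ]; then
    f=$(make_sample_passwd)
    uid0_accounts "$f"
    rm -f "$f"
fi
```

Because the kernel only looks at the numeric UID, the "backup-runner" entry above is root in every respect except its name, which is why a one-line awk over /etc/passwd belongs in any baseline check.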
Maybe I am not understanding your question, but groups can be used to control what users can do.
One possibility is to assign the user to the traditional group wheel. Of course this falls back on the sudoers file where there should be a default entry something like:
%wheel ALL=(ALL) ALL # password required.
or
%wheel ALL=(ALL) NOPASSWD: ALL # no password required.
You can do this via:
usermod -a -G wheel {username}
Then the {username} should have the ability to execute as root.
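Both %wheel lines in this answer grant ALL commands, which is wider than the question asks for; the sudoers syntax also accepts a single command in place of ALL. The script below is an added example, not code from the answer: it reads group- and sudoers-format files, reports who is in a group, and extracts the command list each %group entry grants, so you can see at a glance whether a group is limited to one script or can run anything as root. The group and sudoers lines it writes are constructed sample data, and the function names are my own; it handles only the simple one-line entry form shown in the answer, not aliases or line continuations.

```shell
#!/bin/sh
# Added example (not from the original answer): given group- and sudoers-format
# files, report who is in a group and what command list the %group entry in
# sudoers grants. The input files are constructed sample data; /etc/group and
# /etc/sudoers on a real host have the same layouts for these simple entries.

# Print the comma-separated member list of group $2 from the group-format file $1.
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# Print the command list granted to %$2 in the sudoers-format file $1.
# Steps: drop '#' comments, keep lines for the group, strip the
# "HOST=(RUNAS)" part and any "TAG:" words (e.g. NOPASSWD:) that precede
# the command list.
group_commands() {
    sed 's/[[:space:]]*#.*$//' "$1" \
      | grep -E "^%$2[[:space:]]" \
      | sed -E 's/^[^)]*\)[[:space:]]*//; s/^([A-Z]+:[[:space:]]*)*//'
}

# Print "yes" if any entry for %$2 grants the unrestricted command list ALL.
grants_all() {
    if group_commands "$1" "$2" | grep -qx 'ALL'; then
        echo yes
    else
        echo no
    fi
}

make_sample_group() {
    f=$(mktemp)
    printf 'root:x:0:\nwheel:x:10:alice,bob\nusers:x:100:alice,bob,carol\n' > "$f"
    printf '%s\n' "$f"
}

make_sample_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample sudoers
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL   # no password required
%users  ALL=(root) NOPASSWD: /usr/local/bin/rotate-logs.sh
EOF
    printf '%s\n' "$f"
}

# Usage: sh sudoers_audit.sh demo
if [ "${1:-}" = "demo" ]; then
    g=$(make_sample_group); s=$(make_sample_sudoers)
    for grp in wheel users; do
        printf '%%%s members: %s\n' "$grp" "$(group_members "$g" "$grp")"
        printf '%%%s commands: %s (unrestricted: %s)\n' "$grp" \
            "$(group_commands "$s" "$grp")" "$(grants_all "$s" "$grp")"
    done
    rm -f "$g" "$s"
fi
```

The %users entry in the sample is the shape that answers the original question: members of that group can run exactly one script as root and nothing else, whereas the %wheel entry from the answer makes every member equivalent to root.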