This discussion is locked
Greg Hart
Level 1 (40 points)

Q: sudo in a bash script

Hi All-

I want to allow non-admin users to run a bash script that changes the ownership of a file to an admin user in a different group. I've run into a couple questions I'm hoping the more experienced could shed some light on.

First off, when I chown to an admin user, it requires sudo. So I've included the following in the script: `sudo chown <user>:<group> <file>`

Two issues:
1) Is there a way around the interactive "Password:" prompt? What's the safest way to do this, security-wise?

2) Only users listed in /private/etc/sudoers are able to run `sudo`. By default, this doesn't include any of my non-admin users. Am I required to add them to this file? Or is there a better way?

Thanks for any tips,

-Greg

PowerBook G4   Mac OS X (10.4.8)   Sony KDL-40S2010 HDTV

Posted on Mar 15, 2007 5:07 PM

by Niel,Solvedanswer
Niel Niel
Level 10 (314,422 points)
Mac OS X
A:
Move the script to the top level of the hard disk or a preinstalled folder only writable by root, such as /private. Next, use a tool such as visudo to edit the sudoers file so that non-admin users can use sudo to execute that script and only that script; the sudo in the script can then be removed, and the line in sudoers can be set so that no password is required to run it. From here, change the permissions on it so that only root is able to edit the script.

(20394)

Posted on Mar 15, 2007 8:45 PM

Close
Greg Hart

Q: sudo in a bash script

  • All replies
  • Helpful answers

  • by Niel,Solvedanswer

    Niel Niel Mar 15, 2007 8:45 PM in response to Greg Hart
    Level 10 (314,422 points)
    Mac OS X
    Mar 15, 2007 8:45 PM in response to Greg Hart
    Move the script to the top level of the hard disk or a preinstalled folder only writable by root, such as /private. Next, use a tool such as visudo to edit the sudoers file so that non-admin users can use sudo to execute that script and only that script; the sudo in the script can then be removed, and the line in sudoers can be set so that no password is required to run it. From here, change the permissions on it so that only root is able to edit the script.

    (20394)

  • by B1|\|ARY,

    B1|\|ARY B1|\|ARY Mar 17, 2007 9:50 AM in response to Greg Hart
    Level 1 (60 points)
    Mar 17, 2007 9:50 AM in response to Greg Hart
    If all you're doing is trying to change ownership not permission, so long as you have read access to the file, you can change ownership by creating a new file with the exact same properties with cat.

    cat file1 > file2

    file2 will retain original permissions of file1, but the group will be changed to whichever user runs cat.

    Since this changes ownership of the file, at this point you just do:

    chmod 777 file2

    Which will give you full access to file2.

    Hope that helps.

  • by foilpan,

    foilpan foilpan Mar 17, 2007 1:47 PM in response to B1|\|ARY
    Level 4 (1,385 points)
    Mar 17, 2007 1:47 PM in response to B1|\|ARY
    that will confuse things, since your approach creates duplicate files. he just wants to work with existing files. the way for non-admins to chown them properly is to edit the sudoers file as indicated above.

    with more detail from the original poster, it may be possible to work out an even more elegant solution.

    why do the non-admins need to change ownership to allow another group to use the files? have you tried ACLs to accomplish the same thing? in essence, what's the problem you're trying to solve?

  • by Kurt Sakaeda,

    Kurt Sakaeda Kurt Sakaeda Mar 18, 2007 12:33 PM in response to Greg Hart
    Level 3 (590 points)
    Mar 18, 2007 12:33 PM in response to Greg Hart
    Dear Greg,

    The keys are in chmod, chown, & sudo.

    Make your scrip owned by root like this:

    $ sudo chown root script.sh

    There is a secret bit on the access controls called the sticky bit. If an executable is owned by root & has the sticky bit set, the executable runs with root authority. Set the sticky bit like this:

    $ sudo chmod 1755 script.sh

    Now when the script runs, it runs with root authority.

    But you need to be real careful with access control to script.sh. If someone can change script.sh, they have root access to your system. So guard script.sh well.

    Best of luck,



    Kurt

  • by Greg Hart,

    Greg Hart Greg Hart Mar 18, 2007 2:43 PM in response to Kurt Sakaeda
    Level 1 (40 points)
    Mar 18, 2007 2:43 PM in response to Kurt Sakaeda
    Trying the simple thing first, I took your suggstion Kurt, and ran:

    $ sudo chown root script.sh
    $ sudo chmod 1755 script.sh

    resulting in:
    -rwxr-xr-t 1 root admin 1206 Mar 18 14:03 script.sh*

    I still get the "Password:" prompt, so wonder if it's running with root authority. And of course, non-admin users still aren't listed in the sudoers file so there's no way past the prompt for them.

  • by Niel,

    Niel Niel Mar 18, 2007 3:22 PM in response to Greg Hart
    Level 10 (314,422 points)
    Mac OS X
    Mar 18, 2007 3:22 PM in response to Greg Hart
    The instructions regarding changing the file mode weren't set up properly; the number needs to be 4755 instead of 1755 for this purpose. Note that setuid shell scripts are disabled by default in Mac OS X 10.39 and newer; you can use these instructions to turn them back on.

    (20462)

  • by Gary Kerbaugh,Helpful

    Gary Kerbaugh Gary Kerbaugh Mar 18, 2007 3:41 PM in response to Kurt Sakaeda
    Level 6 (18,040 points)
    Mar 18, 2007 3:41 PM in response to Kurt Sakaeda
    Hi Kurt, Greg,
       Kurt, this is a rare mistake but you're thinking about the SetUID bit, not the sticky bit. The effect of the sticky bit on files was supposed to be to keep text portions of an executable in memory but the architecture it was designed to optimized is obsolete so I doubt that it has any effect on executable files nowadays. (it still affects directories)

       Setting the SetUID bit, 4000, on an executable binary will cause the operating system to execute it as the owner of the executable but that no longer works on scripts since that would be a security hole. However, it is a simple matter to wrap the invocation of the script in a C executable, on which the sticky bit will work. There is a section of the perlsec man page that describes how to do it and even provides the C code. All you have to do is fill in the absolute path to the script, compile it with gcc and set the SetUID bit on the resulting executable.

       Greg, I think that editing the sudoers file is the best solution but you should really study the sudoers man page before doing so. Sudo is one of the most flexible authority mechanisms there is but that also means that configuring it can get involved.

       As was suggested you can include the path to your script in an entry in the sudoers file and even use the NOPASSWD flag to allow it to be executed without a password being required. However, your users will still have to use sudo. An alternative is to put the individual commands in the sudoers file and to execute them in the script with sudo. Of course you should include the arguments to the commands in the sudoers file as you wouldn't want your users to be able to freely chmod as root.

    Edit: I strongly recommend not turning on the effect of the SetUID bit on scripts. It really is a security flaw, as is also described in the perlsec man page.
    --
    Gary
    ~~~~
       Obstacles are what you see when you take your eyes off your goal.

  • by Greg Hart,

    Greg Hart Greg Hart Mar 18, 2007 6:47 PM in response to Niel
    Level 1 (40 points)
    Mar 18, 2007 6:47 PM in response to Niel
    Thanks all, for the helpful info. Going with Niel's first suggestion, I edited sudoers with visudo based on what I learned skimming the sudoers man page. I added the following line to sudoers:

    <nonadminuser> ALL = NOPASSWD: /arc/bin/script.sh

    Everything seems to work just like I was hoping with one exception. Would you still expect the user to be required to preceed the command with 'sudo'? That's what I'm seeing and was hoping to avoid. In other words,

    $ sudo script.sh
    # works without any reference to 'sudo' inside script.sh
    $ script.sh
    # works when 'sudo' preceeds the command inside script.sh

    And fyi, this is 'script.sh':

    #!/bin/sh
    for arg
    do
    chown <new_user> $arg
    done

    and script.sh is owned by root.

    Is this as good as it gets? Maybe 'sudo script.sh' could be put in a wrapper or something, but I'm hoping to learn how to do it as cleanly as possible. Thanks again.

    PowerBook G4   Mac OS X (10.4.9)   Sony KDL-40S2010 HDTV

  • by Niel,Helpful

    Niel Niel Mar 18, 2007 8:29 PM in response to Greg Hart
    Level 10 (314,422 points)
    Mac OS X
    Mar 18, 2007 8:29 PM in response to Greg Hart
    Try creating a second shell script, and placing the sudo command inside that shell script. The first script can then be called from the second, without the person using the computer needing to type sudo. The second script does not need to be in a protected folder.

    (20472)

  • by Kurt Sakaeda,

    Kurt Sakaeda Kurt Sakaeda Mar 19, 2007 9:26 AM in response to Gary Kerbaugh
    Level 3 (590 points)
    Mar 19, 2007 9:26 AM in response to Gary Kerbaugh
    Dear Gary,

    Opps! My mistake:^( This is what happens when I rely on my memory rather than the the computers memory.

    Thank you for the correction. At least I had the commands right.

    Thank you for the sudo suggestion. I will keep it in my useful unix methods file for future use. It is always good to know the right way to do things.

    Best of luck,


    Kurt