User profile for user: Greg Hart
Greg Hart Author
User level: Level 1
45 points

sudo in a bash script

Hi All-

I want to allow non-admin users to run a bash script that changes the ownership of a file to an admin user in a different group. I've run into a couple questions I'm hoping the more experienced could shed some light on.

First off, when I chown to an admin user, it requires sudo. So I've included the following in the script: `sudo chown <user>:<group> <file>`

Two issues:
1) Is there a way around the interactive "Password:" prompt? What's the safest way to do this, security-wise?

2) Only users listed in /private/etc/sudoers are able to run `sudo`. By default, this doesn't include any of my non-admin users. Am I required to add them to this file? Or is there a better way?

Thanks for any tips,

-Greg

PowerBook G4 Mac OS X (10.4.8) Sony KDL-40S2010 HDTV

Posted on Mar 15, 2007 5:07 PM

Reply
10 replies
User profile for user: Niel
Niel
Community+ 2025
User level: Level 10
740,963 points

Mar 15, 2007 8:45 PM in response to Greg Hart

Move the script to the top level of the hard disk or a preinstalled folder only writable by root, such as /private. Next, use a tool such as visudo to edit the sudoers file so that non-admin users can use sudo to execute that script and only that script; the sudo in the script can then be removed, and the line in sudoers can be set so that no password is required to run it. From here, change the permissions on it so that only root is able to edit the script.

(20394)
Reply
User profile for user: B1|\|ARY
B1|\|ARY
User level: Level 1
60 points

Mar 17, 2007 9:50 AM in response to Greg Hart

If all you're doing is trying to change ownership not permission, so long as you have read access to the file, you can change ownership by creating a new file with the exact same properties with cat.

cat file1 > file2

file2 will retain original permissions of file1, but the group will be changed to whichever user runs cat.

Since this changes ownership of the file, at this point you just do:

chmod 777 file2

Which will give you full access to file2.

Hope that helps.
Reply
User profile for user: foilpan
foilpan
User level: Level 4
1,385 points

Mar 17, 2007 1:47 PM in response to B1|\|ARY

that will confuse things, since your approach creates duplicate files. he just wants to work with existing files. the way for non-admins to chown them properly is to edit the sudoers file as indicated above.

with more detail from the original poster, it may be possible to work out an even more elegant solution.

why do the non-admins need to change ownership to allow another group to use the files? have you tried ACLs to accomplish the same thing? in essence, what's the problem you're trying to solve?
Reply
User profile for user: Kurt Sakaeda
Kurt Sakaeda
User level: Level 3
590 points

Mar 18, 2007 12:33 PM in response to Greg Hart

Dear Greg,

The keys are in chmod, chown, & sudo.

Make your scrip owned by root like this:

$ sudo chown root script.sh

There is a secret bit on the access controls called the sticky bit. If an executable is owned by root & has the sticky bit set, the executable runs with root authority. Set the sticky bit like this:

$ sudo chmod 1755 script.sh

Now when the script runs, it runs with root authority.

But you need to be real careful with access control to script.sh. If someone can change script.sh, they have root access to your system. So guard script.sh well.

Best of luck,



Kurt
Reply
User profile for user: Greg Hart
Greg Hart Author
User level: Level 1
45 points

Mar 18, 2007 2:43 PM in response to Kurt Sakaeda

Trying the simple thing first, I took your suggstion Kurt, and ran:

$ sudo chown root script.sh
$ sudo chmod 1755 script.sh

resulting in:
-rwxr-xr-t 1 root admin 1206 Mar 18 14:03 script.sh*

I still get the "Password:" prompt, so wonder if it's running with root authority. And of course, non-admin users still aren't listed in the sudoers file so there's no way past the prompt for them.
Reply
User profile for user: Gary Kerbaugh
Gary Kerbaugh
User level: Level 6
18,040 points

Mar 18, 2007 3:41 PM in response to Kurt Sakaeda

Hi Kurt, Greg,
Kurt, this is a rare mistake but you're thinking about the SetUID bit, not the sticky bit. The effect of the sticky bit on files was supposed to be to keep text portions of an executable in memory but the architecture it was designed to optimized is obsolete so I doubt that it has any effect on executable files nowadays. (it still affects directories)

Setting the SetUID bit, 4000, on an executable binary will cause the operating system to execute it as the owner of the executable but that no longer works on scripts since that would be a security hole. However, it is a simple matter to wrap the invocation of the script in a C executable, on which the sticky bit will work. There is a section of the perlsec man page that describes how to do it and even provides the C code. All you have to do is fill in the absolute path to the script, compile it with gcc and set the SetUID bit on the resulting executable.

Greg, I think that editing the sudoers file is the best solution but you should really study the sudoers man page before doing so. Sudo is one of the most flexible authority mechanisms there is but that also means that configuring it can get involved.

As was suggested you can include the path to your script in an entry in the sudoers file and even use the NOPASSWD flag to allow it to be executed without a password being required. However, your users will still have to use sudo. An alternative is to put the individual commands in the sudoers file and to execute them in the script with sudo. Of course you should include the arguments to the commands in the sudoers file as you wouldn't want your users to be able to freely chmod as root.

Edit: I strongly recommend not turning on the effect of the SetUID bit on scripts. It really is a security flaw, as is also described in the perlsec man page.
--
Gary
~~~~
Obstacles are what you see when you take your eyes off your goal.
Reply
User profile for user: Greg Hart
Greg Hart Author
User level: Level 1
45 points

Mar 18, 2007 6:47 PM in response to Niel

Thanks all, for the helpful info. Going with Niel's first suggestion, I edited sudoers with visudo based on what I learned skimming the sudoers man page. I added the following line to sudoers:

<non adminuser> ALL = NOPASSWD: /arc/bin/script.sh

Everything seems to work just like I was hoping with one exception. Would you still expect the user to be required to preceed the command with 'sudo'? That's what I'm seeing and was hoping to avoid. In other words,

$ sudo script.sh
# works without any reference to 'sudo' inside script.sh
$ script.sh
# works when 'sudo' preceeds the command inside script.sh

And fyi, this is 'script.sh':

#!/bin/sh
for arg
do
chown <new_user> $arg
done

and script.sh is owned by root.

Is this as good as it gets? Maybe 'sudo script.sh' could be put in a wrapper or something, but I'm hoping to learn how to do it as cleanly as possible. Thanks again.

PowerBook G4 Mac OS X (10.4.9) Sony KDL-40S2010 HDTV
Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

sudo in a bash script

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up