Re: How do I elevate in a script?

2014-04-29 Thread Stephen John Smoogen
On 29 April 2014 15:20, ToddAndMargo  wrote:

> Hi All,
>
> I have a bash script that needs to be run as root.
> In the script, I check to see if it is running as
> root and flag the user to run appropriately.
>
> Is there a way to use "su" to prompt for the password
> and continue the script if successful? (I would test for
> $? after the prompt.)
>
> Currently "su" will just open a new shell as root.
>
> I can run a command inside "su", but what about the
> other 200 lines of code?  :'(
>
>
The best you can do is run the script itself via su... and that leads to all
kinds of interesting problems. Generally it is better to have the user type
the command themselves as root versus trying to be helpful inside of the
shell.




> Many thanks,
> -T
>
>
> --
> ~~
> Computers are like air conditioners.
> They malfunction when you open windows
> ~~
>



-- 
Stephen J Smoogen.


Re: How do I elevate in a script?

2014-04-29 Thread Keith Chadwick
The way I have done this in the past (using ksu rather than su) is to:

#!/bin/bash
#
# Already root: run the privileged part. Otherwise re-run this script via ksu.
if [ "$UID" -eq 0 ]
then
    # portion of script to run as root
    :
else
    ksu "$0" "$@"
    if [ "$?" -ne 0 ]
    then
        echo "ksu failed!"
        exit 1
    else
        # portion of script to run as non-root
        :
    fi
fi
#
exit

-Keith.
On Apr 29, 2014, at 2:20 PM, ToddAndMargo  wrote:

> Hi All,
> 
> I have a bash script that needs to be run as root.
> In the script, I check to see if it is running as
> root and flag the user to run appropriately.
> 
> Is there a way to use "su" to prompt for the password
> and continue the script if successful? (I would test for
> $? after the prompt.)
> 
> Currently "su" will just open a new shell as root.
> 
> I can run a command inside "su", but what about the
> other 200 lines of code?  :'(
> 
> Many thanks,
> -T
> 
> 
> -- 
> ~~
> Computers are like air conditioners.
> They malfunction when you open windows
> ~~


RE: How do I elevate in a script?

2014-04-29 Thread Howard, Chris
You can use the suid permissions bit.
But be very careful to not let your script be hijacked.

I think there might be an option to the "su" command which
will let you run a script as another user.  You can
then split your script into two parts, have the first part
do things and then call 

su power-user -c "/home/bin/newscript"


Something like that.  My syntax is probably bad.



-Original Message-
From: ToddAndMargo [mailto:toddandma...@zoho.com] 
Sent: Tuesday, April 29, 2014 1:20 PM
To: Scientific Linux Users
Subject: How do I elevate in a script?

Hi All,

I have a bash script that needs to be run as root.
In the script, I check to see if it is running as
root and flag the user to run appropriately.

Is there a way to use "su" to prompt for the password
and continue the script if successful? (I would test for
$? after the prompt.)

Currently "su" will just open a new shell as root.

I can run a command inside "su", but what about the
other 200 lines of code?  :'(

Many thanks,
-T


-- 
~~
Computers are like air conditioners.
They malfunction when you open windows
~~


Re: How do I elevate in a script?

2014-04-29 Thread Michael Tiernan

On 4/29/14 3:20 PM, ToddAndMargo wrote:

Currently "su" will just open a new shell as root.


"sudo -u root" and if they don't have the password all is safer. :)

--
  <<  MCT>>Michael C Tiernan xmpp:mtier...@mit.edu +1 (617) 324-9173
  MIT - Laboratory for Nuclear Science - http://www.lns.mit.edu
  High Perf Research Computing Facility at The Bates Linear Accelerator
Please avoid sending me MS-Word or MS-PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html


Re: How do I elevate in a script?

2014-04-29 Thread Mark Whidby
On Tue, 2014-04-29 at 12:20 -0700, ToddAndMargo wrote:
> Hi All,
> 
> I have a bash script that needs to be run as root.
> In the script, I check to see if it is running as
> root and flag the user to run appropriately.
> 
> Is there a way to use "su" to prompt for the password
> and continue the script if successful? (I would test for
> $? after the prompt.)
> 
> Currently "su" will just open a new shell as root.
> 
> I can run a command inside "su", but what about the
> other 200 lines of code?  :'(

An interesting problem :-)

Something like this seems to work but I haven't thought through
the consequences of it, so be aware:

-cut here-
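#!/bin/sh

# Name of this script, without its directory
this_script=$(basename "$0")

# Not root yet: have su run this same script again as root
if [ "$(id -u)" -ne 0 ]
then
  echo "Enter root's password"
  su -c "./$this_script"
  exit
fi

echo "Hello world"
echo "Running as $(id -u)"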
-cut here-

You probably need to do something with $PATH to obviate the
need for the "./" on the su line.
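
An added example, not code from any message in this thread: one way to make the call-myself-through-su approach independent of the current directory and of $PATH, by resolving the script to an absolute path and quoting its arguments for "su -c". The function names are illustrative assumptions.

```shell
#!/bin/sh
# Added example: re-run the current script as root through su, using an
# absolute path and safely quoted arguments. Function names are illustrative.

abs_script_path() {
    # Resolve $1 (normally "$0") to its physical directory plus file name,
    # so the su command does not depend on the caller's cwd or $PATH.
    src=$1
    case $src in
        */*) ;;
        *)   src=./$src ;;      # "sh name" form: relative to the current directory
    esac
    dir=$(CDPATH= cd "$(dirname "$src")" && pwd -P) || return 1
    printf '%s/%s' "$dir" "$(basename "$src")"
}

shell_quote() {
    # Single-quote $1 for the shell that su starts; each ' becomes '\''.
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

build_su_command() {
    # Join the script path and its arguments into one string for "su -c".
    cmd=$(shell_quote "$1")
    shift
    for arg in "$@"; do
        cmd="$cmd $(shell_quote "$arg")"
    done
    printf '%s' "$cmd"
}

elevate_if_needed() {
    # Call as the first line of the real script:  elevate_if_needed "$@"
    [ "$(id -u)" -eq 0 ] && return 0
    self=$(abs_script_path "$0") || { echo "cannot resolve $0" >&2; exit 1; }
    echo "Enter root's password" >&2
    exec su root -c "$(build_su_command "$self" "$@")"
}

# Constructed sample: print the string that would be handed to su.
build_su_command "/opt/my tool/update.sh" "it's" 'a;b $(id)'
echo
```

Plain su keeps most of the caller's environment, so the root part of the script should still set PATH explicitly before running anything.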


Re: How do I elevate in a script?

2014-04-29 Thread ToddAndMargo

On 04/29/2014 12:37 PM, Mark Whidby wrote:

On Tue, 2014-04-29 at 12:20 -0700, ToddAndMargo wrote:

Hi All,

I have a bash script that needs to be run as root.
In the script, I check to see if it is running as
root and flag the user to run appropriately.

Is there a way to use "su" to prompt for the password
and continue the script if successful? (I would test for
$? after the prompt.)

Currently "su" will just open a new shell as root.

I can run a command inside "su", but what about the
other 200 lines of code?  :'(


An interesting problem :-)

Something like this seems to work but I haven't thought through
the consequences of it, so be aware:

-cut here-
#!/bin/sh

this_script=$(basename $0)

if [ $(id -u) -ne 0 ]
then
   echo "Enter root's password"
   su -c ./$this_script
   exit
fi

echo "Hello world"
echo "Running as $(id -u)"
-cut here-

You probably need to do something with $PATH to obviate the
need for the "./" on the su line.



Hi Mark,

I get it.  Fascinating!

If not root, call myself a second time with "su"

Thank you!

-T

--
~~
Computers are like air conditioners.
They malfunction when you open windows
~~


Re: How do I elevate in a script?

2014-04-29 Thread Nico Kadel-Garcia
On Tue, Apr 29, 2014 at 3:20 PM, ToddAndMargo  wrote:
> Hi All,
>
> I have a bash script that needs to be run as root.
> In the script, I check to see if it is running as
> root and flag the user to run appropriately.
>
> Is there a way to use "su" to prompt for the password
> and continue the script if successful? (I would test for
> $? after the prompt.)

Is there any reason not to use "sudo", which has more sophisticated
options and can better manage providing root privileges, with or
without password authentication, for specific tools?

> Currently "su" will just open a new shell as root.
>
> I can run a command inside "su", but what about the
> other 200 lines of code?  :'(
>
> Many thanks,
> -T

Put the code that must run as root in one file, which is *run* by a
wrapper tool or wrapper script.


Re: How do I elevate in a script?

2014-04-30 Thread Matthieu Guionnet
Hi Todd,
why don't you just use setuid ?
http://en.wikipedia.org/wiki/Setuid

You just change the script owner or group to root.
And put the s bit with the chmod command.
That's all.

Matthieu.

Le mardi 29 avril 2014 à 13:22 -0700, ToddAndMargo a écrit :
> On 04/29/2014 12:37 PM, Mark Whidby wrote:
> > On Tue, 2014-04-29 at 12:20 -0700, ToddAndMargo wrote:
> >> Hi All,
> >>
> >> I have a bash script that needs to be run as root.
> >> In the script, I check to see if it is running as
> >> root and flag the user to run appropriately.
> >>
> >> Is there a way to use "su" to prompt for the password
> >> and continue the script if successful? (I would test for
> >> $? after the prompt.)
> >>
> >> Currently "su" will just open a new shell as root.
> >>
> >> I can run a command inside "su", but what about the
> >> other 200 lines of code?  :'(
> >
> > An interesting problem :-)
> >
> > Something like this seems to work but I haven't thought through
> > the consequences of it, so be aware:
> >
> > -cut here-
> > #!/bin/sh
> >
> > this_script=$(basename $0)
> >
> > if [ $(id -u) -ne 0 ]
> > then
> >   echo "Enter root's password"
> >   su -c ./$this_script
> >   exit
> > fi
> >
> > echo "Hello world"
> > echo "Running as $(id -u)"
> > -cut here-
> >
> > You probably need to do something with $PATH to obviate the
> > need for the "./" on the su line.
> >
> 
> Hi Mark,
> 
> I get it.  Fascinating!
> 
> If not root, call myself a second time with "su"
> 
> Thank you!
> 
> -T
> 





Re: How do I elevate in a script?

2014-04-30 Thread Mark Stodola

The setuid is not honored for shell scripts, try it and you will see.

-Mark

On 4/30/2014 2:35 AM, Matthieu Guionnet wrote:

Hi Todd,
why don't you just use setuid ?
http://en.wikipedia.org/wiki/Setuid

You just change the script owner or group to root.
And put the s bit with the chmod command.
That's all.

Matthieu.

Le mardi 29 avril 2014 à 13:22 -0700, ToddAndMargo a écrit :

On 04/29/2014 12:37 PM, Mark Whidby wrote:

On Tue, 2014-04-29 at 12:20 -0700, ToddAndMargo wrote:

Hi All,

I have a bash script that needs to be run as root.
In the script, I check to see if it is running as
root and flag the user to run appropriately.

Is there a way to use "su" to prompt for the password
and continue the script if successful? (I would test for
$? after the prompt.)

Currently "su" will just open a new shell as root.

I can run a command inside "su", but what about the
other 200 lines of code?  :'(

An interesting problem :-)

Something like this seems to work but I haven't thought through
the consequences of it, so be aware:

-cut here-
#!/bin/sh

this_script=$(basename $0)

if [ $(id -u) -ne 0 ]
then
   echo "Enter root's password"
   su -c ./$this_script
   exit
fi

echo "Hello world"
echo "Running as $(id -u)"
-cut here-

You probably need to do something with $PATH to obviate the
need for the "./" on the su line.


Hi Mark,

I get it.  Fascinating!

If not root, call myself a second time with "su"

Thank you!

-T



Re: How do I elevate in a script?

2014-04-30 Thread Nico Kadel-Garcia
On Wed, Apr 30, 2014 at 3:35 AM, Matthieu Guionnet
 wrote:
> Hi Todd,
> why don't you just use setuid ?
> http://en.wikipedia.org/wiki/Setuid

Because the kernel does not permit this for scripts.

   http://www.krenel.org/setuid-and-shell-scripts-explained/

Setuid shell scripts are begging to have environment variables set to
abuse their suid privileges. There are *compelling* security reasons
not to permit it.


> You just change the script owner or group to root.
> And put the s bit with the chmod command.
> That's all.
>
> Matthieu.
>
> Le mardi 29 avril 2014 à 13:22 -0700, ToddAndMargo a écrit :
>> On 04/29/2014 12:37 PM, Mark Whidby wrote:
>> > On Tue, 2014-04-29 at 12:20 -0700, ToddAndMargo wrote:
>> >> Hi All,
>> >>
>> >> I have a bash script that needs to be run as root.
>> >> In the script, I check to see if it is running as
>> >> root and flag the user to run appropriately.
>> >>
>> >> Is there a way to use "su" to prompt for the password
>> >> and continue the script if successful? (I would test for
>> >> $? after the prompt.)
>> >>
>> >> Currently "su" will just open a new shell as root.
>> >>
>> >> I can run a command inside "su", but what about the
>> >> other 200 lines of code?  :'(
>> >
>> > An interesting problem :-)
>> >
>> > Something like this seems to work but I haven't thought through
>> > the consequences of it, so be aware:
>> >
>> > -cut here-
>> > #!/bin/sh
>> >
>> > this_script=$(basename $0)
>> >
>> > if [ $(id -u) -ne 0 ]
>> > then
>> >   echo "Enter root's password"
>> >   su -c ./$this_script
>> >   exit
>> > fi
>> >
>> > echo "Hello world"
>> > echo "Running as $(id -u)"
>> > -cut here-
>> >
>> > You probably need to do something with $PATH to obviate the
>> > need for the "./" on the su line.
>> >
>>
>> Hi Mark,
>>
>> I get it.  Fascinating!
>>
>> If not root, call myself a second time with "su"
>>
>> Thank you!
>>
>> -T
>>
>
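
An added example, not part of the thread: an audit that lists files carrying the setuid or setgid bit whose first line is a "#!" interpreter line, the combination discussed above. The function names are illustrative assumptions, and paths containing newlines are not handled.

```shell
#!/bin/sh
# Added example: find setuid/setgid files that are interpreter scripts.

interpreter_line() {
    # Print the first line of $1 if it starts with "#!", else fail.
    first=
    IFS= read -r first 2>/dev/null < "$1" || [ -n "$first" ] || return 1
    case $first in
        '#!'*) printf '%s\n' "$first" ;;
        *)     return 1 ;;
    esac
}

find_setid_scripts() {
    # $1: directory to scan; -xdev stays on that filesystem.
    # Output: one "path<TAB>interpreter line" per finding.
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        if line=$(interpreter_line "$f"); then
            printf '%s\t%s\n' "$f" "$line"
        fi
    done
}

# Scan the directory given as the first argument, if there is one.
[ $# -eq 0 ] || find_setid_scripts "$1"
```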


Re: How do I elevate in a script?

2014-04-30 Thread ToddAndMargo

On 04/30/2014 12:35 AM, Matthieu Guionnet wrote:

Hi Todd,
why don't you just use setuid ?
http://en.wikipedia.org/wiki/Setuid

You just change the script owner or group to root.
And put the s bit with the chmod command.
That's all.

Matthieu.


Hi Matthieu,

I really, really only want root to be
able to run this script.

-T

--
~~
Computers are like air conditioners.
They malfunction when you open windows
~~


Re: How do I elevate in a script?

2014-04-30 Thread ToddAndMargo

On 04/29/2014 10:21 PM, Nico Kadel-Garcia wrote:

On Tue, Apr 29, 2014 at 3:20 PM, ToddAndMargo  wrote:

Hi All,

I have a bash script that needs to be run as root.
In the script, I check to see if it is running as
root and flag the user to run appropriately.

Is there a way to use "su" to prompt for the password
and continue the script if successful? (I would test for
$? after the prompt.)


Is there any reason not to use "sudo", which has more sophisticated
options and can better manage providing root privileges, with or
without password authentication, for specific tools?


I want the user to either already be root  or to
be prompted for the root password.

I really don't like sudo.




Currently "su" will just open a new shell as root.

I can run a command inside "su", but what about the
other 200 lines of code?  :'(

Many thanks,
-T


Put the code that must run as root in one file, which is *run* by a
wrapper tool or wrapper script.


It all has to be run as root.

I like the call myself option with "su"

-T


--
~~
Computers are like air conditioners.
They malfunction when you open windows
~~


Re: How do I elevate in a script?

2014-04-30 Thread Jeffrey Anderson
It seems to me that having a shell script prompt for the root password is a
recipe for disaster, but you can easily check to see if the user is already
root, and bail if not.




On Wed, Apr 30, 2014 at 10:32 AM, ToddAndMargo wrote:

> On 04/29/2014 10:21 PM, Nico Kadel-Garcia wrote:
>
>> On Tue, Apr 29, 2014 at 3:20 PM, ToddAndMargo 
>> wrote:
>>
>>> Hi All,
>>>
>>> I have a bash script that needs to be run as root.
>>> In the script, I check to see if it is running as
>>> root and flag the user to run appropriately.
>>>
>>> Is there a way to use "su" to prompt for the password
>>> and continue the script if successful? (I would test for
>>> $? after the prompt.)
>>>
>>
>> Is there any reason not to use "sudo", which has more sophisticated
>> options and can better manage providing root privileges, with or
>> without password authentication, for specific tools?
>>
>
> I want the user to either already be root  or to
> be prompted for the root password.
>
> I really don't like sudo.
>
>
>>  Currently "su" will just open a new shell as root.
>>>
>>> I can run a command inside "su", but what about the
>>> other 200 lines of code?  :'(
>>>
>>> Many thanks,
>>> -T
>>>
>>
>> Put the code that must run as root in one file, which is *run* by a
>> wrapper tool or wrapper script.
>>
>
> It all has to be run as root.
>
> I like the call myself option with "su"
>
>
> -T
>
>
> --
> ~~
> Computers are like air conditioners.
> They malfunction when you open windows
> ~~
>



-- 
--
Jeffrey Anderson| jdander...@lbl.gov
Lawrence Berkeley National Laboratory   |
Office: 50A-5104E   | Mailstop 50A-5101
Phone: 510 486-4208 | Fax: 510 486-4204


Re: How do I elevate in a script?

2014-04-30 Thread Bluejay Adametz
> It seems to me that having a shell script prompt for the root password is a
> recipe for disaster, but you can easily check to see if the user is already
> root, and bail if not.

I've been uneasy with that idea as well, although not to the point of
imminent disaster ...

Different sites might have different rules for gaining root access.
Some might not even permit su and require everything to go through
sudo, or some other mechanism, perhaps as part of an auditing/logging
process.

If it needs to run as root, I would just state that as a requirement,
check for that condition, and output a clear error message if it's not
met. Sometimes it's possible to "dumb things down" too much.

 - Bluejay Adametz

Matter may be created or destroyed, but it
may not be returned without a receipt.



Re: How do I elevate in a script?

2014-04-30 Thread ToddAndMargo

On 04/30/2014 10:38 AM, Jeffrey Anderson wrote:

It seems to me that having a shell script prompt for the root password
is a recipe for disaster, but you can easily check to see if the user is
already root, and bail if not.



That is what I currently do.  I am just wanting to get fancy:

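# Compare the numeric UID; grepping whoami output for "root" also
# matches any user name that merely contains "root".
if [ "$(id -u)" -ne 0 ]; then
   echo ""
   # ErrorSound
   echo 'Dude!  You must be root to do this.'
   echo "Try"
   echo "su root -c \"updateffth $1\""
   echo 'Exiting.   Bummer ...'
   echo ""
   # Pause is a helper function defined elsewhere in the script
   Pause
   exit 1
fi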


Re: How do I elevate in a script?

2014-04-30 Thread ToddAndMargo

On 04/30/2014 10:55 AM, Bluejay Adametz wrote:

It seems to me that having a shell script prompt for the root password is a
recipe for disaster, but you can easily check to see if the user is already
root, and bail if not.


I've been uneasy with that idea as well, although not to the point of
imminent disaster ...

Different sites might have different rules for gaining root access.
Some might not even permit su and require everything to go through
sudo, or some other mechanism, perhaps as part of an auditing/logging
process.

If it needs to run as root, I would just state that as a requirement,
check for that condition, and output a clear error message if it's not
met. Sometimes it's possible to "dumb things down" too much.

  - Bluejay Adametz

Matter may be created or destroyed, but it
may not be returned without a receipt.



Hi Bluejay,

No root, no shirt, no shoes, no service is the
way I wrote it.  Maybe not the shirt or shoes.

:-)

-T


--
~~
Computers are like air conditioners.
They malfunction when you open windows
~~


Re: How do I elevate in a script?

2014-04-30 Thread olli hauer
On 2014-04-30 20:02, ToddAndMargo wrote:
> On 04/30/2014 10:38 AM, Jeffrey Anderson wrote:
>> It seems to me that having a shell script prompt for the root password
>> is a recipe for disaster, but you can easily check to see if the user is
>> already root, and bail if not.
>>
> 
> That is what I currently do.  I am just wanting to get fancy:
> 
> if [ -z "`/usr/bin/whoami | grep root`" ]; then
>    echo ""
>    # ErrorSound
>    echo 'Dude!  You must be root to do this.'
>    echo "Try"
>    echo "su root -c \"updateffth $1\""
>    echo 'Exiting.   Bummer ...'
>    echo ""
>    Pause
>    exit 1
> fi
> 

sudo has the charm to create log entries, and can be easily automated.

What I miss in your example is a syslog call that someone unauthorized tried to 
execute the script.
Also I would replace pause with `sleep $num' or `read -t $num DUMMY' so in case 
the script is executed by cron it doesn't wait for a signal.
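
An added example, not code from any message in this thread: a root check that records the refused attempt through logger and pauses only when stdin is a terminal, so a cron run never waits. The function names, the LOGGER override and the auth.warning priority are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: refuse to run unless root, log the refusal, never block cron.

LOGGER=${LOGGER:-logger}   # assumption: overridable so the check can be tested

require_root() {
    # $1: tag for the log entry (script name), $2: numeric uid to check.
    tag=$1
    uid=$2
    [ "$uid" -eq 0 ] && return 0
    # Record who tried and from where; tty prints "not a tty" under cron.
    "$LOGGER" -p auth.warning -t "$tag" \
        "refused: must be root (uid=$uid user=$(id -un) tty=$(tty 2>/dev/null || true))"
    echo "$tag: you must be root to do this." >&2
    echo "Try: su root -c \"$tag\"" >&2
    return 1
}

pause_if_interactive() {
    # $1: seconds to wait. Without a terminal on stdin (cron, pipes) return
    # at once instead of waiting for a key that will never come.
    [ -t 0 ] || return 0
    printf 'Press Enter to continue (or wait %s s)... ' "$1"
    # read -t is a bash extension; this line is only reached on a terminal.
    read -r -t "$1" dummy || true
    echo
}

# At the top of the real script:
#   require_root "${0##*/}" "$(id -u)" || { pause_if_interactive 10; exit 1; }
```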


Re: How do I elevate in a script?

2014-04-30 Thread ToddAndMargo

On 04/30/2014 11:33 AM, olli hauer wrote:

On 2014-04-30 20:02, ToddAndMargo wrote:

On 04/30/2014 10:38 AM, Jeffrey Anderson wrote:

It seems to me that having a shell script prompt for the root password
is a recipe for disaster, but you can easily check to see if the user is
already root, and bail if not.



That is what I currently do.  I am just wanting to get fancy:

if [ -z "`/usr/bin/whoami | grep root`" ]; then
   echo ""
   # ErrorSound
   echo 'Dude!  You must be root to do this.'
   echo "Try"
   echo "su root -c \"updateffth $1\""
   echo 'Exiting.   Bummer ...'
   echo ""
   Pause
   exit 1
fi



sudo has the charm to create log entries, and can be easily automated.


I find sudo "annoying".  I do use it for some things though.



What I miss in your example is a syslog call that someone unauthorized tried to 
execute the script.


I am not sure that is necessary.  This is just
a script to install new Firefox or Thunderbird binaries,
update links, and remove old binaries.

$ logger -p user.notice -t test "testing 123"

Would do the job.  Perhaps after they goofed "su"

Maybe even one to say the job completed.  Probably
not.  You get that when you run the script


Also I would replace pause with `sleep $num' or `read -t $num DUMMY' so in case 
the script is executed by cron it doesn't wait for a signal.


You missed "P" in "Pause"

Pause () {
   echo ""
   read -n 1 -s -p "Press any key to continue..."
   echo ""
}

Since this is meant to run from the command line,
I am not even sure I need it.

Thank you for the tips!

-T



--
~~
Computers are like air conditioners.
They malfunction when you open windows
~~