Re: How do I elevate in a script?
On 29 April 2014 15:20, ToddAndMargo wrote:

> Hi All,
>
> I have a bash script that need to be run as root.
> In the script, I check to see if it is running as
> root and flag the user to run appropriately.
>
> Is there a way to use "su" to prompt for the password
> and continue the script if successful? (I would test for
> $? after the prompt.)
>
> Currently "su" will just open a new shell as root.
>
> I can run a command inside "su", but what about the
> other 200 lines of code? :'(

The best you can do is run the script itself via su.. and that leads to all kinds of interesting problems. Generally it is better to have the user type the command themselves as root versus trying to be helpful inside of the shell.

> Many thanks,
> -T
>
> --
> ~~
> Computers are like air conditioners.
> They malfunction when you open windows
> ~~

--
Stephen J Smoogen.

Re: How do I elevate in a script?
The way I have done this in the past (using ksu rather than su) is to:

#!/bin/bash
#
if [ "$UID" -eq 0 ]
then
    # already root
    : portion of script to run as root
else
    # not root: run this script again through ksu, passing the arguments on
    ksu "$0" "$@"
    if [ "$?" -ne 0 ]
    then
        echo "ksu failed!"
        exit 1
    else
        : portion of script to run as non-root
    fi
fi
#
exit

-Keith.

On Apr 29, 2014, at 2:20 PM, ToddAndMargo wrote:

> Hi All,
>
> I have a bash script that need to be run as root.
> In the script, I check to see if it is running as
> root and flag the user to run appropriately.
>
> Is there a way to use "su" to prompt for the password
> and continue the script if successful? (I would test for
> $? after the prompt.)
>
> Currently "su" will just open a new shell as root.
>
> I can run a command inside "su", but what about the
> other 200 lines of code? :'(
>
> Many thanks,
> -T
>
> --
> ~~
> Computers are like air conditioners.
> They malfunction when you open windows
> ~~

RE: How do I elevate in a script?
You can use the suid permissions bit. But be very careful to not let your script be hijacked.

I think there might be an option to the "su" command which will let you run a script as another user. You can then split your script into two parts, have the first part do things and then call

su power-user -c "/home/bin/newscript"

Something like that. My syntax is probably bad.

-Original Message-
From: ToddAndMargo [mailto:toddandma...@zoho.com]
Sent: Tuesday, April 29, 2014 1:20 PM
To: Scientific Linux Users
Subject: How do I elevate in a script?

Hi All,

I have a bash script that need to be run as root.
In the script, I check to see if it is running as
root and flag the user to run appropriately.

Is there a way to use "su" to prompt for the password
and continue the script if successful? (I would test for
$? after the prompt.)

Currently "su" will just open a new shell as root.

I can run a command inside "su", but what about the
other 200 lines of code? :'(

Many thanks,
-T

--
~~
Computers are like air conditioners.
They malfunction when you open windows
~~

Re: How do I elevate in a script?
On 4/29/14 3:20 PM, ToddAndMargo wrote:

> Currently "su" will just open a new shell as root.

"sudo -u root" and if they don't have the password all is safer. :)

--
<< MCT>> Michael C Tiernan xmpp:mtier...@mit.edu +1 (617) 324-9173
MIT - Laboratory for Nuclear Science - http://www.lns.mit.edu
High Perf Research Computing Facility at The Bates Linear Accelerator
Please avoid sending me MS-Word or MS-PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

Re: How do I elevate in a script?
On Tue, 2014-04-29 at 12:20 -0700, ToddAndMargo wrote:

> Hi All,
>
> I have a bash script that need to be run as root.
> In the script, I check to see if it is running as
> root and flag the user to run appropriately.
>
> Is there a way to use "su" to prompt for the password
> and continue the script if successful? (I would test for
> $? after the prompt.)
>
> Currently "su" will just open a new shell as root.
>
> I can run a command inside "su", but what about the
> other 200 lines of code? :'(

An interesting problem :-)

Something like this seems to work but I haven't thought through the consequences of it, so be aware:

-cut here-
#!/bin/sh

# name of this script, without its directory
this_script=$(basename "$0")

# not root yet: run this same script again through su, then stop
if [ "$(id -u)" -ne 0 ]
then
    echo "Enter root's password"
    su -c "./$this_script"
    exit
fi

# from here on we are root
echo "Hello world"
echo "Running as $(id -u)"
-cut here-

You probably need to do something with $PATH to obviate the need for the "./" on the su line.

Re: How do I elevate in a script?
On 04/29/2014 12:37 PM, Mark Whidby wrote:

> On Tue, 2014-04-29 at 12:20 -0700, ToddAndMargo wrote:
>> Hi All,
>>
>> I have a bash script that need to be run as root.
>> In the script, I check to see if it is running as
>> root and flag the user to run appropriately.
>>
>> Is there a way to use "su" to prompt for the password
>> and continue the script if successful? (I would test for
>> $? after the prompt.)
>>
>> Currently "su" will just open a new shell as root.
>>
>> I can run a command inside "su", but what about the
>> other 200 lines of code? :'(
>
> An interesting problem :-)
>
> Something like this seems to work but I haven't thought through
> the consequences of it, so be aware:
>
> -cut here-
> #!/bin/sh
>
> this_script=$(basename $0)
>
> if [ $(id -u) -ne 0 ]
> then
>     echo "Enter root's password"
>     su -c ./$this_script
>     exit
> fi
>
> echo "Hello world"
> echo "Running as $(id -u)"
> -cut here-
>
> You probably need to do something with $PATH to obviate the
> need for the "./" on the su line.

Hi Mark,

I get it. Fascinating!

If not root, call myself a second time with "su"

Thank you!

-T

--
~~
Computers are like air conditioners.
They malfunction when you open windows
~~

Re: How do I elevate in a script?
On Tue, Apr 29, 2014 at 3:20 PM, ToddAndMargo wrote:

> Hi All,
>
> I have a bash script that need to be run as root.
> In the script, I check to see if it is running as
> root and flag the user to run appropriately.
>
> Is there a way to use "su" to prompt for the password
> and continue the script if successful? (I would test for
> $? after the prompt.)

Is there any reason not to use "sudo", which has more sophisticated options and can better manage providing root privileges, with or without password authentication, for specific tools?

> Currently "su" will just open a new shell as root.
>
> I can run a command inside "su", but what about the
> other 200 lines of code? :'(
>
> Many thanks,
> -T

Put the code that must run as root in one file, which is *run* by a wrapper tool or wrapper script.

Re: How do I elevate in a script?
Hi Todd,

why don't you just use setuid ?
http://en.wikipedia.org/wiki/Setuid

You just change the script owner or group to root.
And put the s bit with the chmod command.
That's all.

Matthieu.

On Tuesday 29 April 2014 at 13:22 -0700, ToddAndMargo wrote:

> On 04/29/2014 12:37 PM, Mark Whidby wrote:
> > On Tue, 2014-04-29 at 12:20 -0700, ToddAndMargo wrote:
> >> Hi All,
> >>
> >> I have a bash script that need to be run as root.
> >> In the script, I check to see if it is running as
> >> root and flag the user to run appropriately.
> >>
> >> Is there a way to use "su" to prompt for the password
> >> and continue the script if successful? (I would test for
> >> $? after the prompt.)
> >>
> >> Currently "su" will just open a new shell as root.
> >>
> >> I can run a command inside "su", but what about the
> >> other 200 lines of code? :'(
> >
> > An interesting problem :-)
> >
> > Something like this seems to work but I haven't thought through
> > the consequences of it, so be aware:
> >
> > -cut here-
> > #!/bin/sh
> >
> > this_script=$(basename $0)
> >
> > if [ $(id -u) -ne 0 ]
> > then
> >     echo "Enter root's password"
> >     su -c ./$this_script
> >     exit
> > fi
> >
> > echo "Hello world"
> > echo "Running as $(id -u)"
> > -cut here-
> >
> > You probably need to do something with $PATH to obviate the
> > need for the "./" on the su line.
> >
>
> Hi Mark,
>
> I get it. Fascinating!
>
> If not root, call myself a second time with "su"
>
> Thank you!
>
> -T

Re: How do I elevate in a script?
The setuid is not honored for shell scripts, try it and you will see.

-Mark

On 4/30/2014 2:35 AM, Matthieu Guionnet wrote:

> Hi Todd,
> why don't you just use setuid ?
> http://en.wikipedia.org/wiki/Setuid
> You just change the script owner or group to root.
> And put the s bit with the chmod command.
> That's all.
>
> Matthieu.
>
> On Tuesday 29 April 2014 at 13:22 -0700, ToddAndMargo wrote:
>> On 04/29/2014 12:37 PM, Mark Whidby wrote:
>>> On Tue, 2014-04-29 at 12:20 -0700, ToddAndMargo wrote:
>>>> Hi All,
>>>>
>>>> I have a bash script that need to be run as root.
>>>> In the script, I check to see if it is running as
>>>> root and flag the user to run appropriately.
>>>>
>>>> Is there a way to use "su" to prompt for the password
>>>> and continue the script if successful? (I would test for
>>>> $? after the prompt.)
>>>>
>>>> Currently "su" will just open a new shell as root.
>>>>
>>>> I can run a command inside "su", but what about the
>>>> other 200 lines of code? :'(
>>>
>>> An interesting problem :-)
>>>
>>> Something like this seems to work but I haven't thought through
>>> the consequences of it, so be aware:
>>>
>>> -cut here-
>>> #!/bin/sh
>>>
>>> this_script=$(basename $0)
>>>
>>> if [ $(id -u) -ne 0 ]
>>> then
>>>     echo "Enter root's password"
>>>     su -c ./$this_script
>>>     exit
>>> fi
>>>
>>> echo "Hello world"
>>> echo "Running as $(id -u)"
>>> -cut here-
>>>
>>> You probably need to do something with $PATH to obviate the
>>> need for the "./" on the su line.
>>
>> Hi Mark,
>>
>> I get it. Fascinating!
>>
>> If not root, call myself a second time with "su"
>>
>> Thank you!
>>
>> -T

Re: How do I elevate in a script?
On Wed, Apr 30, 2014 at 3:35 AM, Matthieu Guionnet wrote:

> Hi Todd,
> why don't you just use setuid ?
> http://en.wikipedia.org/wiki/Setuid

Because the kernel does not permit this for scripts.

http://www.krenel.org/setuid-and-shell-scripts-explained/

Setuid shell scripts are begging to have environment variables set to abuse their suid privileges. There are *compelling* security reasons not to permit it.

> You just change the script owner or group to root.
> And put the s bit with the chmod command.
> That's all.
>
> Matthieu.
>
> On Tuesday 29 April 2014 at 13:22 -0700, ToddAndMargo wrote:
>> On 04/29/2014 12:37 PM, Mark Whidby wrote:
>> > On Tue, 2014-04-29 at 12:20 -0700, ToddAndMargo wrote:
>> >> Hi All,
>> >>
>> >> I have a bash script that need to be run as root.
>> >> In the script, I check to see if it is running as
>> >> root and flag the user to run appropriately.
>> >>
>> >> Is there a way to use "su" to prompt for the password
>> >> and continue the script if successful? (I would test for
>> >> $? after the prompt.)
>> >>
>> >> Currently "su" will just open a new shell as root.
>> >>
>> >> I can run a command inside "su", but what about the
>> >> other 200 lines of code? :'(
>> >
>> > An interesting problem :-)
>> >
>> > Something like this seems to work but I haven't thought through
>> > the consequences of it, so be aware:
>> >
>> > -cut here-
>> > #!/bin/sh
>> >
>> > this_script=$(basename $0)
>> >
>> > if [ $(id -u) -ne 0 ]
>> > then
>> >     echo "Enter root's password"
>> >     su -c ./$this_script
>> >     exit
>> > fi
>> >
>> > echo "Hello world"
>> > echo "Running as $(id -u)"
>> > -cut here-
>> >
>> > You probably need to do something with $PATH to obviate the
>> > need for the "./" on the su line.
>> >
>>
>> Hi Mark,
>>
>> I get it. Fascinating!
>>
>> If not root, call myself a second time with "su"
>>
>> Thank you!
>>
>> -T
>>
>

Re: How do I elevate in a script?
On 04/30/2014 12:35 AM, Matthieu Guionnet wrote:

> Hi Todd,
> why don't you just use setuid ?
> http://en.wikipedia.org/wiki/Setuid
> You just change the script owner or group to root.
> And put the s bit with the chmod command.
> That's all.
>
> Matthieu.

Hi Matthieu,

I really, really only want root to be able to run this script.

-T

--
~~
Computers are like air conditioners.
They malfunction when you open windows
~~

Re: How do I elevate in a script?
On 04/29/2014 10:21 PM, Nico Kadel-Garcia wrote:

> On Tue, Apr 29, 2014 at 3:20 PM, ToddAndMargo wrote:
>> Hi All,
>>
>> I have a bash script that need to be run as root.
>> In the script, I check to see if it is running as
>> root and flag the user to run appropriately.
>>
>> Is there a way to use "su" to prompt for the password
>> and continue the script if successful? (I would test for
>> $? after the prompt.)
>
> Is there any reason not to use "sudo", which has more sophisticated
> options and can better manage providing root privileges, with or
> without password authentication, for specific tools?

I want the user to either already be root or to be prompted for the root password.

I really don't like sudo.

>> Currently "su" will just open a new shell as root.
>>
>> I can run a command inside "su", but what about the
>> other 200 lines of code? :'(
>>
>> Many thanks,
>> -T
>
> Put the code that must run as root in one file, which is *run* by a
> wrapper tool or wrapper script.

It all has to be run as root.

I like the call myself option with "su"

-T

--
~~
Computers are like air conditioners.
They malfunction when you open windows
~~

Re: How do I elevate in a script?
It seems to me that having a shell script prompt for the root password is a recipe for disaster, but you can easily check to see if the user is already root, and bail if not.

On Wed, Apr 30, 2014 at 10:32 AM, ToddAndMargo wrote:

> On 04/29/2014 10:21 PM, Nico Kadel-Garcia wrote:
>
>> On Tue, Apr 29, 2014 at 3:20 PM, ToddAndMargo wrote:
>>
>>> Hi All,
>>>
>>> I have a bash script that need to be run as root.
>>> In the script, I check to see if it is running as
>>> root and flag the user to run appropriately.
>>>
>>> Is there a way to use "su" to prompt for the password
>>> and continue the script if successful? (I would test for
>>> $? after the prompt.)
>>>
>>
>> Is there any reason not to use "sudo", which has more sophisticated
>> options and can better manage providing root privileges, with or
>> without password authentication, for specific tools?
>>
>
> I want the user to either already be root or to
> be prompted for the root password.
>
> I really don't like sudo.
>
>
>>> Currently "su" will just open a new shell as root.
>>>
>>> I can run a command inside "su", but what about the
>>> other 200 lines of code? :'(
>>>
>>> Many thanks,
>>> -T
>>>
>>
>> Put the code that must run as root in one file, which is *run* by a
>> wrapper tool or wrapper script.
>>
>
> It all has to be run as root.
>
> I like the call myself option with "su"
>
>
> -T
>
>
> --
> ~~
> Computers are like air conditioners.
> They malfunction when you open windows
> ~~
>

--
Jeffrey Anderson | jdander...@lbl.gov
Lawrence Berkeley National Laboratory |
Office: 50A-5104E | Mailstop 50A-5101
Phone: 510 486-4208 | Fax: 510 486-4204

Re: How do I elevate in a script?
> It seems to me that having a shell script prompt for the root password is a
> recipe for disaster, but you can easily check to see if the user is already
> root, and bail if not.

I've been uneasy with that idea as well, although not to the point of imminent disaster ...

Different sites might have different rules for gaining root access. Some might not even permit su and require everything to go through sudo, or some other mechanism, perhaps as part of an auditing/logging process.

If it needs to run as root, I would just state that as a requirement, check for that condition, and output a clear error message if it's not met. Sometimes it's possible to "dumb things down" too much.

- Bluejay Adametz

Matter may be created or destroyed, but it may not be returned without a receipt.

Re: How do I elevate in a script?
On 04/30/2014 10:38 AM, Jeffrey Anderson wrote:

> It seems to me that having a shell script prompt for the root password
> is a recipe for disaster, but you can easily check to see if the user is
> already root, and bail if not.

That is what I currently do. I am just wanting to get fancy:

# compare the numeric uid; grepping whoami for "root" would also
# match any other user name that merely contains "root"
if [ "$(/usr/bin/id -u)" -ne 0 ]; then
    echo ""
    # ErrorSound
    echo 'Dude! You must be root to do this.'
    echo "Try"
    echo "su root -c \"updateffth $1\""
    echo 'Exiting. Bummer ...'
    echo ""
    Pause    # helper function defined elsewhere in the script
    exit 1
fi

Re: How do I elevate in a script?
On 04/30/2014 10:55 AM, Bluejay Adametz wrote:

>> It seems to me that having a shell script prompt for the root password is a
>> recipe for disaster, but you can easily check to see if the user is already
>> root, and bail if not.
>
> I've been uneasy with that idea as well, although not to the point of
> imminent disaster ...
>
> Different sites might have different rules for gaining root access.
> Some might not even permit su and require everything to go through
> sudo, or some other mechanism, perhaps as part of an auditing/logging
> process.
>
> If it needs to run as root, I would just state that as a requirement,
> check for that condition, and output a clear error message if it's not
> met. Sometimes it's possible to "dumb things down" too much.
>
> - Bluejay Adametz
>
> Matter may be created or destroyed, but it may not be returned without
> a receipt.

Hi Bluejay,

No root, no shirt, no shoes, no service is the way I wrote it. Maybe not the shirt or shoes. :-)

-T

--
~~
Computers are like air conditioners.
They malfunction when you open windows
~~

Re: How do I elevate in a script?
On 2014-04-30 20:02, ToddAndMargo wrote:

> On 04/30/2014 10:38 AM, Jeffrey Anderson wrote:
>> It seems to me that having a shell script prompt for the root password
>> is a recipe for disaster, but you can easily check to see if the user is
>> already root, and bail if not.
>>
>
> That is what I currently do. I am just wanting to get fancy:
>
> if [ -z "`/usr/bin/whoami | grep root`" ]; then
>     echo ""
>     # ErrorSound
>     echo 'Dude! You must be root to do this.'
>     echo "Try"
>     echo "su root -c \"updateffth $1\""
>     echo 'Exiting. Bummer ...'
>     echo ""
>     Pause
>     exit 1
> fi
>

sudo has the charm to create log entries, and can be easily automated.

What I miss in your example is a syslog call that someone unauthorized tried to execute the script.

Also I would replace pause with `sleep $num' or `read -t $num DUMMY' so in case the script is executed by cron it doesn't wait for a signal.

Re: How do I elevate in a script?
On 04/30/2014 11:33 AM, olli hauer wrote:

> On 2014-04-30 20:02, ToddAndMargo wrote:
>> On 04/30/2014 10:38 AM, Jeffrey Anderson wrote:
>>> It seems to me that having a shell script prompt for the root password
>>> is a recipe for disaster, but you can easily check to see if the user is
>>> already root, and bail if not.
>>
>> That is what I currently do. I am just wanting to get fancy:
>>
>> if [ -z "`/usr/bin/whoami | grep root`" ]; then
>>     echo ""
>>     # ErrorSound
>>     echo 'Dude! You must be root to do this.'
>>     echo "Try"
>>     echo "su root -c \"updateffth $1\""
>>     echo 'Exiting. Bummer ...'
>>     echo ""
>>     Pause
>>     exit 1
>> fi
>
> sudo has the charm to create log entries, and can be easily automated.

I find sudo "annoying". I do use it for some things though.

> What I miss in your example is a syslog call that someone unauthorized
> tried to execute the script.

I am not sure that is necessary. This is just a script to install new Firefox or Thunderbird binaries, update links, and remove old binaries.

$ logger -p user.notice -t test "testing 123"

Would do the job. Perhaps after they goofed "su"

Maybe even one to say the job completed. Probably not. You get that when you run the script

> Also I would replace pause with `sleep $num' or `read -t $num DUMMY' so
> in case the script is executed by cron it doesn't wait for a signal.

You missed "P" in "Pause"

Pause () {
    echo ""
    read -n 1 -s -p "Press any key to continue..."
    echo ""
}

Since this is meant to run from the command line, I am not even sure I need it.

Thank you for the tips!

-T

--
~~
Computers are like air conditioners.
They malfunction when you open windows
~~

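Added example, not part of any message in this thread: a POSIX sh preamble that hardens the "call myself through su" idea from Mark Whidby's message and takes up olli hauer's points about a syslog entry and not waiting for input under cron. The function names, the sample path and the sample arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: sq, build_su_command, script_abspath and require_root are
# illustrative names, not code from the thread.

# Single-quote one argument so it survives the extra shell started by su -c.
# (Trailing newlines inside an argument are not preserved.)
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the string handed to su -c: script path plus every original argument.
build_su_command() {
    cmd=$(sq "$1"); shift
    for arg in "$@"; do
        cmd="$cmd $(sq "$arg")"
    done
    printf '%s' "$cmd"
}

# Absolute, symlink-free directory plus file name, so the re-run does not
# depend on the current directory or on $PATH (the "./" problem).
script_abspath() {
    dir=$(CDPATH= cd -- "$(dirname -- "$1")" && pwd -P) || return 1
    if [ "$dir" = / ]; then dir=; fi
    printf '%s/%s' "$dir" "$(basename -- "$1")"
}

# Return 0 when already root; otherwise re-run this script through su and
# exit with su's status. Call as:  require_root "$@" || exit 1
require_root() {
    if [ "$(id -u)" -eq 0 ]; then
        PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH   # known PATH for root
        return 0
    fi
    tag=$(basename -- "$0")
    self=$(script_abspath "$0") || return 1
    if [ ! -t 0 ]; then
        # cron or a pipe: nobody can type a password, so log and refuse
        logger -p user.notice -t "$tag" "refused: uid $(id -u), no terminal"
        echo "$tag: must be run as root" >&2
        return 1
    fi
    echo "Enter root's password" >&2
    su root -c "$(build_su_command "$self" "$@")"
    rc=$?
    if [ "$rc" -ne 0 ]; then
        logger -p user.notice -t "$tag" "su or script failed (rc=$rc), uid $(id -u)"
    fi
    exit "$rc"
}

# Constructed sample: show the command string su would receive.
build_su_command /opt/example/updateffth "firefox 29.0" "it's new"
echo
```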