The officially official Devuan Forum!

#1 2019-07-06 18:44:02

siva
Member
Registered: 2018-01-25
Posts: 207

Passwordless root execution in scripts

I know what you're thinking, but bear with me.  I'm not sure the best way to phrase the question.  So, please consider the following situation.

I want to run a script with the following conditions:

- The script has to execute a task that only root can perform
- The script can only be executed as a user
- The user cannot be prompted to enter a password
- The user cannot execute the script by logging in as root or using sudo
- The user can log in as root or use sudo to modify permissions
- The commands su or sudo can be used in the script
- visudo cannot be accessed or modified

An example script could look like the following:

#!/bin/sh

tcpdump -h

But, please don't link me to the guides on running tcpdump as non-root.  If it's easier to follow, replace the command with any other app that, by default, requires root.

Alright, here's the section where I explain why I'm asking this.

Simply put, if I've ever had a script that needs to do this, I just do something like sudo tcpdump -h (using the previous example as a reference) and add a line to visudo.  On the other hand, apps like wicd seem to only need group access in order to perform wpasupplicant tasks (wireshark to perform tcpdump, etc).  I'm wondering how these are configured to do so.

I skimmed the wicd source and, maybe I'm looking in the wrong places, but I'm not really finding anything.

Last edited by siva (2019-07-06 18:45:03)


the thomos project
thomos support thread
cynwulf wrote: "You should get some more sleep and spend less time on forums."

#2 2019-07-06 19:58:54

chris2be8
Member
Registered: 2018-08-11
Posts: 63  

Re: Passwordless root execution in scripts

You can set up entries in /etc/sudoers to let members of a given group (or specific individuals) run specific commands via sudo without asking for a password. See the man page for sudoers for examples (and caveats).

Note that it's often safer to let them run a script you've written as root since the script can do any necessary checks before doing anything dangerous.

Chris

#3 2019-07-06 20:45:19

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 316

Re: Passwordless root execution in scripts

siva wrote:

apps like wicd seem to only need group access in order to perform wpasupplicant tasks (wireshark to perform tcpdump, etc).  I'm wondering how these are configured to do so.

The devices are under the ownership of the relevant groups, for example:

E485:~$ find /dev -group netdev
/dev/rfkill
E485:~$ ls -l /dev/rfkill
crw-rw-r-- 1 root netdev 10, 58 Jul  6 20:45 /dev/rfkill
E485:~$

So users in the netdev group can use rfkill(8).


Fabricando fit faber
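
The group-ownership check described in the post above, as an added example that is not part of the original thread: it takes an `ls -l` line such as the `/dev/rfkill` one and reports which permission class applies to a user. The function names, the user `alice` and the second sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pick the permission class that the
# kernel's discretionary access check applies to a user for one `ls -l` line.
# Not modelled: root's CAP_DAC_OVERRIDE bypass and POSIX ACLs (trailing "+").

# access_for "<ls -l line>" <user> "<space-separated groups of that user>"
# Prints "<class> <bits>", e.g. "group rw-".
access_for() {
    line=$1; user=$2; groups=$3
    # Split the line into fields: mode, link count, owner, group, ...
    set -f
    set -- $line
    set +f
    mode=$1; owner=$3; group=$4
    ubits=$(printf '%s' "$mode" | cut -c2-4)
    gbits=$(printf '%s' "$mode" | cut -c5-7)
    obits=$(printf '%s' "$mode" | cut -c8-10)
    # Exactly one class is used: owner first, then group, then other.
    # A group member never falls through to the "other" bits.
    if [ "$user" = "$owner" ]; then
        echo "owner $ubits"; return
    fi
    for g in $groups; do
        if [ "$g" = "$group" ]; then
            echo "group $gbits"; return
        fi
    done
    echo "other $obits"
}

# can_rw: succeeds only if the applicable class grants both read and write,
# which is what opening a device node read-write requires.
can_rw() {
    case $(access_for "$@") in
        *" rw"?) return 0 ;;
        *)       return 1 ;;
    esac
}

# Sample line copied from the post above; "alice" is a hypothetical user.
sample='crw-rw-r-- 1 root netdev 10, 58 Jul  6 20:45 /dev/rfkill'
for grp in "alice netdev" "alice"; do
    printf '%-14s -> %s\n' "$grp" "$(access_for "$sample" alice "$grp")"
done
# Constructed line: group bits deny, other bits allow; the member gets "---".
access_for 'crw----rw- 1 root netdev 10, 58 Jul  6 20:45 /dev/example' \
    alice "alice netdev"
```

Run against real nodes by feeding it `ls -l` output and the user's `id -Gn` list; a `group rw-` result on a device node means membership in that group is all that separates the user from the privileged operation.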
