If there are multiple matching entries in /etc/sudoers, sudo uses the last one. Therefore, if you can execute any command with a password prompt, and you want to be able to execute a particular command without a password prompt, you need the exception last.

    myusername ALL = (root) NOPASSWD: /path/to/my/program

Note the use of (root), to allow the program to be run as root but not as other users. (Don't give more permissions than the minimum required unless you've thought out the implications.)

Note for readers who aren't running Ubuntu or who have changed the default sudo configuration (Ubuntu's sudo is ok by default): Running shell scripts with elevated privileges is risky, you need to start from a clean environment (once the shell has started, it's too late (see Allow setuid on shell scripts), so you need sudo to take care of that). Make sure that you have Defaults env_reset in /etc/sudoers or that this option is the compile-time default (sudo sudo -V | grep env should include Reset the environment to a default set of variables).


WARNING: This answer has been deemed insecure. See comments below.

Complete Solution: The following steps will help you achieve the desired output:

1. Create a new script file (replace create_dir.sh with your desired script name): vim ~/create_dir.sh
   The script will be created in the user's home directory.
2. Add some commands that only a root or sudo user can execute, like creating a folder at the root directory level: mkdir /abc
3. Save and exit (using :wq!)
4. Assign execute permissions to it using: sudo chmod u+x create_dir.sh
5. Make changes so that this script doesn't require a password.
   Open the sudoers file: sudo visudo -f /etc/sudoers
   Add the following line at the end: ahmad ALL=(root) NOPASSWD: /home/ahmad/create_dir.sh
   Replace ahmad with whatever your username is.
6. Now when running the command add sudo before it like: sudo.
   This will run the commands inside the script file without asking for a password.


Another possibility might be to install, configure, then use the super command to run your script as

    super /path/to/your/script

If you want to run some binary executable (e.g. that you have compiled into ELF binary from some C source code) - which is not a script - as root, you might consider making it setuid (and actually /bin/login, /usr/bin/sudo and /bin/su and super are all using that technique). Concretely, your program should be paranoically coded (so check all arguments and the environment and outside conditions before "acting", assuming a potentially hostile user), then you could use seteuid(2) and friends (see also setreuid(2)) carefully (see also capabilities(7) & credentials(7) & execve(2)). However, be very careful, you could open a huge security hole. You'll use chmod u+s (read chmod(1)) when installing such a binary. Read many things about setuid, including Advanced Linux Programming, before coding such a thing. Notice that a script, or any shebang-ed thing, cannot be setuid. But you could code (in C) a small setuid-binary wrapping it. Be aware that on Linux, application code interacts with the Linux kernel using syscalls(2). GNU bash, GNU make, GNU gdb, GNOME) are open source: you are allowed to download, then study and contribute to their source code.


Ideally if you are customizing what commands can be run via sudo you should be making these changes in a separate file under /etc/sudoers.d/ instead of editing the sudoers file directly. You should also always use visudo to edit the file(s). You should NEVER grant NOPASSWD on ALL commands.

    sudo visudo -f /etc/sudoers.d/mynotriskycommand

    myuser ALL= NOPASSWD: /path/to/your/program

Then save and exit and visudo will warn you if you have any syntax errors. You can run sudo -l to see the permissions that your user has been granted; if any of the user specific NOPASSWD commands appear BEFORE any %groupyouarein ALL=(ALL) ALL command in the output, you will be prompted for your password. If you find yourself creating lots of these sudoers.d files then perhaps you will want to create them named per user so they are easier to visualize. Keep in mind that the ordering of the FILE NAMES and of the RULES within the file is very important: the LAST one loaded wins, whether it is MORE or LESS permissive than the previous entries. You can control the file name ordering by using a prefix of 00-99 or aa/bb/cc, though also keep in mind that if you have ANY files that don't have a numeric prefix, they will load after the numbered files, overriding the settings.
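The "last match wins" ordering described in the sudoers.d answer above is easy to get wrong, so here is an added simulator (not code from the page or from sudo itself) that models how sudo walks the fragments of /etc/sudoers.d: file names are sorted lexically, names containing a dot or ending in ~ are skipped (sudoers(5)), and the last rule that matches the user and command decides whether a password is needed. The file names, the group membership of "myuser", and the command /usr/local/bin/backup are constructed sample data; host matching, wildcards and Defaults are not modelled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One parsed sudoers rule of the form
 *   who  ALL = (runas)  [NOPASSWD:]  command
 * where "who" is a user name or, with a leading '%', a group name. */
struct rule {
    const char *who;
    const char *runas;
    int nopasswd;
    const char *cmd;
};

/* One fragment under /etc/sudoers.d/ (constructed sample data, not real files). */
struct fragment {
    const char *name;
    const struct rule *rules;
    int nrules;
};

/* Outcome of the lookup: denied, allowed with password, allowed without. */
enum verdict { DENIED = 0, PASSWD = 1, NOPASSWD = 2 };

/* Toy group membership: assume "myuser" is a member of the admin group "sudo". */
static int in_group(const char *user, const char *group) {
    return strcmp(user, "myuser") == 0 && strcmp(group, "sudo") == 0;
}

static int rule_matches(const struct rule *r, const char *user, const char *cmd) {
    int who_ok = (r->who[0] == '%') ? in_group(user, r->who + 1)
                                    : strcmp(r->who, user) == 0;
    int cmd_ok = strcmp(r->cmd, "ALL") == 0 || strcmp(r->cmd, cmd) == 0;
    return who_ok && cmd_ok;
}

/* sudoers(5): #includedir files are read in sorted lexical order, and names
 * that contain a '.' or end in '~' are ignored entirely (editor backups, .conf). */
static int skipped(const char *name) {
    size_t n = strlen(name);
    return strchr(name, '.') != NULL || (n > 0 && name[n - 1] == '~');
}

static int by_name(const void *a, const void *b) {
    return strcmp(((const struct fragment *)a)->name,
                  ((const struct fragment *)b)->name);
}

/* Walk every rule in load order; the last matching rule decides.
 * The fragment array is sorted in place to mimic the directory scan. */
enum verdict evaluate(struct fragment *frags, int nfrags,
                      const char *user, const char *cmd) {
    enum verdict v = DENIED;
    qsort(frags, nfrags, sizeof *frags, by_name);
    for (int f = 0; f < nfrags; f++) {
        if (skipped(frags[f].name)) continue;
        for (int i = 0; i < frags[f].nrules; i++) {
            const struct rule *r = &frags[f].rules[i];
            if (rule_matches(r, user, cmd))
                v = r->nopasswd ? NOPASSWD : PASSWD;
        }
    }
    return v;
}

/* Constructed scenario: the group rule sits in a file with no numeric prefix. */
static const struct rule admin_rules[] = { { "%sudo", "ALL", 0, "ALL" } };
static const struct rule mine_rules[]  = { { "myuser", "root", 1, "/usr/local/bin/backup" } };

/* Two-file layout where only the name of the per-user fragment varies. */
enum verdict check_layout(const char *userfile_name) {
    struct fragment frags[2] = {
        { "admins", admin_rules, 1 },
        { userfile_name, mine_rules, 1 },
    };
    return evaluate(frags, 2, "myuser", "/usr/local/bin/backup");
}

int main(void) {
    printf("00-myuser   -> %d (group rule loads later: password asked)\n", check_layout("00-myuser"));
    printf("zz-myuser   -> %d (user rule loads last: no password)\n", check_layout("zz-myuser"));
    printf("myuser.conf -> %d (file skipped because of the dot)\n", check_layout("myuser.conf"));
    return 0;
}
```

On a stock Ubuntu the %sudo ALL=(ALL) ALL line lives in /etc/sudoers itself, and the includedir directive is the last line of that file, so every fragment in /etc/sudoers.d is read after it; the conflict shown here arises once the group rule is also moved into a fragment. The third case is the caveat worth remembering: a fragment named with a dot is not rejected by visudo, it is silently never loaded, so `sudo -l` is the check that tells you what actually took effect.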
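The setuid answer above says a wrapper must check its arguments and its environment before acting, and the env_reset note makes the same point for sudo. This added example (written here, not code from any answer or from sudo/super) shows the shape of such a C wrapper: a fixed absolute target path, a single operand restricted to an allowlisted character set, a fixed environment instead of the caller's, standard descriptors guaranteed open, and an exec only after the real and effective uid agree. TARGET, the job-name operand and the PATH value are placeholders; the binary is assumed to be installed root-owned with chmod u+s.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>

/* Nothing about the command comes from the caller except one operand that must
 * pass safe_arg(). The target path is a hypothetical placeholder. */
#define TARGET  "/usr/local/sbin/backup-run"
#define MAX_ARG 64

/* Fixed, minimal environment handed to the target (placeholder values);
 * the caller's environment (LD_PRELOAD, PATH, IFS, ...) is never inherited. */
static char *const clean_env[] = {
    "PATH=/usr/sbin:/usr/bin:/sbin:/bin",
    "IFS= \t\n",
    NULL
};

/* Accept only short operands made of [A-Za-z0-9_-] that do not start with '-',
 * so the operand cannot become an option, a path or shell metacharacters. */
int safe_arg(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > MAX_ARG || s[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok) return 0;
    }
    return 1;
}

/* Number of entries in the fixed environment (exposed so it can be checked). */
int clean_env_len(void) {
    int n = 0;
    while (clean_env[n]) n++;
    return n;
}

/* If the caller closed fd 0, 1 or 2, the target's first open() would land on a
 * standard descriptor and its error output could overwrite that file. Point any
 * closed standard fd at /dev/null first. Returns 0 on success, -1 on failure. */
int ensure_std_fds(void) {
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) == -1 && errno == EBADF) {
            int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
            if (nfd != fd) return -1;   /* open() returns the lowest free fd */
        }
    }
    return 0;
}

int main(int argc, char **argv) {
    if (argc != 2 || !safe_arg(argv[1])) {
        fprintf(stderr, "usage: wrapper <job-name>\n");
        return 2;
    }
    if (ensure_std_fds() != 0) return 1;
    umask(077);

    /* Make real uid == effective uid so the target does not run in a
     * half-privileged state; refuse to continue if that is not possible
     * (for example because the binary is not actually setuid root). */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }

    char *const args[] = { TARGET, argv[1], NULL };
    execve(TARGET, args, clean_env);   /* absolute path: no PATH lookup */
    perror("execve");
    return 1;
}
```

If the privileged work only needs a service account rather than root, call setuid() with that account's uid instead of 0; the rest of the structure stays the same. The wrapper still has to trust TARGET itself, so that file and every directory above it must be writable only by root, which is the same condition the answer's chmod u+s installation step implies.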