29

How to make a script execute as root, no matter who executes it?

I read about setuid but I'm not sure how to do this.

I'm using Linux, Ubuntu 12.04 LTS.

Deltik
  • 19,353
  • 17
  • 73
  • 114
HappyDeveloper
  • 1,513
  • 8
  • 19
  • 34
  • Which Linux distribution are you on? Or Unix, even? – slhck Jun 22 '12 at 19:40
  • @slhck Linux, Ubuntu 12 – HappyDeveloper Jun 22 '12 at 19:41
  • 3
    `setuid` won't work on scripts — it's disabled for security reasons on most *nix distributions these days. You can set it, but it'll be ignored. Maybe you can explain more about your actual problem so we can help you solve this instead? What script is it? Why do you need it to be executed as root? Is using `sudo` an alternative? – slhck Jun 22 '12 at 19:45
  • Have you tried `sudo -s`? – Nam Phung Jun 22 '12 at 20:05

4 Answers4

31

Be really careful: scripts combined with setuid are dangerous!

First, please have a look on this question/answers, especially on this answer and security warning.

If you still want to execute your script with setuid set, then you can write a short C program as wrapper and set the setuid bit on the compiled binary.

Wrapper example:

int main(void) {        
    setuid(0);
    clearenv();
    system("/absolute/path/to/your/script.sh");
}

Another solution using sudo (mentioned here):

  1. As root, prevent write (and maybe other) access to your script:

    chown root /absolute/path/to/your/script.sh
chmod 700 /absolute/path/to/your/script.sh

  2. Verify that noone except root can replace the script, e.g. by modifying the access rights of the parent folder:

    chown root /absolute/path/to/your/
chmod 755 /absolute/path/to/your/

  3. Modify sudo access rights in /etc/sudoers with visudo:

    ALL    ALL = (root) NOPASSWD: /absolute/path/to/your/script.sh

    More details about the settings (e.g. restricting access to specific users or groups) can be found in the sudoers manpage.

Afterwards, all users can run the script as root without password:

sudo /absolute/path/to/your/script.sh

This is similar to using the wrapper/setuid solution above.

Community
  • 1
speakr
  • 3,807
  • 23
  • 22
  • 3
    The specific dangers aren't very obvious, but they revolve heavily around the environment. Unlike most programs, a shell script's behavior can be changed significantly by dozens of environment variables, enough so that without extensive safeguards, such a script can easily be tricked into executing arbitrary code. – Stephanie Jun 22 '12 at 21:20
  • 1
    You should add a call to clearenv() before the system call in that wrapper, completely blowing away the environment so that no evil settings are around to manipulate the script. http://www.kernel.org/doc/man-pages/online/pages/man3/clearenv.3.html – Stephanie Jun 22 '12 at 21:27
  • @Stephanie I must be doing something wrong, because all this looks too crazy for a common task. This is what I'm trying to do: http://serverfault.com/questions/401405/how-to-activate-iptables-after-connecting-to-vpn – HappyDeveloper Jun 22 '12 at 21:29
  • @HappyDeveloper Not too crazy for a setuid script, since a poorly secured one is a path to root for anyone that manages to run it. – Stephanie Jun 22 '12 at 21:32
  • 4
    `sudo` can be used to give all users access to a particular program (or script). In that sense, it acts as a fancy setuid wrapper. It seems like that would typically be a better choice than writing your own setuid wrapper. – jjlin Jun 22 '12 at 21:52
  • I used the first solution (setuid), because I need it to be executed automatically after logging in, without asking for a password. And I don't like removing the password from sudo. Also, I might need that the script be executed by non sudoers – HappyDeveloper Jun 22 '12 at 23:38
  • @HappyDeveloper You are just removing the sudo password when used with _that specific script_. Other commands are not affected. Also, you can specify _ALL_ as user alias to allow all users access to run the script. I modified my answer accordingly. – speakr Jun 23 '12 at 10:25
  • @speakr It seems not work on Ubuntu. `setuid(0)` returns -1. – John Feb 07 '21 at 08:32
  • @John I just tried it on Ubuntu and it works as expected. Did you set the setuid bit on the binary and did you chown the binary to root? – speakr Feb 08 '21 at 17:11
4

Easiest and safest way is to use SETUID bits in file permissions. that way command permissions will be elevated to file owner permissions.

to prevent script from edition do not set write for everyone bits.

Tadas
  • 41
  • 1
0

I don't know if this may be useful but, to make the script only run as root, you could use this shebang on the first line of the script:

#!/bin/su root
alexandre1985
  • 163
  • 8
0

Stumbled across this question when I was searching for a snippet like this:

[ "$(id -u)" != 0 ] && exec sudo "$0"

Adding this to the top of a script will preface it with sudo and ensure it'll always run as root, allowing us to run our script as ./hello.sh. Of course, sudo will still ask for a password, but the accepted answer will help avoid that.

Andrey Kaipov
  • 101
  • 1