Professional Web Applications Themes

disallowing root to run a script - Linux / Unix Administration

Hello, This may sound silly, but I have a script that should be run as another user. And I dont want people logging into the box as root and running it accidentely. Is there a way to put permissions on a script so root cannot run it but another user can? I have tried all combinations but root can always still run it. Thanks...

  1. #1

    Default disallowing root to run a script

    Hello,
    This may sound silly, but I have a script that should be run as another
    user. And I dont want people logging into the box as root and running
    it accidentely.
    Is there a way to put permissions on a script so root cannot run it but
    another user can? I have tried all combinations but root can always
    still run it.

    Thanks

    cconnell_1@lycos.com Guest

  2. #2

    Default Re: disallowing root to run a script

    On 29 Jun 2005 10:18:17 -0700, com wrote: 

    Put a test for user's real id and exit if root.

    man id
    Bit Guest

  3. #3

    Default Re: disallowing root to run a script

    Begin <googlegroups.com>
    On 2005-06-29, com <com> wrote: 

    People should not login as root uless they know what they can and cannot
    do, and even then only with the utmost care. That is the first issue.

    The second is that the actual check for effective uid is pretty
    simple, but as root one can do anything, so one can override that
    all pretty easily unless you code it in C and not a script.

     

    That's the point of being root, no?


    --
    j p d (at) d s b (dot) t u d e l f t (dot) n l .
    jpd Guest

  4. #4

    Default Re: disallowing root to run a script

    com wrote: 

    Why not assign the permissions to that user only? Root can run it so you
    don't have to worry about it.

    chown username file.format

    -stackheap
    stackheap Guest

  5. #5

    Default Re: disallowing root to run a script

    <com> wrote: 

    Meaning set-uid? Or just that it should be run as any user but root?
     

    If you have people logging in as root and accidentally running things, you're
    in for trouble.
     

    Put a check inside the script (see the "id" command) that makes it print an
    error and exit if run by root.
    --
    Mark Rafn net <http://www.dagon.net/>
    Mark Guest

  6. #6

    Default Re: disallowing root to run a script



    Mark Rafn wrote: 
    >
    > Meaning set-uid? Or just that it should be run as any user but root?

    >
    > If you have people logging in as root and accidentally running things, you're
    > in for trouble.

    >
    > Put a check inside the script (see the "id" command) that makes it print an
    > error and exit if run by root.
    > --
    > Mark Rafn net <http://www.dagon.net/>[/ref]

    Thanks for the suggestions. I will look at modifying the script to
    return the message if run as root and also to put a chown command in
    there somewhere to set proper file ownership. On another note, with
    setuid, I always thought it lets a user run a script with root
    permissions as though root is running it, is there an opposite, i.e. if
    root runs the script, then it will be executed as though the other user
    runs it?
    One of the problems is that when the script is run as root, it creates
    files which are naturally owned by root, then deletes them. When the
    script is run by the user it is supposed to be run as, there is a
    permissions error when the script runs.

    cconnell_1@lycos.com Guest

  7. #7

    Default Re: disallowing root to run a script

    On 30 Jun 2005 01:02:14 -0700, com
    <com> wrote: 
    Setuid usually doesn't work with scripts, but a setuid program runs as
    its owner, which is usually root.


    --
    Tonight you will pay the wages of sin; Don't forget to leave a tip.
    Bill Guest

  8. #8

    Default Re: disallowing root to run a script

    <com> wrote: 

    That's the most common use (except it doesn't work on most scripts, it works
    only on binaries or scripts whose processor directly supports suid usage (perl
    is the only common one I know that does this).

    However what it really does is to make the process run as if the owner of the
    program had run it. That owner does not have to be root.
     

    Yup, if it's owned by "apache" and suid (and a program, not a shell script),
    then it will execute as "apache" even if it's root who starts it.
     

    One good way to handle this is to write the program such that it doesn't
    matter who's running it. Create a unique temporary directory for tempfiles,
    so multiple invocations won't step on each other. User-specific files go in
    $HOME, so multiple users won't step on each other. Shared files should
    be created with appropriate permissions that it doesn't matter who owns them.
    --
    Mark Rafn net <http://www.dagon.net/>
    Mark Guest

  9. #9

    Default Re: disallowing root to run a script

    Simple enough-

    Set this:
    USERID=`who am i | cut -d" " -f1`

    Then, this, at the head of your script(s).
    if [ "$USERID" = "root" ]
    then
    echo "\n"
    echo "You can not run this script as 'root'."
    echo "\n"
    exit
    fi

    Knox@XPD8 Guest

  10. #10

    Default Re: disallowing root to run a script

    KnoxXPD8 wrote: 

    Root is not always the only UID with 0. Better
    to use "id -u", store that into a variable, and
    compare numerically against 0.

    Even more fancy, bracket in some code that
    forbids interupting out.

    Doug Guest

  11. #11

    Default Re: disallowing root to run a script

    Good point, and thank you Doug. When I was just 'babbling' the code,
    did not take into account that root is not always the 1st (or 0) user
    id.

    Knox@XPD8 Guest

  12. #12

    Default Re: disallowing root to run a script

    On 2005-07-07, Doug Freyburger wrote: 
    >
    > Root is not always the only UID with 0. Better
    > to use "id -u", store that into a variable, and
    > compare numerically against 0.[/ref]

    Any user with UID == 0 is, to all intents and purposes, root.

    The result of "id -u" will be the same for all of them (obviously,
    it is going to be 0).

    --
    Chris F.A. Johnson <http://cfaj.freeshell.org>
    ================================================== ================
    Shell Scripting Recipes: A Problem-Solution Approach, 2005, Apress
    <http://www.torfree.net/~chris/books/cfaj/ssr.html>
    Chris Guest

Similar Threads

  1. A startup script with root permissions?
    By Toby Newman in forum Ubuntu
    Replies: 8
    Last Post: January 3rd, 01:26 PM
  2. Perl script to switch user to root.
    By Silky in forum PERL Beginners
    Replies: 3
    Last Post: March 5th, 09:46 AM
  3. mod_perl script run from root URI
    By r.daneel in forum PERL Modules
    Replies: 0
    Last Post: February 25th, 10:55 PM
  4. Replies: 4
    Last Post: July 17th, 09:24 AM
  5. perl script generates sendmail NOQUEUE: connect from rootlocalhost
    By Jhary-a-Conel in forum PERL Miscellaneous
    Replies: 2
    Last Post: July 3rd, 11:27 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139