Bash script as root problem

Bill K. Dengler billkd2008 at gmail.com
Sat Mar 16 22:50:36 UTC 2013



#Less hacky fix
#add to the top of my previous reply
#if the script is supposed to be non interactive, and you are running it in an environment
#where you know it will never be run with sudo -i or su - or similar
#then this is not required.
echo "in order for this script to work properly, parts of it need to be run as superuser, and other parts do not."
if [ "$USER" == "root" ]
then
    echo "since you have called this script from either \"sudo -i\", \"su -\", or by logging in as root, we will need to know the name of a non root user to run our commands as."
    read -p "please enter your username followed by enter" suuser
else
    echo "we believe that the correct non superuser to run parts of this script as is $USER"
    read -p "am I correct? y/n" -n 1 yn
    if [ "$yn" == "n" ]
    then
        read -p "then, enter the correct name of the non superuser" suuser
    else
        suuser=$USER
    fi
fi

On 03/16/2013 06:35 PM, William Scott Lockwood III wrote:
> On Sat, Mar 16, 2013 at 5:23 PM, Johnny Rosenberg 
> <gurus.knugum at gmail.com> wrote:
>> 2013/3/16 Amichai Rotman <amichai at iglu.org.il>:
>>> Maybe by tweaking sudo: create a user, add it to sudoers and
>>> allow him to run only the commands you want.
>> 
>> I'm not sure how that is going to solve the problem, but maybe
>> that's because I am not very good at this.
>> 
>> This is what my problem looks like:
>> 
>> MyScript.sh:
>> #!/bin/bash
>> 
>> Command_0
>> Command_1
>> Command_2
>> Command_3
>> Command_4
>> Command_5
>> Command_6
>> Command_7
>> Command_8
>> Command_9
>> # End of script
>> 
>> Run the script:
>> sudo ./MyScript.sh
>> 
>> Now all of the ten commands run as root, right? But let's assume
>> that I want Command_7 to run as user. Like this:
>> 
>> MyScript.sh:
>> #!/bin/bash
>> 
>> sudo Command_0
>> sudo Command_1
>> sudo Command_2
>> sudo Command_3
>> sudo Command_4
>> sudo Command_5
>> sudo Command_6
>> Command_7
>> sudo Command_8
>> sudo Command_9
>> # End of script
>> 
>> Run the script:
>> ./MyScript.sh
>> 
>> I heard somewhere, though, that running commands with sudo in a
>> script is not the recommended way to do it. So I guess I need
>> something like this (written in some kind of pseudo code):
>> 
>> MyScript.sh:
>> #!/bin/bash
>> 
>> Command_0
>> Command_1
>> Command_2
>> Command_3
>> Command_4
>> Command_5
>> Command_6
>> sudonot Command_7 # don't run this command as root
>> Command_8
>> Command_9
>> # End of script
>> 
>> Run the script:
>> sudo ./MyScript.sh
>> 
>> 
>> Johnny Rosenberg
>> 
>>> 
>>> Amichai.
>>> 
>>> Sent from my Android Smartphone
>>> 
>>> On Mar 16, 2013 11:35 PM, "Johnny Rosenberg"
>>> <gurus.knugum at gmail.com> wrote:
>>>> 
>>>> I have a bash script that I am going to run as root (sudo 
>>>> script_name), but in that script there is a line that I want
>>>> to be executed as a regular user. Is that possible or do I
>>>> need to do it the other way around, that is enter sudo at the
>>>> beginning of every line except the one that I need to be run
>>>> as a user?
>>>> 
>>>> 
>>>> Johnny Rosenberg
>>>> 
>>>> -- ubuntu-users mailing list ubuntu-users at lists.ubuntu.com 
>>>> Modify settings or unsubscribe at: 
>>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
> 
> There is nothing wrong with having sudo in a script. Just make
> sure it's not running as YOU, and that the only things it has
> permission to run with sudo are what you have defined in the
> script, and always call those things by absolute path. So, for
> example if user walle has permissions via sudoers to run
> importantscript1, make sure of two things: That it is specified by
> absolute path in the sudoers file (and that you call it that way),
> and that the script is locked down such that user walle can't edit
> it. Then you can set up cron jobs to allow walle to run certain
> maintenance jobs for you without the risk that an attacker will put
> a script in walle's path before the location of the script, but
> with the same name, whose whole job is to give the attacker
> unrestricted root. Thus, walle can be allowed to run sudo as root
> without a password and without giving away the keys to the box.
> 
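
Added example, not part of the original message or thread: one way to get the "sudonot" behaviour asked about above when the script is started with sudo, using the SUDO_USER variable that sudo sets to the invoking account. The function names, the sample account names and the /usr/bin/sudo location are assumptions made for this illustration.

```shell
#!/bin/bash
# Added example (not from the thread). Function names are hypothetical.

# pick_unpriv_user EUID SUDO_USER_VALUE CURRENT_NAME
# Prints the account that non-root steps should run as.
# Returns 1 when no safe account is known (e.g. a direct root login).
pick_unpriv_user() {
    local euid="$1" sudo_user="$2" current="$3" candidate
    if [ "$euid" -ne 0 ]; then
        candidate=$current      # already unprivileged: nothing to drop
    else
        candidate=$sudo_user    # root via sudo: sudo recorded the caller here
    fi
    # Refuse empty names, root itself, option-like names and shell metacharacters.
    case $candidate in
        ''|root|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$candidate"
}

# run_unprivileged CMD [ARGS...]: run one command without root rights.
run_unprivileged() {
    local user
    user=$(pick_unpriv_user "$(id -u)" "${SUDO_USER:-}" "$(id -un)") || {
        echo "cannot determine a non-root user; start this script with sudo" >&2
        return 1
    }
    if [ "$(id -u)" -eq 0 ]; then
        # Absolute path (assumed Ubuntu location) so PATH cannot substitute sudo.
        /usr/bin/sudo -u "$user" -- "$@"
    else
        "$@"
    fi
}

# Layout of the script from the thread, started as: sudo ./MyScript.sh
#   Command_0 ... Command_6
#   run_unprivileged Command_7
#   Command_8 Command_9

# Constructed inputs showing what each start method resolves to:
pick_unpriv_user 0 alice root            # sudo from alice's login
pick_unpriv_user 1000 '' bob             # run directly by bob
pick_unpriv_user 0 '' root || echo "refused: root login, no SUDO_USER"
```

With "sudo -i", "su -" or a direct root login there is no usable SUDO_USER for the script's own purposes, so run_unprivileged fails closed instead of guessing an account.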
