disallowing root to run a script - Unix

  1. disallowing root to run a script

    Hello,
    This may sound silly, but I have a script that should be run as another
    user. And I don't want people logging into the box as root and running
    it accidentally.
    Is there a way to put permissions on a script so root cannot run it but
    another user can? I have tried all combinations but root can always
    still run it.

    Thanks


  2. Re: disallowing root to run a script

    On 29 Jun 2005 10:18:17 -0700, cconnell_1@lycos.com wrote:
    > Hello,
    > This may sound silly, but I have a script that should be run as another
    > user. And I don't want people logging into the box as root and running
    > it accidentally.


    Put a test for user's real id and exit if root.

    man id

  3. Re: disallowing root to run a script

    On 2005-06-29, cconnell_1@lycos.com wrote:
    > Hello,
    > This may sound silly, but I have a script that should be run as another
    > user. And I don't want people logging into the box as root and running
    > it accidentally.


    People should not log in as root unless they know what they can and cannot
    do, and even then only with the utmost care. That is the first issue.

    The second is that the actual check for effective uid is pretty
    simple, but as root one can do anything, so one can override that
    all pretty easily unless you code it in C and not a script.


    > Is there a way to put permissions on a script so root cannot run it but
    > another user can? I have tried all combinations but root can always
    > still run it.


    That's the point of being root, no?


    --
    j p d (at) d s b (dot) t u d e l f t (dot) n l .

  4. Re: disallowing root to run a script

    cconnell_1@lycos.com wrote:
    > Hello,
    > This may sound silly, but I have a script that should be run as another
    > user. And I don't want people logging into the box as root and running
    > it accidentally.
    > Is there a way to put permissions on a script so root cannot run it but
    > another user can? I have tried all combinations but root can always
    > still run it.
    >
    > Thanks
    >


    Why not assign the permissions to that user only? Root can run it so you
    don't have to worry about it.

    chown username file.format

    -stackheap

  5. Re: disallowing root to run a script

    wrote:
    >This may sound silly, but I have a script that should be run as another
    >user.


    Meaning set-uid? Or just that it should be run as any user but root?

    >And I don't want people logging into the box as root and running
    >it accidentally.


    If you have people logging in as root and accidentally running things, you're
    in for trouble.

    >Is there a way to put permissions on a script so root cannot run it but
    >another user can? I have tried all combinations but root can always
    >still run it.


    Put a check inside the script (see the "id" command) that makes it print an
    error and exit if run by root.
    --
    Mark Rafn dagon@dagon.net

  6. Re: disallowing root to run a script



    Mark Rafn wrote:
    > wrote:
    > >This may sound silly, but I have a script that should be run as another
    > >user.

    >
    > Meaning set-uid? Or just that it should be run as any user but root?
    >
    > >And I don't want people logging into the box as root and running
    > >it accidentally.

    >
    > If you have people logging in as root and accidentally running things, you're
    > in for trouble.
    >
    > >Is there a way to put permissions on a script so root cannot run it but
    > >another user can? I have tried all combinations but root can always
    > >still run it.

    >
    > Put a check inside the script (see the "id" command) that makes it print an
    > error and exit if run by root.
    > --
    > Mark Rafn dagon@dagon.net


    Thanks for the suggestions. I will look at modifying the script to
    return the message if run as root and also to put a chown command in
    there somewhere to set proper file ownership. On another note, with
    setuid, I always thought it lets a user run a script with root
    permissions as though root is running it, is there an opposite, i.e. if
    root runs the script, then it will be executed as though the other user
    runs it?
    One of the problems is that when the script is run as root, it creates
    files which are naturally owned by root, then deletes them. When the
    script is run by the user it is supposed to be run as, there is a
    permissions error when the script runs.


  7. Re: disallowing root to run a script

    wrote:
    >On another note, with setuid, I always thought it lets a user run a script
    >with root permissions as though root is running it,


    That's the most common use (except it doesn't work on most scripts; it works
    only on binaries or scripts whose processor directly supports suid usage; perl
    is the only common one I know that does this).

    However what it really does is to make the process run as if the owner of the
    program had run it. That owner does not have to be root.

    >root runs the script, then it will be executed as though the other user
    >runs it?


    Yup, if it's owned by "apache" and suid (and a program, not a shell script),
    then it will execute as "apache" even if it's root who starts it.

    >One of the problems is that when the script is run as root, it creates
    >files which are naturally owned by root, then deletes them. When the
    >script is run by the user it is supposed to be run as, there is a
    >permissions error when the script runs.


    One good way to handle this is to write the program such that it doesn't
    matter who's running it. Create a unique temporary directory for tempfiles,
    so multiple invocations won't step on each other. User-specific files go in
    $HOME, so multiple users won't step on each other. Shared files should
    be created with appropriate permissions so that it doesn't matter who owns them.
    --
    Mark Rafn dagon@dagon.net

  8. Re: disallowing root to run a script

    Simple enough-

    Set this:
    USERID=`who am i | cut -d" " -f1`

    Then, this, at the head of your script(s).
    if [ "$USERID" = "root" ]
    then
        echo "\n"
        echo "You can not run this script as 'root'."
        echo "\n"
        exit
    fi


  9. Re: disallowing root to run a script

    Knox@XPD8 wrote:
    >
    > Simple enough-
    >
    > Set this:
    > USERID=`who am i | cut -d" " -f1`
    >
    > Then, this, at the head of your script(s).
    > if [ "$USERID" = "root" ]
    > then
    > echo "\n"
    > echo "You can not run this script as 'root'."
    > echo "\n"
    > exit
    > fi


    Root is not always the only UID with 0. Better
    to use "id -u", store that into a variable, and
    compare numerically against 0.

    Even more fancy, bracket in some code that
    forbids interrupting out.


  10. Re: disallowing root to run a script

    Good point, and thank you Doug. When I was just 'babbling' the code,
    did not take into account that root is not always the 1st (or 0) user
    id.


  11. Re: disallowing root to run a script

    On 2005-07-07, Doug Freyburger wrote:
    > Knox@XPD8 wrote:
    >>
    >> Simple enough-
    >>
    >> Set this:
    >> USERID=`who am i | cut -d" " -f1`
    >>
    >> Then, this, at the head of your script(s).
    >> if [ "$USERID" = "root" ]
    >> then
    >> echo "\n"
    >> echo "You can not run this script as 'root'."
    >> echo "\n"
    >> exit
    >> fi

    >
    > Root is not always the only UID with 0. Better
    > to use "id -u", store that into a variable, and
    > compare numerically against 0.


    Any user with UID == 0 is, to all intents and purposes, root.

    The result of "id -u" will be the same for all of them (obviously,
    it is going to be 0).

    --
    Chris F.A. Johnson
    ================================================== ================
    Shell Scripting Recipes: A Problem-Solution Approach, 2005, Apress
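
The checks discussed in this thread, as an added example that is not code from any of the posts: a name-based test next to the numeric uid test, plus the per-run temporary directory suggested for the file-ownership problem. The passwd lines, the account names `toor` and `batch`, and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: numeric uid-0 guard plus a private work directory.

# Constructed passwd-format sample: two accounts share uid 0.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
toor:x:0:0:alternate root:/root:/bin/sh
batch:x:1001:1001:batch job owner:/home/batch:/bin/sh'

# Name-based test, as in the "who am i" snippet: matches only the literal name.
name_check_blocks() {
    [ "$1" = "root" ]
}

# Numeric test: look up the account's uid (field 3) and compare against 0.
uid_check_blocks() {
    uid=$(printf '%s\n' "$SAMPLE_PASSWD" |
        awk -F: -v u="$1" '$1 == u { print $3 }')
    [ -n "$uid" ] && [ "$uid" -eq 0 ]
}

# Guard for a real script: with no argument it tests the caller's effective
# uid via "id -u"; the optional argument exists only so it can be tested.
# Typical use at the top of a script:  refuse_uid0 || exit 1
refuse_uid0() {
    uid=${1:-$(id -u)}
    if [ "$uid" -eq 0 ]; then
        echo "refusing to run with uid 0" >&2
        return 1
    fi
}

# Unique per-invocation directory (created mode 0700) so runs by different
# users never trip over leftover files owned by someone else.
# Typical use:  work=$(make_workdir) && trap 'rm -rf "$work"' EXIT
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/job.XXXXXX"
}

# Show where the two tests disagree on the constructed accounts.
for name in root toor batch; do
    if name_check_blocks "$name"; then n=blocked; else n=allowed; fi
    if uid_check_blocks "$name"; then u=blocked; else u=allowed; fi
    echo "$name: name check=$n, uid check=$u"
done
```

The guard stops accidental runs only; as noted earlier in the thread, anyone with uid 0 can edit or bypass a check that lives inside the script.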

