
Auto start of a shell script implementing sudo

On XFCE, how can auto run in Session & Start be made to work for a shell script that uses sudo, as required by an executable?

The executable requires root privilege to correctly accomplish the job, and the need is to implement as auto start in such
Any idea of the correct solution?

Re: Auto start of a shell script implementing sudo

Reply #1
Just set your sudo permissions to not require a password for the specific programs you need sudo for in this script?

Re: Auto start of a shell script implementing sudo

Reply #2
How?

Re: Auto start of a shell script implementing sudo

Reply #3
Edit /etc/sudoers via the visudo command. But this is the least secure solution.

But your task can be accomplished easier. Just add your startup script as a service (or rather one-shot init script) using your init system of choice. Those startup scripts run with root privileges by default. In this case, your script will be executed before you log into XFCE, of course. This solution is quite secure.

Another solution, put your script somewhere into /bin, chown it to root and set the setuid flag for the file. It will be executed with root privileges. This is a less secure solution, though, but the easiest one.

The third variant, think about the reason why you need root privileges for a startup script in your DE and try to accomplish the task without escalating privileges. Make your script work with files owned by your unprivileged user. This is the most secure variant.

Re: Auto start of a shell script implementing sudo

Reply #4
What @VictorBrand said, although setuid shell scripts haven't worked for many years. Put an entry in /etc/sudoers (with visudo) like this:
Code:
mardiyah ALL=NOPASSWD: /usr/local/bin/script.sh
Depending on your setup, you might be able to make it work with pkexec.
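
Added example, not part of any post in this thread: a NOPASSWD entry like the one in Reply #4 is only as safe as the file it names, because anyone who can modify that script, or replace it through a writable directory, gets root without a password. The sketch below audits a path before it goes into /etc/sudoers; it assumes Linux with GNU coreutils `stat`, and the function names and messages are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux with GNU coreutils stat.
# Function names and messages are hypothetical.

# perms_ok PATH UID: succeed only if PATH is owned by UID and is not
# writable by group or other.
perms_ok() {
    info=$(stat -c '%u %a' "$1") || return 1
    uid=${info% *}
    mode=${info#* }
    if [ "$uid" != "$2" ]; then
        echo "FAIL: $1 is owned by uid $uid, expected $2"
        return 1
    fi
    # %a prints the octal mode; 020 is group-write, 002 is other-write.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL: $1 (mode $mode) is writable by group or other"
        return 1
    fi
}

# check_sudo_target PATH [UID]: audit a command path before listing it with
# NOPASSWD. UID defaults to 0 (root); the parameter exists so the check can
# be exercised without root. Only the file and its directory are inspected.
check_sudo_target() {
    target=$1
    owner=${2:-0}
    case $target in
        /*) ;;
        *) echo "FAIL: sudoers command paths must be absolute"; return 1 ;;
    esac
    if [ -L "$target" ] || [ ! -f "$target" ]; then
        echo "FAIL: $target is not a regular file"
        return 1
    fi
    perms_ok "$target" "$owner" || return 1
    # Whoever can write the directory can replace the file itself.
    perms_ok "$(dirname "$target")" "$owner" || return 1
    echo "OK: $target"
}

# Example: sh check.sh /usr/local/bin/script.sh
if [ "$#" -gt 0 ]; then
    check_sudo_target "$@"
fi
```

After editing with visudo, `visudo -c` checks the sudoers syntax.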

Re: Auto start of a shell script implementing sudo

Reply #5
For OpenRC, the README explains:
Code:
/etc/local.d/README
$ cat /etc/local.d/test1.start
#!/bin/bash
(command to be run as root) &
exit 0
You might not want the & or exit 0, that's only an example. You should make it executable with chmod. You could include a time delay in a script or wait by looping over a sleep until some file or service exists if it has to run after something else, like when the desktop has started.

Code:
/usr/local/bin$ sudo chmod a+xs myscript
/usr/local/bin$ cat myscript
#!/bin/bash
sudo ls -a /root
setuid works, but only on the script, not on binaries called by the script, so with sudo it works in the above test but not without, on my system anyway. I expect that behaviour can be configured somewhere. Usually setuid is discouraged if another method can be used instead, as it can potentially be exploited, I've read. However, there are several red entries in my /bin from official packages, so it must still have its uses.


Re: Auto start of a shell script implementing sudo

Reply #7
 ;D
suid doesn't work if you mount a filesystem with the nosuid mount option. I think there was some talk of getting rid of it a few years ago but I expect some of the vulnerabilities were mitigated instead.

Re: Auto start of a shell script implementing sudo

Reply #8
Quote: suid doesn't work if you mount a filesystem with the nosuid mount option.
Yeah, that's obvious. But the filesystem where /bin is located cannot be mounted with the nosuid option for obvious reasons as well :)

Quote: I think there was some talk of getting rid of it a few years ago but I expect some of the vulnerabilities were mitigated instead.
It's hard to imagine how we can get rid of the setuid flag. How would you change your password as a nonprivileged user in that case, for example? Setuid has been present in UNIX since the early 1970s, and it belongs to the core principles of its architecture. But yes, this is a potential vulnerability, and setuid executables should be used as sparingly as possible.

 

Re: Auto start of a shell script implementing sudo

Reply #9
https://stackoverflow.com/questions/60821695/why-many-linux-distros-use-setuid-instead-of-capabilities
Searching for the term: setuid setcap
brings up lots of results about this. The "modern" way, although it has been around a long while now, is to use setcap capabilities instead, which offer a more fine-grained permission control system and prevent a lot of the potential setuid exploits, but it hasn't been universally adopted. I'd read a bit about this before but not given it much thought lately, hence checking to see if setuid still worked or if it had gone without me noticing!  :D