running script with sudo permission

Support for security such as Firewalls and securing linux
Post Reply
knzzz
Posts: 149
Joined: 2017/02/25 12:41:42

running script with sudo permission

Post by knzzz » 2019/11/21 13:54:36

Hi All,

I want to run a script with sudo perimission to non admin user can any one assist on this

Regards
Kanna

User avatar
Errosion
Posts: 38
Joined: 2014/12/03 19:58:02

Re: running script with sudo permission

Post by Errosion » 2019/11/21 15:07:20

Just to clarify.

You want a non-admin user to be able to run a script utilizing sudo permissions?

knzzz
Posts: 149
Joined: 2017/02/25 12:41:42

Re: running script with sudo permission

Post by knzzz » 2019/11/21 23:53:52

Yes , provided with that sudo permission that non admin should run only that script with elevated access

User avatar
jlehtone
Posts: 3020
Joined: 2007/12/11 08:17:33
Location: Finland

Re: running script with sudo permission

Post by jlehtone » 2019/11/22 20:30:09

A sudo rule says:
* who can
* as which user
* run what command

Members of group wheel can impersonate anyone and run all possible commands.
You have to add a rule, where the only valid command is your script.

MartinR
Posts: 596
Joined: 2015/05/11 07:53:27
Location: UK

Re: running script with sudo permission

Post by MartinR » 2019/11/23 15:49:31

Best to have a read of sudoers(5) §Security Notes. There are a lot of pitfalls in allowing script to be run at elevated privilege and if you get it wrong then a knowledgeable user can escalate privileges all the way to root.

aks
Posts: 3020
Joined: 2014/09/20 11:22:14

Re: running script with sudo permission

Post by aks » 2019/11/25 18:42:29

Add an sudoers entry in /etc/sudoers.d/ and specify the script ONLY as the thing to allow (i.e.: the command).

kauer
Posts: 16
Joined: 2020/05/03 07:47:30

Re: running script with sudo permission

Post by kauer » 2020/05/03 08:48:00

The biggest pitfall of all is leaving the script so that non-root users can change it.

Make sure it is executable only by root. Make sure it is writeable only by root. Preferably make it READABLE only by root. Specify absolute paths to every executable used within the script. If the script takes parameters, sanitise them thoroughly. Check the enclosing directory's permissions too, to make sure no-one can delete and replace the script. If the script calls other scripts, make sure they are protected at least as well as the main script.

Then when you've done all that - don't let non-root users run the script :-)

Regards, K.

Post Reply

Return to “CentOS 8 - Security Support”