Ruby gem executable with SUID not working as it should - ruby

As you may see by the image below, I changed the ownership of my emerald_setup script to root:root and also set the SUID.
It happens that when I install the gem and check this script, it belongs to edvaldo:edvaldo (my user name) and has no SUID at all!
I don't know exactly what is happening, but this script makes changes to /etc/hosts and also creates some firewall rules. This requires root privileges.
So, my questions are:
What am I missing in this case of the SUID?
How must I proceed to make sure the gem executable will have the SUID set?
Of course I know I could ask the user to run this script using
$ sudo emerald_setup
but this would lead me to another problem, since the gem executable is installed in user space and its location is NOT in superuser's path and setting this (guess what?!) requires superuser privileges.
Any suggestions?

You cannot pack up a program/script with suid privileges in a gem (or even a tarball) and have those privileges be restored when unpacking as a regular user. At some point, whoever installs your gem is going to have to supply the password for root access. You could arrange for this to happen when the gem is installed by having the :install target of the gem Rakefile run a script which would prompt the user for su(do) password and then use sudo to run the commands that need to be run as root, though.

Related

How do i get rid of the sudo requirement?

I am using macOS Catalina and I often have to run my terminal stuff with sudo, otherwise they fail, like when I use Visual Studio and IONIC to add stuff to global or when it tries to create dir etc.
Is there a way to change the logged in user to run elevated commands in terminal without sudo?
You either continue using sudo or switch current user to root (it's not a recommended way).
The user account named "root" is a superuser with read and write
privileges to more areas of the system, including files in other macOS
user accounts. The root user is disabled by default. If you can log in
to your Mac with an administrator account, you can enable the root
user, then log in as the root user to complete your task.
The root user account is not intended for routine use. Its privileges
allow changes to files that are required by your Mac. To undo such
changes, you might need to reinstall your system software. You should
disable the root user after completing your task.
It's safer to use the sudo command in Terminal instead of enabling the
root user. To learn about sudo, open the Terminal app and enter man
sudo.
Taken from https://support.apple.com/en-us/HT204012

Meteor requires sudo to run

Previously I was able to start Meteor 0.6.6.3 by simply running mrt.
Recently, Meteor 0.7.0.1 won't run properly unless I run it as root with sudo mrt. Environmental variables like MONGO_URL require root to set them.
Any ideas what happened? I'm using Mountain Lion on Mac OSX.
You might have run it with sudo once before. When you run it with sudo just once and a file is written, the files become root files (root user files), so it needs more permissions to run and won't run ordinarily.
You might have run sudo mrt once; it must have updated files for a package, but they're now owned by root instead of your normal user.
I'm sure there's a terminal command to get it back, but using Disk Utility and running 'Repair Disk Permissions' can also fix it (I think).

sudoers file for rvmsudo passenger-install-apache2-module

BACKGROUND:
I have an application that is freshly deployed every day -- a VM is created, and then root for that system creates a "systemuser", which then installs the application.
It's running:
CentOS 6
RVM
Ruby 1.8.7 on Rails
passenger
The way it's set up, I have to have Ruby on Rails install itself, and install passenger. To this end the user running the service has sudo powers, but the intention is to only allow the commands needed during installation. For security and maintainability reasons we cannot put the sudo password in the script.
My /etc/sudoers includes:
systemuser ALL = NOPASSWD: /usr/bin/env, /bin/bash, /usr/local/rvm/rubies/ruby-1.8.7-p358/bin/gem, /bin/cp, /bin/ln, /bin/mv, /bin/rm, /etc/init.d/httpd *
THE PROBLEM:
Until recently a variant of this worked great. However recently something changed somewhere (?) and the rvmsudo command no longer executes without a password prompt.
$ rvmsudo passenger-install-apache2-module
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for systemuser:
THE QUESTION:
What is the minimal set of commands that should be in /etc/sudoers to install rvm, ruby, bundler/gem, and then passenger2 on apache?
Yes, I've read the "documentation" at https://rvm.io/integration/passenger/
Creative solutions welcomed! I realize one may say this looks like a pretty hacky system, and I'd agree with you. But at the moment it's hard for me to improve it without understanding what commands are being run by this passenger install script.
Removing "env" and "bash" from the front and adding "rvm" gets a little farther:
systemuser ALL = NOPASSWD: /usr/local/rvm/bin/rvmsudo, /usr/local/rvm/gems/ruby-1.8.7-p358/bin/passenger-install-apache2-module, /bin/cp, /bin/ln, /bin/mv, /bin/rm, /etc/init.d/httpd *
running this:
$ rvmsudo passenger-install-apache2-module
[sudo] password for systemuser:
Thanks for your attention!
/usr/bin/env is a router allowing you to run any command, and the same goes for /bin/bash; you would have to add which passenger-install-apache2-module instead of them.
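
An added example (not code from the question or the answer): a small Ruby audit that reports sudoers rules naming a command wrapper such as /usr/bin/env or a shell, which the answer above points out can run any command. The parser is deliberately simplified, and WRAPPERS, SAMPLE, Finding and audit_sudoers are names assumed for this illustration.

```ruby
# Simplified sudoers audit (not a full sudoers grammar).
# WRAPPERS is an assumed, extendable list of programs that execute whatever
# command they are given, so a rule naming one grants every command.
WRAPPERS = %w[env sh bash dash zsh ksh csh tcsh].freeze

# Constructed sample built from the two rules quoted in the question.
SAMPLE = <<~SUDOERS
  # deployment account
  systemuser ALL = NOPASSWD: /usr/bin/env, /bin/bash, \\
      /usr/local/rvm/rubies/ruby-1.8.7-p358/bin/gem, /bin/cp, /etc/init.d/httpd *
  systemuser ALL = NOPASSWD: /usr/local/rvm/bin/rvmsudo, /bin/rm
SUDOERS

Finding = Struct.new(:user, :command, :nopasswd)

def audit_sudoers(text)
  joined = text.gsub(/\\\r?\n\s*/, " ") # fold backslash-continued lines
  joined.each_line.flat_map do |raw|
    line = raw.sub(/#.*/, "").strip     # drop comments
    m = line.match(/\A(\S+)\s+\S+\s*=\s*(.+)\z/) # user host = spec
    next [] if m.nil? || m[1] =~ /\A(Defaults|\w+_Alias\z)/
    nopasswd = false                    # tags persist along the command list
    m[2].split(",").filter_map do |item|
      item = item.strip.sub(/\A\([^)]*\)\s*/, "") # drop a (runas) prefix
      while (tag = item[/\A([A-Z_]+):\s*/, 1])
        nopasswd = true if tag == "NOPASSWD"
        nopasswd = false if tag == "PASSWD"
        item = item.sub(/\A[A-Z_]+:\s*/, "")
      end
      path = item.split.first
      next unless path && WRAPPERS.include?(File.basename(path))
      Finding.new(m[1], path, nopasswd)
    end
  end
end

audit_sudoers(SAMPLE).each do |f|
  puts "#{f.user}: #{f.command} runs arbitrary commands" \
       "#{' without a password' if f.nopasswd}"
end
```

The second rule from the question, with env and bash removed, produces no findings from this check.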

Mac installer package - how to run scripts as root or admin? (postflight)

I have created the Mac Package in order to install some of my stuff. I have the postflight script that is supposed to copy over some data to /Library/Application Support/Apple/Mail/Stationery/Apple/Contents/Resources/Stationery/Contents/Resources/ - and for reasons mentioned in here: How can I build a Mac package on linux? (BOM file problem) it needs to be postflight script.
However it did not work (it was just downloading a zip file, unpacking it and cp to mentioned location). So I've checked the errors by adding 2> to cp and here's what happened:
cp: /Library/Application Support/Apple/Mail/Stationery/Apple/Contents/Resources/Stationery/Contents/Resources/: Permission denied
I've double-checked my Info.plist and it looks like the proper setting is preserved:
<key>IFPkgFlagAuthorizationAction</key>
<string>RootAuthorization</string>
But the script still doesn't have permissions. I've tried the "whoami" and it returned the currently logged in user. What's more curious, the installer is actually asking for admin authentication. You guys have any ideas what I should do to have this script running as root/admin/whoever with greater permissions?
The fact that the installer is bringing up the admin authentication alert means that the installer is already authenticated (presumably to install files into admin/root-only places).
If I remember correctly, in my own Postflight scripts, I added calls to sudo within the script to do admin/root privileged things. Try that approach and see if it works. I don't know if this is the "best practice" approach though (or maybe it is, since installers can be signed).
I think it's impossible in Lion. Installer of Lion launches scripts from current user.

Is it safe to run a ruby script using sudo?

I am running redmine on Ubuntu, and I am running it using sudo.
If I try to run as my redmine user, I get permission errors on the log file.
Is this safe? Should I be concerned?
You should be careful when running any sort of web application as root. Personally, I would not recommend it.
If permissions problems on the logfile are your only problems, the better solution would be to alter the permissions of the log files/folders. Make sure the log files belong to the user account that Redmine is running as (or have group write permissions and belong to the same group). You might have to use sudo to change those permissions, but it is much safer than running a web application as root.
Any time you run a script using sudo you should be concerned since in effect you are running the script as root. Therefore, to give an extreme example, if the script executes a command similar to rm -rf / you will wipe out the entire system... It's best not to use sudo to execute scripts unless you are completely aware of what the script is doing and any potentially tainted data that is consumed by it!
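
An added example (not from any of the posts): a Ruby check for the ownership problem described in the Meteor answer (files left owned by root after one sudo run) and for the log-file fix recommended in the Redmine answer above. It lists the entries an account cannot write, so their owner or group can be corrected instead of running the application as root. writable_by? and unwritable_entries are names assumed here, and ACLs and read-only mounts are ignored.

```ruby
require "find"

# Decide whether an account can write a file from its owner, group and mode,
# following the classic Unix permission check.
# Assumption: ACLs and read-only mounts are not considered.
def writable_by?(mode, file_uid, file_gid, uid, gids)
  return true if uid.zero?                          # root bypasses mode bits
  return (mode & 0o200) != 0 if uid == file_uid     # owner class wins, even if
                                                    # the group bits would allow
  return (mode & 0o020) != 0 if gids.include?(file_gid)
  (mode & 0o002) != 0                               # everyone else
end

# Walk +root+ and return [path, owner_uid, mode] for every entry that the
# account (uid, gids) could not write. Symlinks are skipped, not followed.
def unwritable_entries(root, uid, gids)
  out = []
  Find.find(root) do |path|
    st = File.lstat(path)
    next if st.symlink?
    next if writable_by?(st.mode, st.uid, st.gid, uid, gids)
    out << [path, st.uid, format("%04o", st.mode & 0o7777)]
  end
  out
end

# Hypothetical usage: ruby check_writable.rb /path/to/app/log
# Checks the directory against the account running this script.
if ARGV[0]
  unwritable_entries(ARGV[0], Process.euid, Process.groups).each do |path, owner, mode|
    puts "#{path}: owner uid #{owner}, mode #{mode}"
  end
end
```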
