I wrote a small bash script to test suid permission
$ cat phone.sh
#!/bin/sh
echo "abc" >> out.txt
$ ls -l out.txt phone.sh
-rw-r--r-- root wzj ... out.txt
-rwsr-xr-x root wzj ... phone.sh
$ ./phone.sh
./phone.sh: 2: cannot create out.txt: Permission denied
why? I thought I already set the suid permission , so i can run the phone.sh with root privilege to modify the out.txt file , but i just failed. Can anybody tell me where i did wrong please?
Most *nix OSes don't allow scripts to utilize SUID. Check out Vidar's blog entry on the subject. Perl scripts can use SUID, but as Vidar explains, it's due to how Perl is implemented. It appears Bash scripts simply won't run with SUID. Sorry I don't have a more useful answer for you, it looks like this is just "how things are".
Related
I am running a bash script and these commands in the script will not work without sudo in front of them. The script.sh is located in a folder such as /jobs/script.sh
Example of commands I am trying to run in the script.sh -
mv /var/app/myapp /var/app/myapp.old
rm file.tar.gz
tar -xzf /home/ubuntu/file.tar.gz -C /var/app/
All the above work if I add sudo in front of them.
I am trying to figure out what permissions are required for them to work without adding sudo in the script.
I have tried giving the script.sh rwx permissions and changing owner to root.
I'm learning permissions in linux, so I'm new to this. Basically what permission should the script.sh have so that I dont have to use sudo in the bash file? Any insight would greatly help.
When you run sudo <some command>, then <some command> is run by the root user (Super user do). The reason you might need to run any command using sudo is because the permissions on the files that command reads/writes/executes are such that only the "Super user" (root) has that permission.
When executing the command mv fileA fileB, the executing user would need:
Write permission to fileB if fileB already existed
Write permission to the directory containing fileB
From what you said it’s most likely you want read and write permissions you can achieve this with chmod
Chmod +[permission] filename
(+ is used to add permission you can also use - instead to remove it)
Where permissions can be:
r —> read
w—> write
x —>excecute
... and more
FOR EXAMPLE: it seems you write permissions for the first file so :
chmod +w /var/app/myapp
Will fix problem
I've created a simple bash script that grabs some data and then outputs it to a log file. When I run the script without sudo it fails to write to the logs and says they are write-protected. It then ask me if it should unwrite-protect them, but this fails (permission denied).
If I run the script as sudo it appears to work without issue. How can I set these log file to be available to the script?
cd /home/pi/scripts/powermonitor/
python /home/pi/powermonitor/plugpower.py > plug.log
echo -e "$(sed '1d' /home/pi/scripts/powermonitor/plug.log)\n" > plug.log
sed 's/^.\{139\}//' plug.log > plug1.log
rm plug.log
grep -o -E '[0-9]+' plug1.log > plug.log
rm plug1.log
sed -n '1p' plug.log > plug1.log
rm plug.log
perl -pe '
I was being dumb. I just needed to set the write permissions on the log files.
The ability to write a file depends on the file permissions that have been assigned to that file or, if the file does not exist but you want to create a new file, then the permissions on the directory in which you want to write the file. If you use sudo, then you are temporarily becoming the root user, and the root user can read/write/execute any file at all without restriction.
If you run your script first using sudo and the script ends up creating a file, that file is probably going to be owned by the root user and will not be writable by your typical user. If you run your script without using sudo, then it's going to run under the username you used to connect to the machine and that user will need to have permission to write the log files.
You can change the ownership and permissions of directories and files by using the chown, chmod, chgrp commands. If you want to always run your script as sudo, then you don't have much to worry about. If you want to run these commands without sudo, that means you're running them as some other user and you will need to grant write permission to that user, whoever it is, in order to write the files/folders where the log files get written.
For instance, if I wanted to run the script as user sneakyimp and wanted the files written to /home/sneakyimp/logs/ then I'd need to make sure that directory was writable by sneakyimp:
sudo chown -R sneakyimp:sneakyimp /home/sneakyimp/logs
This command changes ownership of that directory and its contents to the user sneakyimp. You might also need to run some chmod commands to make sure they are writable by owner.
I want to allow users to execute a bash script that contains sensitive data. Thus, I don't want them to have reading permissions. A 'direct' solution seems to be impossible, but I may have found a workaround in the expect man page:
Create the Expect script (that contains the secret data) as usual.
Make its permissions be 750 (-rwxr-x---) and owned by a trusted group,
i.e., a group which is allowed to read it. If necessary, create a new
group for this purpose. Next, create a /bin/sh script with permissions
2751 (-rwxr-s--x) owned by the same group as before.
I've tried to replicate this as follows:
In a folder, I have two scripts:
script.sh:
#!/bin/sh
echo "targetscript echo"
runscript.sh:
#!/bin/sh
echo "runscript echo"
groups
./script.sh
I gave them the rights as suggested in the man page:
groupadd scriptrunner
chown {myusername}:scriptrunner runscript.sh
chmod 2751 runscript.sh
chown root:scriptrunner script.sh
chmod 750 script.sh
The output of ls -l appears to be alright:
-rwxr-s--x. 1 {myusername} scriptrunner 51 Aug 25 13:04 runscript.sh
-rwxr-x---. 1 root scriptrunner 35 Aug 25 13:01 script.sh
However, when I run ./runscript.sh without root, I get the following error:
runscript echo
{myusername} wheel
./runscript.sh: line 4: ./script.sh: Permission denied
I don't know what went wrong. Can anyone help me?
I'll go back to the root problem as I think it's easier to solve without the expect hack.
So, what you need is having the execute permission on your script but not the reading permission. That is only possible for binaries (i.e. not interpreted scripts)- see details here https://unix.stackexchange.com/questions/34202/can-a-script-be-executable-but-not-readable
So maybe you'll be better off by first compiling your bash script into a binary (with shc - see here https://unix.stackexchange.com/questions/64762/how-to-convert-a-shell-script-into-a-binary-executable) and then set the execute only permission on the binary. Afterwards your users should be able to execute (but not read) the binary.
I have a minor complex command using a pipe
python3 wlan.py -p taken | awk '{$10 = sprintf( "%.1f", $10 / 60); print $4 $6 $8 $10 ",min"}' | awk '{gsub(/,/," ");print}' >> /tmp/missed.log
and I get a permission error if this command is executed from a program but not from the command line (sudo). So, obviously there is an issue with the rights of the program. I have set the rights of python and awk to 777 to no avail. But the main question is: What are the rights of the >> command and how can I change them?
the error message is "writing missed.log - permission denied".
File access in a Unix-like environment is tied to who you are, not what programs you run.* When you run sudo python3 ..., you are changing who you are to a more privileged user for the duration of the python3 command. Once Python stops running, you are back to your normal self. Imagine that sudo is Clark Kent taking off his glasses and putting on his cape. Once the badguys have been defeated, Superman goes back to an ordinary Joe.
Your error message indicates your normal user account does not have the necessary permissions to access / and /tmp, and to write /tmp/missed.log. The permissions on wlan.py and /usr/bin/python3 aren't the issue here. I can think of four options (best to worst):
Put the output file somewhere other than in /tmp. You should always be able to write your home directory, so you should be able to run without sudo, with > ~/missed.log instead of > /tmp/missed.log.
When you run your pipeline "from a program," as you said, just include the sudo as if you were running it from the command line. That way you get consistent results.
Add yourself to the group owning /tmp. Do stat -c '%G' /tmp. That will tell you which group owns /tmp. Then, if that group is not root, do usermod -a -G <that group name> <your username>.
Change the permissions on /tmp. This is the bludgeon: possible, but not recommended. sudo rm -f /tmp/missed.log and sudo chmod o+rwx /tmp should make it work, but may open other vulnerabilities you don't want.
* Ignoring setuid, which doesn't seem to be the case here.
I was trying the below program,
This is a simple script, to cd into a folder
#! /bin/bash
cd /root/
But this below command , doesnt get into the folder
EDITED
#!/bin/bash
alias ex="cd /fs/fm"
alias ex1="source setenv"
alias ex2="cd /fs/fm/tests"
alias ex3="runtest"
To get into /root/ you should make sure that you have permissions. It's accessible if you're running as root itself but if you're running as a normal user you should consider becoming root first. One way is to use sudo:
sudo bash script.sh
And again, make sure your script is in UNIX format. Certainly you can't change to /root/\r.
sed -i 's|\r||' script.sh
dos2unix script.sh
This will never work The script you're running is a separate process, when it finishes you get back to the original environment (cwd, enviroment variables, etc...).
Create an alias:
alias r="cd /root"
or execute the script within your shell:
. myscript
Note: . is a synonym for source.