I need to execute a command which is needed to run as root.
I read some post about using hard-coded passwords in scripts could be insecure, but actually I don't care because I'm providing root password to users anyway. It's an stripped system and there's only 2 users: client and root, so avoid warning me about security issues, Go ahead and give a quick and dirty solution.
For this bash script I need to
get as superuser using su,
then "my command",
and then logout.
I don't want the terminal prompt to type the password myself, instead read the password that I'm providing somewhere in script and run the command. It's a priority to not prompt any input by user.
Alternatively, maybe I could install sudo, but is there any chance to run a command without any prompt of password (editing sudoers or something)?
What about of using expect?
Update: I forgot to say that is also a portable SO, used for USB sticks (maybe later for CDLive too), as you know, in some distros of this kind is provided a root password if users needed. The command mentioned before is a package extensions for some application install, and only root have privilegies to execute such command (I have to say it's not a apt-get install or rpm command, so don't worry about this).
If you want a command to be runnable with no password, set that specific command as runnable with no password in your /etc/sudoers file (limiting the arguments to only the specific ones you wish to allow, if your use case allows that limitation).
This is as simple as setting the NOPASSWD: flag for the relevant sudoers entry.
If you really, really don't care about security, it could be as simple as this:
%admin ALL=(ALL) NOPASSWD: ALL
(after putting sudo-capable users in the admin UNIX group)
...or, if you did care, you could do something specific:
someuser ALL = NOPASSWD: /usr/local/sbin/my_admin_command
Note that if these commands will be run with no user present, they also may not have a TTY assigned; in such a case, you must be sure that your sudoers file doesn't contain the (oft-present-by-default) line:
Defaults requiretty
...or that the effect of this default is being specifically discarded by the line granting permissions.
Related
In Linux, need to write a shell script which can be ran as other users (via doas permissions for this one script), but I need to know in the script who ran it originally. How would I go about doing this?
From the man page
By default, a new environment is created. The variables HOME, LOGNAME, PATH, SHELL, and USER and the umask(2) are set to values appropriate for the target user. DOAS_USER is set to the name of the user executing doas.
So use $DOAS_USER to get the original username.
Original problem: on my MacBook Pro, the video camera keeps freezing. Found the solution is to type
sudo killall VDCAssistant
in a terminal, and provide my password (I have admin privileges).
Now I would like to make this a single command (that doesn't need a password). I found that it is possible to use visudo to edit a file that tells sudo what commands might be run without requiring a password. Obviously it would be too dangerous to make killall itself "password free", so I was hoping I could wrap the specific command inside another script; make that script "password free"; and get on with my life. So here is what I did:
Create a file called video, which contains
!#/bin/bash
sudo killall VDCAssistant
Put it in /usr/local/bin, give permissions chmod 700 video, and rehash. When I type video, I get prompted for my password. So far so good.
Next, I ran visudo and added the lines
User_Alias USERS = myusername
CMND_Alias CMDS = /usr/local/bin/video
USERS ALL = (ALL) NOPASSWD: CMDS
But that doesn't have the desired effect. I am still prompted for the password. If I make root the owner of the script, it doesn't change things. If I leave out the sudo part of the command, it tells me "No matching processes belonging to you were found".
Does anyone have a trick that I missed - how do I achieve my goal (using a single-word command to perform the killall for a process I do not own, without having to type my password)?
I have read the answers to how to run script as another user without password but could not find anything that applied here; I also read the answers to sudo with password in one command line - that is where the inspiration to use visudo came from - but again it didn't give me the answer I was looking for. Obviously I can't save my password in plain text, and I don't want to remove the "normal" protections from killall.
Is there a way to do this?
If you have an actual binary executable, you can set the setuid bit on it using chmod 4755, and then the binary will always execute as whichever user owns it (most useful if it is root, obviously). However, this doesn't work on shell scripts, for security reasons. I'm not 100% sure that this is the case, but it is possible that visudo may also be ignoring shell scripts for the same reasons.
If you've got Xcode installed, though, you can build an actual binary program to run the killall command, and then you can set the setuid bit on it. This Swift program should do the trick:
import Foundation
guard setuid(0) == 0 else {
print("Couldn't set UID 0: error \(errno)")
exit(-1)
}
let killall = Process()
killall.launchPath = "/usr/bin/killall"
killall.arguments = ["VDCAssistant"]
killall.launch()
killall.waitUntilExit()
Save the above in a text file called video.swift. Run the following command:
swiftc video.swift -framework Foundation
This will create a file called video in that directory. Move the file to /usr/local/bin, change the owner to root and setuid that sucker:
mv video /usr/local/bin
sudo chown root:wheel /usr/local/bin/video
sudo chmod 4755 /usr/local/bin/video
Now it should work.
If you want to get fancier, it would probably also be possible to rig up a plist in /Library/LaunchDaemons and get launchd to automatically kill the process every so often.
I'm a total bash noob but try checking this answer, the problem here might be with your sudoers file. I tried replicating your problem and encountered the same behaviour, with this answer I was able to make it work. I can't say anything about safety of this solution. To sum up:
I've created a file called video while logged in as root with following contents:
#!/bin/bash
sudo killall VDCAssistant
set it's permissions chmod 700 video and rehashed
using visudo I've added a following line mysuername ALL=NOPASSWD:ALL below the line %sudo ALL=(ALL:ALL) ALL since myusername is a member of group sudo
sudo video runs the script and kills the process
by adding alias VIDEO 'sudo video' to your .cshrc file, you can make this a true "one word command"
The answer by Charles Srstka solved my immediate problem; subsequent clarifications by #mspaint showed that the script-based answer could in fact also be made to work. I then discovered a nice additional touch that I wanted to share for anyone that runs into this problem. This is "how do you make the whole process seamless".
1) "Hide" the killall command in a script:
Create a text file with the following lines:
#!/bin/bash
sudo killall VDCAssistant
and save it to /usr/local/bin/restartVideo.sh
Change the permissions: chmod 700 restartVideo.sh so only you can run it.
2) make the restartVideo.sh script password-free for use with sudo
Next we need to edit the sudoers file so there is no need to prompt for the password when running the above script. The editing is done by sudo visudo - this edits a copy of the file in vim, and checks it for errors before overwriting the original. Add the following lines to the file:
# my user can run the restartVideo.sh command with sudo without password:
User_Alias ME = myUserName
Cmnd_Alias VIDEO = /usr/local/bin/restartVideo.sh
ME ALL = (ALL) NOPASSWD: VIDEO
This last line actually means "user 'ME' (defined with the User_Alias command), from 'ALL' terminals, and executing as any member of '(ALL)', can without password (NOPASSWD:) execute all commands defined by VIDEO. Save the file - make sure there are no errors / warnings! N.B.: in my original question it appears I had used CMND_Alias instead of Cmnd_Alias; that must have generated a warning that I overlooked ... and it may be the reason my original approach wasn't working (???).
3) Create a Service to invoke the script
For this I turned to the Mac Automator application - in particular, I created a new Service.
Search for the actions that have "run" in their title, and pick "Run shell script":
Using the default shell, run the command sudo /usr/local/bin/restartVideo.sh, taking no inputs. Make the command available to any application.
Finally - save the script as "Restart video".
And by miracle, you get the following menu item (showing it here for Skype):
Now you can just select that menu item, and your camera comes back to life.
Cannot create a useful script for scheduling the macports update and upgrade weekly e.g..
I tried a tiny script here:
on run {input, parameters}
do shell script "sudo /opt/local/bin/port selfupdate && sudo /opt/local/bin/port upgrade outdated && sudo /opt/local/bin/port clean --all installed" user name "<username>" password "<password>" with administrator privileges
return input
end run
And put this into Automator
Then as it running, the window will be frozen and if anything returns during the run, it shows as an exception message.
Can you write a useful script to get things done?
Thanks for help!
I think you are better off looking into the cron utility, that nowadays must be explicitly enabled. For all what I know, you can also get hold of a utility named Cronnix, to set it up. Your other alternative is to use Launchctl, here there is a friendly user interface named Lingon, that you can buy from the appstore.
There will always be an error log from updating MacPorts, that you should really read. The other thing is that when some packages gets deprecated, or some conflict occurs, then the update command really will require you to interact, by moving stuff aside, so the approach of using something to update Macports isn't as favourable as it may seem.
How about creating a recurring calendar event reminding you to do it? :)
If you are really tenacious about getting this to work, then you'll have to use the do shell script with administrator privileges, and if you don't like the dialog with password, and username, then you can hardcode those into your automator action. You'll then have to let go of sudo, since the ´with administrator privileges` does that for you.
do shell script "your shell script without sudo" user name "hardcodedusername" password "hardcodedpassword" with administrator privileges
I have crontab running a shell script periodically. I need the script to run in the same environment that I usually log in. Can I just simply add this line in 2nd line of the script (after shebang).
source /home/<my username>/.cshrc
Or what's the proper way to set the cron shell process to use my login environment?
PS: I am quite sure which exactly setting is needed by my script, so I can only source the whole .cshrc.
Try something like that:
sudo su - <user> -c <cmd>
Of course you have to alter the sudoers file first.
Take a look at the man page.
hth
I'm trying to help someone with their Debian server.
They have Plesk. I made myself an user with Plesk and enabled SSH access.
I can log on ... but only for one second. I see the MOTD, I see a Debian disclaimer, then I'm logged out again. "Connection closed".
The only thing I could think to try is to change the shell settings, Plesk has a dropdown list of bash, csh, tcsh and so on next to the "allow ssh using:" option. But none of them works.
Any ideas gratefully received.
The way I fixed this problem is, unfortunately, to manually change the last parameter in /etc/passwd for users I want to give shell access. It is /bin/bash instead of /bin/false.
Plesk can get a bit quirky sometimes...
That behavior is similar to the one you get when a user account has a 'nologin' shell selected on the Plesk config. I would do some things:
Connect using ssh with the verbose option activated (ssh -v user#host) so you can get more detail.
Check the /etc/passwd file, look for your user and check that, the final field on that line, is pointing to a valid shell (something like /bin/bash instead of /bin/nologin or /bin/false).
Check also in that line that the home directory for that user ( that's configured on the field before of the shell ), is valid, exists, and has proper permissions and owner
Finally, check your logs (in /var/log; I think I would check syslog, messages and user), so maybe you can get any meaningful message.
When a user logs on, the shell takes them to their user directory and possibly runs a "startup" script.
Is the user directory on the local machine? Does it have to be mounted from a fileshare (this has happened to me on more than one occasion)? If that fileshare is not mounted you will get disconnected.
Take a look at the startup scripts for those shells. Bash uses various startup scripts depending on the circumstance, these include /etc/profile and ~/.bashrc. These scripts sometimes do wacky things that may disconnect you for any number of reasons.