
I want to execute a script that requires root privileges without entering a password. There are similar questions/answers, but none seems to work for me.

I placed my script in /home/kf/bin (I added the bin dir myself) and included this directory in my path so I can run it from everywhere.

The script: trim.sh:

#! /bin/sh
sudo fstrim -v /

I changed the ownership of the script to root:

sudo chown root:root /home/kf/bin/trim.sh

and made it executable

sudo chmod 700 /home/kf/bin/trim.sh

next I added a line to my sudoers file with visudo:

kf   ALL=(ALL) NOPASSWD: /home/kf/bin/trim.sh

When I log in again and execute the script with trim I still need to enter my password. I know I can make a cron job for this, but I also want to be able to execute the script manually without entering my password. Any help appreciated.

edit:

My sudoers file looks like this:

Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

root    ALL=(ALL:ALL) ALL
kf   ALL=(ALL) NOPASSWD: /home/kf/bin/trim.sh

%admin ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL

2 Answers


Change the line in the sudoers file to:

kf   ALL=(ALL) NOPASSWD: /sbin/fstrim

I don't recommend adding the script to /etc/sudoers, because the script can be altered and every command (the whole script) would then be executed with root privileges.

chaos
  • well, that is not true because the file is owned by root so you can't edit it unless you know the password... that's why I changed the ownership to root. – kasper Taeymans Aug 25 '15 at 11:08
    @kasperTaeymans That won't help. anyone can simply remove the script and replace with another one. – Jacob Vlijm Aug 25 '15 at 11:09
  • @kasperTaeymans True, didn't see that in the question. But, anyway: only use root privileges when they are needed. They are only needed for the fstrim command. – chaos Aug 25 '15 at 11:10
  • I quite agree with the fact that the script should be in a "safe" location, but then the /etc/crontab is also ok. Edit: Ah, I see your point now :) – Jacob Vlijm Aug 25 '15 at 11:10
  • @kasperTaeymans What Jacob Vlijm said is extremely correct: every file (even if owned by root) can be removed from the owner of the folder which contains it. You should move your script elsewhere – kos Aug 25 '15 at 11:14
  • yes, it can be removed but it can't be edited or replaced with the same privileges so it's safe right? the reason why I want the script in my home folder (=different HDD) is because I want to keep it when I need to reinstall my root partition (is on different SDD). – kasper Taeymans Aug 25 '15 at 11:27
  • please see the first answer of the following question: http://askubuntu.com/questions/155791/how-do-i-sudo-a-command-in-a-script-without-being-asked-for-a-password – kasper Taeymans Aug 25 '15 at 11:29
  • @kasperTaeymans I understand the discussion, but what is the problem when you are the owner of the script and you use the sudoers line as in my answer? You have no problems with permissions, separate partitions and changes in the script. – chaos Aug 25 '15 at 11:30
  • @kasperTaeymans of course it is up to you, but the permissions do not matter so much: if you run it with sudo, a replacement script from the user can still do anything. It is not safe. – Jacob Vlijm Aug 25 '15 at 11:33
  • Ok, I accepted the answer. This works for binaries in the root partition. So there is no safe way to have binaries/scripts with root privileges which reside in /home? – kasper Taeymans Aug 25 '15 at 11:43
  • @kasperTaeymans I would say there isn't. – Jacob Vlijm Aug 25 '15 at 11:46
  • @kasperTaeymans Consider the following: You have an entry in the sudoers file pointing to a script/binary in a home dir. The person who the home belongs to then could replace the script/binary with a shell (let's say a bash binary). According to the sudoers file he could then execute the bash binary with root privileges, and therefore can do everything on the system. Since the owner of the folder can change permissions on files inside that directory he can also replace that by a bash binary. – chaos Aug 25 '15 at 11:54
  • @chaos: yes I understand that. I was trying this because I want my custom scripts/binaries stored in my home folder (mounted from another drive) in case I need to reinstall the root partition. This way I don't lose all my scripts when something goes wrong with root. I guess I better mount /usr/bin from a separate drive and store my scripts with root privileges there. – kasper Taeymans Aug 25 '15 at 12:05
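The sudoers fragment from the question, tightened along the lines of the accepted answer. This is an added example, not part of the thread: it keeps the NOPASSWD target on the root filesystem where only root can touch it, pins the argument list so kf can run exactly `fstrim -v /` and nothing else, and places the rule after the group rules. The last point matters because sudo applies the last matching entry: if kf is a member of the sudo group, a later `%sudo ALL=(ALL:ALL) ALL` line re-imposes the password prompt even though an earlier line said NOPASSWD. With this in place trim.sh can stay in /home/kf/bin and be run without sudo; only the fstrim line inside it is privileged.

```sudoers
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL

# Keep this rule after the group rules above: sudo uses the last matching
# entry, so a later "%sudo ALL" line would override NOPASSWD for kf.
# Path and arguments are pinned; "sudo fstrim -v /home" would still prompt.
kf      ALL=(root) NOPASSWD: /sbin/fstrim -v /
```

Edit it with `visudo` so the syntax is checked before the file is saved, then confirm the effective rules as kf with `sudo -l`; the NOPASSWD entry should be listed last.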

What you're looking for is the setuid bit: it allows users to execute a program with the permissions of its owner.

/!\ Be careful with it: it's often a bad solution because of the security problems it exposes.