
Suppose I have a directory /opt/expe and I want any user to create .txt files in it. I want any user to type something like this:

$ whoami
user1
$ export $file_name=my_txt_file
$ /opt/expe/create_file.sh
$ ls -cal /opt/expe
total 12
drwxr-xr-x 2 root  root 4096 Jul 29 19:27 .
drwxr-xr-x 6 root  root 4096 Jul 29 19:14 ..
-rwsr-sr-t 1 root  root   65 Jul 29 19:29 create_file.sh
-rw-r--r-- 1 user1 root    0 Jul 29 19:27 my_txt_file.txt

I tried this as a sudoer:

$ whoami
user_sudoer
$ cat /opt/expe/create_file.sh
touch /opt/expe/$file_name.txt
chown $USER /opt/expe/$file_name.txt
$ chmod a+x /opt/expe/create_file.sh
$ chmod a+t /opt/expe/create_file.sh
$ chmod a+s /opt/expe/create_file.sh
$ chmod a+X /opt/expe/create_file.sh

Then, as a non-root user, I obtained:

$ whoami
user1
$ export $file_name=my_txt_file
$ /opt/expe/create_file.sh
touch: cannot touch '/opt/expe/prueba_txt.txt': Permission denied

Can I do something like this? I want something like the Postgres SECURITY DEFINER concept.

1 Answer


I am not familiar enough with Postgres, but I see at least 4 options:

  1. Change the permissions of /opt/expe with chmod to allow all users to create files within this directory.

  2. Create a separate group for the users who need to write there and change the /opt/expe group permission with chmod to allow this group to write there.

  3. Create a separate group and add a sudoers rule to let them execute this script, as described for example here: How can user mount an encrypted file container in VeraCrypt?

  4. Use label security for fine-grained access control. Here is a brief description of security labels and some further links: https://unix.stackexchange.com/questions/53028/what-are-ext4-security-labels

Please bear in mind that the permission to create/remove files is a property of the directory and not the file itself.

Pawel Debski
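A hardened version of the script from the question, written for the answer's option 3 (a sudoers rule), as an added example that is not part of the question or the answer. It assumes the /opt/expe directory from the question; the group name and the sudoers line in the comments are hypothetical. It also reflects two facts behind the failed attempt above: the Linux kernel ignores the setuid bit on interpreted scripts, so chmod a+s on create_file.sh changes nothing, and under sudo $USER is root, so the owner has to come from SUDO_USER.

```shell
#!/bin/sh
# Added example, not the script from the question or the answer: a hardened
# create_file.sh meant to be run through a sudoers rule (the answer's option 3).
# Assumptions: the directory /opt/expe from the question; the group 'expe' and
# the sudoers line below are hypothetical.
#
#   %expe ALL=(root) NOPASSWD: /opt/expe/create_file.sh
#   $ sudo /opt/expe/create_file.sh my_txt_file
#
# The name comes in as an argument, not via $file_name: sudo's default
# env_reset drops the caller's environment variables. Because the script runs
# as root, the name must be validated before it is used in a path.

EXPE_DIR="${EXPE_DIR:-/opt/expe}"   # overridable so the functions can be tested

# Accept only short, plain names: letters, digits, '_' and '-'. Anything else
# (empty, '/', '..', spaces, shell metacharacters) is rejected.
validate_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# create_txt_file NAME: create $EXPE_DIR/NAME.txt owned by the sudo caller
# (or the current user when not under sudo). Fails if NAME is invalid or the
# file already exists.
create_txt_file() {
    name="$1"
    owner="${SUDO_USER:-$(id -un)}"
    validate_name "$name" || { echo "invalid file name: $name" >&2; return 1; }
    target="$EXPE_DIR/$name.txt"
    # noclobber redirection creates the file exclusively: an existing file, or a
    # symlink pointing at one, makes this fail instead of being truncated.
    ( set -C; : > "$target" ) 2>/dev/null || { echo "cannot create $target" >&2; return 1; }
    # chown needs root; under sudo that holds, otherwise the caller owns it already.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$target" || return 1
    fi
}

# Run only when executed as the script itself (not when sourced for testing).
if [ "${0##*/}" = "create_file.sh" ]; then
    create_txt_file "$1"
fi
```

The script itself must be owned by root and not writable by the group or others, since sudo runs whatever it contains as root.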
  • Options 1 & 2 are not what I ask. Option 4 is interesting but I didn't find an answer in it. Option 3 looks like what I need; I tried something but it doesn't work. Here is my refined question: https://askubuntu.com/q/941273/672702. I hope that's the way. If it was, option 3 is the path to the answer. I don't know yet. Thanks – Emilio Platzer Jul 30 '17 at 16:23
  • I see it's harder than I thought. Here is more info: https://es.stackoverflow.com/a/92856/184 – Emilio Platzer Aug 05 '17 at 12:51