
How can I let users run a script with root permissions?

Given the dangers of SUID shell scripts, is there a more secure way of giving passwordless access to scripts (bash, PHP) with root permissions in Linux?

(Ubuntu 8.10)


You could consider sudo.

Although not 'passwordless', it doesn't require the user to be given the root password. It can also provide an audit trail of use of the script.

edit: as per comment from Chris, there is an option not to require a password at all for certain commands, see here for details. It can also be set up not to prompt excessively for the password, i.e. one entry of the password can be good for multiple commands over a period of use.

By the way, sudo is built in to Ubuntu and nicely integrated with Gnome. When Ubuntu prompts you for your password to do privileged operations, that's sudo under the hood.

If you go the sudo route, be sure to read the "Preventing shell escapes" section of the sudoers man page.

I would recommend sudo. Be sure to tighten your sudoers file appropriately; and yes, you can allow some commands to be executed with no password being requested.

Configuring sudo to let normal users run shell scripts with elevated privileges isn't any better from a security standpoint than making the script suid root. All the pitfalls still exist. Instead you should write a proper program that does extensive security checks. Some points to consider:

  • Don't write it in C, you'll shoot yourself in both feet.
  • Check all inputs.
  • Drop privileges as soon as possible.
  • Keep it short.
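
The points in the answer above (check all inputs, drop privileges, keep it short), as an added example that is not part of the original answer: a small Python helper meant to be the single command a sudoers rule permits. The service names, the `/usr/sbin/service` path and the `nobody` account are assumptions for illustration.

```python
import os
import pwd
import subprocess
import sys

# Assumed for illustration: the privileged task is restarting one of these services.
ALLOWED_SERVICES = {"apache2", "mysql"}
SAFE_ENV = {"PATH": "/usr/sbin:/usr/bin:/sbin:/bin", "LANG": "C"}  # ignore caller's env


def validate_service(arg):
    """Return arg only if it exactly matches an allowlisted name."""
    if arg not in ALLOWED_SERVICES:
        raise ValueError("service not in allowlist")
    return arg


def build_command(service):
    """Fixed absolute path and an argument list: no shell ever parses user input."""
    return ["/usr/sbin/service", validate_service(service), "restart"]


def drop_privileges(username="nobody"):
    """Permanently give up root: supplementary groups first, then gid, then uid."""
    user = pwd.getpwnam(username)
    os.setgroups([])
    os.setgid(user.pw_gid)
    os.setuid(user.pw_uid)
    if os.getuid() == 0 or os.geteuid() == 0:
        raise RuntimeError("still root after dropping privileges")


def main(argv):
    if len(argv) != 2:
        return "usage: restart-helper SERVICE"
    try:
        cmd = build_command(argv[1])  # validate before doing anything as root
    except ValueError as err:
        return f"refused: {err}"
    result = subprocess.run(cmd, env=SAFE_ENV, check=False)  # the only root step
    drop_privileges()  # reporting and anything added later runs unprivileged
    print(f"restart of {argv[1]} exited with {result.returncode}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The helper only protects anything if the file itself is owned by root and not writable by the users allowed to run it.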

  • Since sudo has already been mentioned, you may want to consider various sandbox environments, depending on your needs, such as a jail or similar.

    To improve security consider whether it is possible to do the operation as a special user or group, which has exactly the access rights needed for it. Then you can make the script setuid/setgid for that user or group.

    For a really heavyweight solution, consider using a MAC (Mandatory Access Control) system such as SELinux, AppArmor, TrustedBSD, etc.

    If the use case is a machine running under VirtualBox and security isn't really an issue, you just want a light barrier to prevent yourself shooting yourself in the foot, what then? (Then the security arguments don't really make sense, since it doesn't matter if the machine gets compromised by an outsider who can't see it anyway due to the way VirtualBox insulates it via NAT.)
