Re: [lug-nuts] running a script as another user

From: Mike Simons (msimons@fsimons01.erols.com)
Date: Mon Jan 17 2000 - 12:05:03 PST


On Mon, Jan 17, 2000 at 11:31:16AM -0800, Brian Lavender wrote:
> chown USER ./scriptname
> chmod u+s ./scriptname
>
> Anyone corrections to this?

  This _does_ _not_ _work_ ... setuid and setgid scripts have not worked
in Linux for many years. They are a security hole. If the file being
executed is a script (#! /foo/bar) all setuid/gid bits are ignored.

  Some systems install a "sperl" binary which is a setuid root perl _binary_.
Since sperl is a binary and not a script the setuid bit is applied so
it can be used to run setuid perl scripts but running scripts this way
is as much a security hole as before.

> On Mon, Jan 17, 2000 at 11:22:17AM -0800, Scott Tyson wrote:
>> I would like to put some scripts in my rc.local file but I do not want
>> them to execute as root. Is there a way to specify what user the script
>> executes as? The scripts are shell/perl.

  You need to use "su" ... something like: su -c "/path/bleh/foo.sh" USER

    TTFN,
      Mike Simons

  If you are on a debian system then putting a copy of the file below
in /etc/rc.boot should do what you want. I've been meaning to test
something like this ... but I don't reboot often enough to have bothered yet.

  This is one of a few scripts I have my dialup machine run any time the
connection comes up. It takes a list of "USER:/DIR" pairs... and runs all
executable files in /DIR as USER. Uncomment the echoes if you'd like to
experiment. By changing the list="" line you would be able to get stuff
run as any user.
  There is an issue: does the system have "run-parts" or not...

/etc/ppp/ip-up.d/users
===================
#! /bin/bash

# "USER:/DIR" pairs; every executable file in /DIR is run as USER.
list="msimons:/home/msimons/.ip-up.d bob:/usr/local/bob_site/.update/scripts"

for l in $list; do
  # split the current pair ($l, not the whole $list) into user and directory
  user=`echo "$l" | /bin/sed 's/:.*//'`
  dir=`echo "$l" | /bin/sed 's/.*://'`
  # echo "$user ... $dir";

  if [ -d "$dir" ]; then
    # echo "running commands for $user in $dir"
    cd "$dir"
    /bin/su -c "/bin/run-parts $dir" "$user"
  fi
done
===================

  If your system doesn't have "run-parts" replace the line
    /bin/su -c "/bin/run-parts $dir" $user
with the stuff below:

...untested modification...
===================
    for m in "$dir"/*; do
      # only regular files with the execute bit set, as run-parts would do
      if [ -f "$m" ] && [ -x "$m" ]; then
        /bin/su -c "$m" "$user"
      fi
    done
===================
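Added example, not part of the post above: a quoting-safe version of the same "run everything in /DIR as USER from a root-run boot script" idea, written as a reusable function. It parses the thread's USER:/DIR list format with shell parameter expansion instead of echo piped into sed, checks that the account exists and that the directory is owned by that user (otherwise anyone who can write there gets code run as that user), pins su to /bin/sh so accounts with a nologin shell still work, and does not depend on run-parts. The RUNNER variable is a hypothetical hook that exists only so the logic can be exercised without root by pointing it at "echo"; the paths in the commented wiring are illustrative.

```sh
#!/bin/sh
# Added example (not from the original post): run every executable file in a
# per-user directory as that user, from a root-run boot script such as
# rc.local, /etc/rc.boot or /etc/ppp/ip-up.d. Uses the USER:/DIR list format
# from the thread. RUNNER is a hypothetical hook so the function can be
# exercised without root by setting RUNNER=echo.

# Split a USER:/DIR pair with parameter expansion instead of echo | sed, so a
# colon inside the path lands in the directory half, never in the user name.
pair_user() { printf '%s\n' "${1%%:*}"; }
pair_dir()  { printf '%s\n' "${1#*:}"; }

# su -c hands the command to the target user's login shell; -s /bin/sh pins
# the shell so accounts whose shell is nologin still run the command.
# Deliberately expanded unquoted below so it splits into separate arguments.
RUNNER="${RUNNER:-su -s /bin/sh -c}"

run_dir_as_user() {
    user=$(pair_user "$1")
    dir=$(pair_dir "$1")

    # Refuse names su could read as an option, and accounts that do not exist.
    case "$user" in ''|-*|*/*) echo "refusing user '$user'" >&2; return 1 ;; esac
    id -u "$user" >/dev/null 2>&1 || { echo "no such user '$user'" >&2; return 1; }

    [ -d "$dir" ] || return 0
    # Whoever can write into $dir gets code run as $user, so insist that the
    # directory belongs to that user before touching anything inside it.
    if [ -n "$(find "$dir" -maxdepth 0 ! -user "$user")" ]; then
        echo "$dir is not owned by $user, skipping" >&2
        return 1
    fi

    # No run-parts needed: walk the directory ourselves and run only regular
    # files with the execute bit set, which is run-parts' own rule.
    for m in "$dir"/*; do
        [ -f "$m" ] && [ -x "$m" ] || continue
        $RUNNER "$m" "$user" || echo "$m failed for $user" >&2
    done
}

# Example wiring for rc.local (illustrative paths):
# for l in "msimons:/home/msimons/.ip-up.d" "bob:/usr/local/bob_site/.update/scripts"; do
#     run_dir_as_user "$l"
# done
```

Because su -c passes a single string to the shell, a script path containing whitespace would still be split; keeping the per-user directories under plain paths (as in the thread) avoids that, or use runuser -u USER -- CMD where util-linux is available.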




This archive was generated by hypermail 2b29 : Fri Feb 25 2000 - 14:29:10 PST