
There's a script that I have and it needs to be run by the root user. I just wanted to know how to run that script using su in the script. I'm running CentOS 7.

The command I attempted (below) failed:

su root credentials=/home/root/root.cred

and then continue with the rest of the script; sadly it didn't work. I included the .cred file because root asks for the root password when changing to root. Is there a way to run su root and change to root in a script?

Any ideas?


I may be getting confused but I just want to explain further:

I have a script that I want to be able to run from a regular (non-sudoer) user, but this command is a sudo command, therefore only executable by a sudoer. Root is a sudoer, so when the script is run by the regular user, it will run as root in the script. If I begin the script with su root it can't get past that because it requires a password. Is there a way to enter the root password to get past the su command and into running the rest of the script using the script itself? Maybe echo or something? I have no idea; this is why I am asking this question.

Any further questions, just ask me below :)

  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/108981/discussion-on-question-by-o-ricketts-how-can-i-run-su-root-and-enter-credentials). – terdon Jun 06 '20 at 13:54

2 Answers


You have to add an entry to the /etc/sudoers file to be able to run just your script as root without using any password:

username ALL = (root) NOPASSWD: /your/script's/absolute/address

You have to replace username with your own user name.

But it's dangerous in the sense that if a non-privileged (i.e. non-sudoer) user tampers with your script, then he/she can run whatever program he/she wants with root permissions without any password, so a security measure is to make that file read-only for non-root users:

sudo chmod 755 your_script

By doing this you're giving non-sudoer users permission to read and execute (but not write) the script.

And also to prevent any future reversion:

sudo chown root your_script

By doing this, you're giving ownership of the file to root only.

  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/108982/discussion-on-answer-by-parsa-mousavi-how-can-i-run-su-root-and-enter-credential). – terdon Jun 06 '20 at 13:55
  • @terdon Number one - where's that, number two - comments can be for discussion, they just aren't preferred to be for extended discussion. I believe that discussion would be helpful to others reading the post. – ekv_56 Jun 06 '20 at 14:16
  • @ORICKETTS it's right there, click on "moved to chat" in the automatic comment above. And no, comments are never for discussion, please read [the help page about commenting](https://unix.stackexchange.com/help/privileges/comment), especially the "When _shouldn't_ I comment?" section. – terdon Jun 06 '20 at 14:43
  • @terdon That particular discussion would be helpful to others with the same problem who are researching the site. – ekv_56 Jun 06 '20 at 14:45
  • @ParsaMousavi Help! It hasn't worked! If I press on the script and do run in terminal, it doesn't work and says 'sudo password for username:'. It seems to still be running as the user and expecting a sudo password. – ekv_56 Jun 08 '20 at 07:22
  • @ParsaMousavi should it have sudo at the start still? – ekv_56 Jun 08 '20 at 07:22
  • @ParsaMousavi I'm trying to do an fstab mount which isn't working [LINK](https://unix.stackexchange.com/questions/591547/permanent-network-drive-mount-in-fstab-not-working) – ekv_56 Jun 08 '20 at 07:38
  • @ORICKETTS If you type the command without sudo then yes, it will prompt you for a password. The point of the sudoers file is that it bypasses the password prompt only when you try running it with sudo. You have to add "sudo" before running the commands you've registered in the sudoers file. – Parsa Mousavi Jun 08 '20 at 08:05
  • @ParsaMousavi No I used `sudo` – ekv_56 Jun 08 '20 at 11:20
  • @ORICKETTS So check the sudoers file for syntactical errors. – Parsa Mousavi Jun 08 '20 at 11:21
  • @ParsaMousavi I set it out like below: `##Allows username to execute the script name script without root password # %username ALL = (root) NOPASSWD: /your/script's/absolute/address` – ekv_56 Jun 08 '20 at 11:57
  • @ParsaMousavi Do you know anything about this? - [INTERNAL LINK: unix.stackexchange.com](https://unix.stackexchange.com/questions/592705/how-to-change-permissions-and-access-on-a-samba-network-share-hosted-on-centos7) – ekv_56 Jun 13 '20 at 14:18
  • @ParsaMousavi Thanks for your help – ekv_56 Nov 10 '20 at 17:20

There is no mechanism to safely "convert the user to root for the rest of this script". All means of obtaining root permissions from user level have to start a separate instance of the shell or program with the new credentials to raise the program's rights. To solve this for a user typing commands in the shell, we should use the sudo system.

For your problem, the solution is to separate the script section you want elevated into another script and launch it with sudo at the end of the first 'normal user' part. As shown in Parsa Mousavi's answer, you will use visudo to edit the sudoers file and configure this, and could give the normal user the right to execute the root script without entering a password, if you like.

IMPORTANT: You must indicate the full path of the script and its arguments (if any) in the sudoers definition, and also write exactly the same path and arguments in the calling script. Say, if you authorize /bin/mount /cdrom in the sudoers file, the calling script must say sudo /bin/mount /cdrom for this to work. If your script does not have any arguments in the sudoers file, like /root/my_script.sh, then you'll call it with sudo /root/my_script.sh without arguments. Also, you have to make the script owned by root (and apply chmod go-w to it), so no one can modify it and improperly execute unauthorized commands.

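Putting the two answers together, here is an added example (not code from either answer or from the original poster) of the layout they describe: an unprivileged caller script, a root-only script reached through a NOPASSWD sudoers entry, and the ownership and permission checks a careful caller makes before handing the path to sudo. The user name alice and the path /usr/local/sbin/mount-share.sh are assumptions for illustration; the only real commands used are sudo, stat, dirname and visudo.

```shell
#!/bin/sh
# Added example, not code from either answer: the two-script layout both
# answers describe plus the checks a caller should make first. The account
# "alice" and the path /usr/local/sbin/mount-share.sh are assumed.

ELEVATED=/usr/local/sbin/mount-share.sh   # assumed path of the root-only part
CALLER=alice                              # assumed unprivileged account

# Print the sudoers line for USER and COMMAND [ARGS...]. The path and any
# arguments must be reproduced exactly in the sudo call that uses them.
# Put the line in its own file under /etc/sudoers.d/ (mode 0440) and check
# it with: visudo -cf /etc/sudoers.d/<file>
sudoers_entry() {
    user=$1
    shift
    printf '%s ALL = (root) NOPASSWD: %s\n' "$user" "$*"
}

# Numeric owner uid of a path (GNU stat first, BSD stat as a fallback).
file_owner_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Succeed (return 0) when the group or "other" permission bits allow writing.
file_is_gw_writable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1")
    rest=${mode%?}                 # everything but the "other" digit
    other=${mode#"$rest"}          # the "other" digit
    group=${rest#"${rest%?}"}      # the "group" digit
    case $group in 2|3|6|7) return 0 ;; esac
    case $other in 2|3|6|7) return 0 ;; esac
    return 1
}

# Refuse to hand a script to sudo unless it is an absolute path, a regular
# file, owned by root, and neither it nor its directory is writable by
# group/other (a writable directory lets the file be swapped out).
check_elevated_script() {
    f=$1
    case $f in /*) ;; *) echo "not an absolute path: $f" >&2; return 1 ;; esac
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    [ "$(file_owner_uid "$f")" -eq 0 ] 2>/dev/null || { echo "not owned by root: $f" >&2; return 1; }
    if file_is_gw_writable "$f"; then echo "group/world writable: $f" >&2; return 1; fi
    dir=$(dirname "$f")
    if file_is_gw_writable "$dir"; then echo "directory is group/world writable: $dir" >&2; return 1; fi
    return 0
}

# The unprivileged part of the job calls this at the point where root is
# needed. sudo -n never prompts: if the sudoers entry does not match the
# exact command (path, arguments, user), it fails at once instead of
# hanging on a password prompt, which is what a script wants.
run_elevated() {
    check_elevated_script "$ELEVATED" || return 1
    sudo -n "$ELEVATED" "$@"
}
```

To set it up, run `sudoers_entry "$CALLER" "$ELEVATED"` once and paste its output into a file under /etc/sudoers.d/ via visudo, install the root-only script with `chown root` and `chmod 755` (or `chmod go-w`) as the answers say, and call `run_elevated` from the unprivileged script. Because the check runs before sudo is invoked, a script that has become world-writable or was replaced by a non-root copy is refused instead of being executed as root.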