Set up a linux script to run with the permissions of another user


My specific need is the following:

A script of usuario1 has to be able to be executed by any user of group1 (that I know how to do), but when it is executed it has to have the permissions of user1.

It would be something equivalent to the concept of postgres to create a function with security definer .

It may be necessary the intervention of a sudoer for that configuration, that seems reasonable to me. (I know there may be some error in the commands, that I fix later, the question is only about delegating permissions)

Possible use cases:

1) controlled access to resources:

echo "$DATE - $1" >> /home/usuario1/mensajes-recibidos.log

Thus, the usuario1 could allow to add messages in the file mensajes-recibidos.log in a controlled manner without the need to allow the writing in the file if the script recibir_mensaje could be run with permissions of usuario1 execute it usuario2

2) controlled delegation of administrative tasks:

Imagine the user subadmin2 to which we want to allow you to create users that belong to group gr_comun . Nothing more than that. We could have a script:

adduser $1
adduser $1 gr_comun

that this script runs with root permissions but does not give subadmin sudo permission but only permission to execute

asked by Emilio Platzer 04.08.2017 в 14:05

2 answers


Finally I found a way to allow a user who is not root (neither in the admin groups) to execute a script that runs as root to do certain administrative tasks delegated (like those in the example of the question)

the solution


Give limited permissions through / etc / sudoers to execute only that script as root

the example

Imagine the user subadmin that we want to have permission to execute /opt/

With an administrator user we configure the script to have:

sudo cat /opt/
adduser $1
adduser $1 gr_comun

And we add a line in /etc/sudoers using the command visudo

sudo visudo

add to the end of the file ...

# This file MUST be edited with the 'visudo' command as root.
root    ALL=(ALL:ALL) ALL
subadmin ALL=(root) NOPASSWD: /opt/

then the user subadmin can already perform its delegated task to create the common user (that is, within the common group):

sudo /opt/ usuario1
answered by 12.05.2018 / 03:02

The most reasonable option is to properly set sudo .

You want to know if it is possible to execute a script with the bit suid activated ...

Short answer,

No, the security policy of kernel causes that the scripts can not be executed with the bit suid activated.

Long answer,

Yes, this same policy allows an executable binary file with bit suid activated, execute a script arbitrary. If you create a program with the necessary rights and this program executes your script , the latter will do it under the rights of the executable.

Anyway; the most advisable thing, from the point of view of security, is to configure sudo so that users can execute script .

answered by 04.08.2017 в 16:16