
Thread: Shell script help: change to root mid script

  1. #1
    Join Date
    Jun 2007
    Location
    Burlington, Ontario, CA
    Beans
    310
    Distro
    Kubuntu 11.10 Oneiric Ocelot

    Shell script help: change to root mid script

    Hello. I'm having a bit of an issue getting this working.

    I want a script that basically replaces sudo, asking for a bit of information and writing it to a log file, then executing the command. I've got the first part (collecting the data) down, but I'm having problems with the second part.

    What I need to happen is the user enters the sudo password (every time the command is run), then it executes a bunch of commands as root (i.e. writing to the log file), then finally executes all the commands that were passed to it.

    I tried just adding "sudo" to every command but it ran into problems when it goes to execute the commands. I was trying to use 'sudo `$*`' but that doesn't work. It needs to run any possible command sent to it, with a differing number of args each time (i.e. for running complex commands, like 'shellscript1 apt-get install pidgin'). Also, the problem of sudo staying authorized for a set time (versus asking each time this is run) is a problem.

    So, I propose, how would you script this?

    Code:
    PSEUDOCODE:
    
    <do stuff that I already have worked out>
    
    Ask for root password, every time (not like sudo where once lasts 10 minutes)
    
    Write to log file using root password authentication
    
    Execute the entire list of commands passed to this script using root password authentication
    
    Exit
    Rig: Intel Core i5 2500K [4.7GHz]; ASUS Maximus IV Gene-Z; AMD Radeon HD 6870; 16GB Geil DDR3-1600; OCz Vertex 2 128GB SSD; Lian Li PC-V351B; Corsair H100 cooler; Corsair TX650W; 3x BenQ G2222HDL + 1x Acer x93w; Ubuntu 11.10 64-bit

  2. #2
    Join Date
    Nov 2007
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Shell script help: change to root mid script

    Maybe this helps?

    Code:
    <do stuff that you already have worked out>
    
    # sudo -k drops the cached credentials, so the next sudo asks for the password again
    sudo command1 && sudo -k
    sudo command2 && sudo -k
    
    # the ">>" redirection is performed by the calling (non-root) shell, so
    # "sudo echo ... >> file" fails on a root-owned log; pipe through "sudo tee -a" instead
    echo "$DATE $LOG_INFO" | sudo tee -a myfile.log > /dev/null && sudo -k
    
    # will ask for the password once for every argument
    for foo in "$@"; do sudo "$foo" && sudo -k; done
    If you want it to skip asking the password for a command, just remove the '&& sudo -k' from the command before. Bear in mind though that if the execution of the command surpasses 10 minutes it may ask the password again.
    Last edited by amingv; October 14th, 2009 at 05:25 AM.
    Wish I could prove I love you, but does that mean I have to walk on water?
    When we are older you'll understand it's enough when I say so, and maybe some things are that simple.

  3. #3
    Join Date
    May 2006
    Location
    Switzerland
    Beans
    2,541
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Shell script help: change to root mid script

    Quote Originally Posted by djbon2112:
    I want a script that basically replaces sudo
    Isn't that a bit like reinventing the wheel and the fire?

    And if you have to use "sudo" inside your script to make things work, then your script can't really be a "replacement".

    As for your troubles .... Why not add the few commands you need to execute into /etc/sudoers? Beware: You have to use the "visudo" command to edit that one. Trying to edit the file with anything else without applying the proper steps may cause strange side effects.

    visudo tutorial:
    http://ubuntu-tutorials.com/2007/03/...s-with-visudo/

    sudoers tutorial:
    https://help.ubuntu.com/community/Sudoers

    So the goal here would be that you add a few commands to /etc/sudoers so you don't need to enter the password every time ... and thus your script wouldn't stop in the middle, it would run through.

    And yes, in theory you could edit /etc/sudoers in such a way and disable passwords completely ... I strongly advise against that because it's a really great way of hosing your system.

    So please: Only really add the "NOPASSWD" where it is really really needed.

  4. #4
    Join Date
    Jun 2007
    Location
    Burlington, Ontario, CA
    Beans
    310
    Distro
    Kubuntu 11.10 Oneiric Ocelot

    Re: Shell script help: change to root mid script

    Quote Originally Posted by scorp123:
    Isn't that a bit like reinventing the wheel and the fire?

    And if you have to use "sudo" inside your script to make things work, then your script can't really be a "replacement".

    As for your troubles .... Why not add the few commands you need to execute into /etc/sudoers? Beware: You have to use the "visudo" command to edit that one. Trying to edit the file with anything else without applying the proper steps may cause strange side effects.

    visudo tutorial:
    http://ubuntu-tutorials.com/2007/03/...s-with-visudo/

    sudoers tutorial:
    https://help.ubuntu.com/community/Sudoers

    So the goal here would be that you add a few commands to /etc/sudoers so you don't need to enter the password every time ... and thus your script wouldn't stop in the middle, it would run through.

    And yes, in theory you could edit /etc/sudoers in such a way and disable passwords completely ... I strongly advise against that because it's a really great way of hosing your system.

    So please: Only really add the "NOPASSWD" where it is really really needed.
    It's not to reinvent the wheel, it's basically so I can give my game server admins the password to an account with sudo privileges, but at least have some way to track if they do things to the system at large.

    It would "replace" sudo in the user's shell using an alias, but that's one of the reasons I didn't want to use "sudo" within the command itself. However, I was also thinking I could eliminate the alias at the start of the script and replace it at the end, however I don't know if I need to do that.

    Also, writing to the files is about 5 lines, and the file they're writing to is owned by root and has 700 permissions.

    I'm going to give some of amingv's tips a shot, and see how it goes.

    EDIT: I also forgot to mention, that I don't want to just add the commands to sudoers because I need this to be very portable and deployable at a moment's notice with many different possible situations. Always adding the dozens of commands I may need will take forever.

    EDIT 2: I've got the script working perfectly, except for what I ask in the next post! Here it is, if anyone is curious. I have the file as /sbin/sudoauth.sh and the user in question has an alias for sudo='/sbin/sudoauth.sh'.

    Code:
    #!/bin/bash
    
    #
    # This script replaces the standard "sudo" command on the public LanNET servers.
    # It requests the full name of the user requesting the authorization, as well
    # as who gave them permission to make this modification. The entered data,
    # along with a record of who is logged in at the time and from where, is
    # stored in a root-viewable text file at /var/lannet/sudoauth.log
    #
    # This script is hereby released under the GNU GPL v3. For details of the license,
    # please see http://www.gnu.org/licenses/gpl
    #
    
    LOGFILE=/var/lannet/sudoauth.log
    
    #
    # FUNCTIONS
    #
    
    # Exits the script when the Ctrl+C interrupt is called
    exit_script()
    {
       clear
       exit 1
    }
    
    #
    # MAIN SCRIPT
    #
    
    # Start: Trap Ctrl+C and display the warning message
    trap exit_script 2
    dialog --title "NOTICE! PLEASE READ BEFORE CONTINUING" --backtitle "LanNET 'sudo' Policy" --msgbox "Modification of this server requires express permission from a LanNET administrator. FAILURE TO OBTAIN THIS PERMISSION BEFORE MAKING ANY CHANGES TO THIS MACHINE, OR MAKING ANY MALICIOUS CHANGES TO THIS MACHINE, WILL BE PUNISHABLE BY EXPULSION FROM THE EVENT WITHOUT REFUND. ALL LOGIN AND SUDO ATTEMPTS TO THIS MACHINE ARE LOGGED. If you wish to continue, press \"OK\"." 13 50
    
    # Clear the screen and ask for the username
    clear
    echo "Please enter your full name as shown on your ID:"
    
    # Get the first input, which is the name of the person making the change
    read -r AUTHUSER
    
    # Ask for the administrator
    echo ""
    echo "Please enter the name of the authorizing administrator:"
    
    # Get the second input, which is the name of the authorizing administrator
    read -r AUTHADMIN
    
    # Temporarily get rid of the 'sudo' alias so this script won't call itself.
    # Note: a script runs in its own non-interactive bash, which neither inherits the
    # user's aliases nor expands them, so "sudo" below is always the real binary and
    # this line is only a safeguard; its "not found" error is silenced.
    unalias sudo 2>/dev/null
    
    echo ""
    
    # Drop any cached credentials and ask for the sudo password now, instead of later
    sudo -k
    sudo -v   # "validate" only prompts for the password; it runs no command
    clear
    
    # Log the information to /var/lannet/sudoauth.log, root viewable only.
    # The append must happen as root, hence "sudo tee -a" rather than a plain ">>".
    {
       echo '------------------------'
       echo 'LOGGED ATTEMPT AT SUDO'
       echo "User: $(whoami)"
       echo "Participant: $AUTHUSER"
       echo "Authorization: $AUTHADMIN"
       echo "\"who\" data: $(who --ips)"
       echo ""
    } | sudo tee -a "$LOGFILE" > /dev/null
    
    echo "Authorization successful. Command executing."
    echo ""
    
    # Double-check/reset permissions of that log file, so that only root can see it
    sudo chown root:root "$LOGFILE"
    sudo chmod 700 "$LOGFILE"
    
    # Execute the command; "$@" passes every argument through intact, even ones containing spaces
    sudo "$@"
    
    # Re-enable the 'sudo' alias and exit (this only affects the script's own process;
    # the alias in the user's interactive shell was never removed)
    alias sudo='/sbin/sudoauth.sh'
    exit 0
    Last edited by djbon2112; October 15th, 2009 at 07:37 PM. Reason: Updated the script

  5. #5
    Join Date
    Jun 2007
    Location
    Burlington, Ontario, CA
    Beans
    310
    Distro
    Kubuntu 11.10 Oneiric Ocelot

    Re: Shell script help: change to root mid script

    Also, something else I wanted to ask, also for the shell script.

    The premise will be this will be run by a user SSH'd into the server, logged in as the "gameadmin" account (or something) and needing to "sudo" something to make his game server(s) work. BUT, I also need to be able to record the IP he's logged in from. Is there a command to print that?

  6. #6
    Join Date
    May 2006
    Location
    Switzerland
    Beans
    2,541
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Shell script help: change to root mid script

    Quote Originally Posted by djbon2112:
    It's not to reinvent the wheel, it's basically so I can give my game server admins the password to an account with sudo privileges, but at least have some way to track if they do things to the system at large.
    OK, maybe I am not understanding this correctly. "sudo" does all that already. You can give someone a password to specific account, and thanks to "sudo" they can execute specific things that you define via "/etc/sudoers" ... So why the necessity for this script? You could write whatever commands needs to be executed straight into the script and then allow password-less execution of it via /etc/sudoers ... With this an admin wouldn't even need to know any password besides his own. And yet "sudo" would log each time it gets triggered by someone (you get an entry in the system log).

    So .... what am I missing? Why the need to "replace" sudo? (Sorry but I am really slloooooow tonight ...)

    Quote Originally Posted by djbon2112:
    It would "replace" sudo in the user's shell using an alias
    Again ... why the need for this?

    Quote Originally Posted by djbon2112:
    and the file they're writing to is owned by root and has 700 permissions.
    Yes, and that would make it a candidate for handling via "sudo", wouldn't it?

    Quote Originally Posted by djbon2112:
    EDIT: I also forgot to mention, that I don't want to just add the commands to sudoers because I need this to be very portable and deployable at a moment's notice with many different possible situations. Always adding the dozens of commands I may need will take forever.
    Well, "sudo" certainly is "very portable and deployable" as it pretty much exists for every Linux, BSD and commercial Unix variant out there.

    Quote Originally Posted by djbon2112:
    I have the file as /sbin/sudoauth.sh and the user in question has an alias for sudo='/sbin/sudoauth.sh'.
    I think I should go to bed. I am really not getting this e.g. why you need to do that instead of using "sudo" directly? Never mind. I am too sloow tonight it seems.

  7. #7
    Join Date
    Nov 2007
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Shell script help: change to root mid script

    Seeing the larger picture now, I must say I agree with scorp123.
    Giving root access to someone you don't entirely trust is a bad idea, logging script or not.
    Just give them access to the game server files: create a "gameadmin" group and give it permission to work with the game files only. Most other setups will compromise security.

    Even if you used an alias, it's pretty easy to use the command underneath:

    Code:
    /usr/bin/sudo <potentially_dangerous_command>

  8. #8
    Join Date
    May 2006
    Location
    Switzerland
    Beans
    2,541
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Shell script help: change to root mid script

    Quote Originally Posted by amingv:
    Giving root access to someone you don't entirely trust is a bad idea, logging script or not.
    Just give them access to the game server files: create a "gameadmin" group and give it permission to work with the game files only. Most other setups will compromise security.
    +1

    My thoughts exactly.

  9. #9
    Join Date
    Jun 2007
    Location
    Burlington, Ontario, CA
    Beans
    310
    Distro
    Kubuntu 11.10 Oneiric Ocelot

    Re: Shell script help: change to root mid script

    EDIT: Well, damn, being able to use /usr/bin/sudo directly kinda puts a damper on this. I did think of it before, which is why I wanted to use su, but that wasn't working. This is a pain in the ***...

    Quote Originally Posted by amingv:
    Just give them access to the game server files: create a "gameadmin" group and give it permission to work with the game files only. Most other setups will compromise security.
    Problem is, every game server is different, it uses different files in different places, some require root to start the service, etc., and I'm trying to do this precisely so I don't have to worry about setting this stuff up myself; I can just let another (somewhat-untrusted; I trust them with a log, but not without) user do it, and I can worry about more important stuff (like keeping my guests who DON'T want to play that game happy).

    Basically all I need to do is log to a custom place the IP of the user, who they're logged in as, and who gave them the authorization, every time a user tries to do something sudo, as well as display a prompt with my warning (easy enough by itself). If there's an easier way to do that, besides this script, please let me know!
    Last edited by djbon2112; October 15th, 2009 at 05:25 PM.

  10. #10
    Join Date
    Nov 2007
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Shell script help: change to root mid script

    Quote Originally Posted by djbon2112:
    Problem is, every game server is different, it uses different files in different places, some require root to start the service, etc., and I'm trying to do this precisely so I don't have to worry about setting this stuff up myself; I can just let another (somewhat-untrusted; I trust them with a log, but not without) user do it, and I can worry about more important stuff (like keeping my guests who DON'T want to play that game happy).

    Basically all I need to do is log to a custom place the IP of the user, who they're logged in as, and who gave them the authorization, every time a user tries to do something sudo, as well as display a prompt with my warning (easy enough by itself). If there's an easier way to do that, besides this script, please let me know!
    Even in this scenario, creating a group would work. All server files (regardless of where they are or what server they belong to) would be owned by root and the "gameadmin" group. I know setting this sounds tedious, but believe me when I tell you it takes less than five minutes with a small recursive command.
    Every one of these files would have the read/write/execute bit enabled for their group members.

    In case I'm misunderstanding you and you really can't do it that way, there is yet another option you have:
    Create a program to control any possible routine your helpers would have to perform (python/perl/bash may be good languages for this), it doesn't have to be very complicated, in fact since it will be used through SSH it can be a very simple console program. Then give your helpers the ability to run only THAT program with root capabilities by using visudo.

    The downside, of course, is that you'd have to know at least some very basic programming (or know someone who does), but your helpers would be limited to the tasks the program offers, thus achieving a relatively decent setup security-wise...

    If you give some examples of some of the things they would be doing on the server (edit config files, restart the connections, IP-banning players?), maybe we can come up with something more concrete.
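A restricted wrapper in the spirit of amingv's suggestion above, written as an added example rather than code from this thread: sudoers grants the gameadmin account only this one script, sudo does the authentication and its own logging, and the script records the invoking user (SUDO_USER) and the SSH client IP (the question asked in post #5) before dispatching one of a fixed set of actions. The log and game paths, the sudoers line, the service name and the action names are assumptions.

```shell
#!/bin/sh
# Hypothetical restricted admin wrapper (added example, not from the thread).
# Meant to be the ONLY command the gameadmin account may run via sudoers, e.g.:
#   gameadmin ALL=(root) /usr/local/sbin/gameadmin-wrapper
# Keep the file root-owned and not group-writable, and never have it execute
# anything the helpers can edit, or the allowlist is meaningless.

LOG_FILE="${LOG_FILE:-/var/log/gameadmin-wrapper.log}"   # assumed path
GAME_DIR="${GAME_DIR:-/srv/game}"                         # assumed path
GAME_SERVICE="${GAME_SERVICE:-gameserver}"                # assumed service name

# Extract the SSH client's IP from the variables sshd sets for the session.
# SSH_CONNECTION is "client_ip client_port server_ip server_port" and
# SSH_CLIENT is "client_ip client_port server_port"; sudo only passes them on
# if sudoers lists them in env_keep, otherwise we log "unknown".
client_ip() {
    set -- ${SSH_CONNECTION:-${SSH_CLIENT:-}}
    printf '%s\n' "${1:-unknown}"
}

# Build one audit line: UTC time, real invoking user (SUDO_USER is set by sudo),
# client IP and the requested action.
audit_line() {
    printf '%s user=%s ip=%s action=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${SUDO_USER:-$(id -un)}" \
        "$(client_ip)" "$1"
}

# Map a small set of action names onto fixed commands. Anything else is
# rejected, so helpers never get to hand an arbitrary command line to root.
run_action() {
    case "$1" in
        status)  ls -l "$GAME_DIR" ;;
        restart) service "$GAME_SERVICE" restart ;;
        *)       printf 'unknown action: %s\n' "$1" >&2; return 2 ;;
    esac
}

main() {
    [ $# -eq 1 ] || { echo "usage: $0 {status|restart}" >&2; exit 2; }
    audit_line "$1" >> "$LOG_FILE"
    run_action "$1"
}

# Only run main when executed under the installed name, not when sourced.
case "$0" in */gameadmin-wrapper|gameadmin-wrapper) main "$@" ;; esac
```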
