OK, figured it out. I cannot call the script directly to execute its sudo command as noted above. Here's how it works for me:
Create a script containing a sudo command
foo1.sh
sudo bar
Add a file to sudoers.d with permissions and path to foo1.sh
fooing
user_name ALL=(ALL) NOPASSWD:/path/to/foo1.sh
Create a "calling" script to have sudo execute foo1.sh
foo2.sh
sudo ./path/to/foo1.sh
foo1 executes "bar" without requesting user_name's sudo password
I assume it works this way for security reasons. So, place foo1.sh in a location owned and viewable only by root. That way, no one other than root can see what the script does, or modify it to do anything other than "bar".
$ /home/gotit/Scripts/mount_network_drive.sh
[sudo] password for gotit:
cannot be caused by the script in post #7
According to post #8, something seems to change back and forth with that script, and we don't know the actual parameters of the sudo call that asks for the password.
Please post /home/gotit/Scripts/mount_network_drive.sh as it is, or rather as it was at the time this happened.
Anyway here's sudo
## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##
##
## Host alias specification
##
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias WEBSERVERS = www1, www2, www3
##
## User alias specification
##
## Groups of users. These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias ADMINS = millert, dowdy, mikef
##
## Cmnd alias specification
##
## Groups of commands. Often used to group related commands together.
# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
# /usr/bin/pkill, /usr/bin/top
# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
##
## Defaults specification
##
## You may wish to keep some of the following environment variables
## when running commands via sudo.
##
## Locale settings
# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
##
## Run X applications through sudo; HOME is used to find the
## .Xauthority file. Note that other programs use HOME to find
## configuration files and this may lead to privilege escalation!
# Defaults env_keep += "HOME"
##
## X11 resource path settings
# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
##
## Desktop path settings
# Defaults env_keep += "QTDIR KDEDIR"
##
## Allow sudo-run commands to inherit the callers' ConsoleKit session
# Defaults env_keep += "XDG_SESSION_COOKIE"
##
## Uncomment to enable special input methods. Care should be taken as
## this may allow users to subvert the command being run via sudo.
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
##
## Uncomment to use a hard-coded PATH instead of the user's to find commands
# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
##
## Uncomment to send mail if the user does not enter the correct password.
# Defaults mail_badpass
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output
##
## Runas alias specification
##
##
## User privilege specification
##
root ALL=(ALL) ALL
## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL) ALL
## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw # Ask for the password of the target user
# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d
And the outcome of these 3 commands:
$ sudo -l
User gotit may run the following commands:
(ALL) NOPASSWD: /home/gotit/Scripts/mount_network_drive.sh
(ALL) ALL
$ /home/gotit/Scripts/mount_network_drive.sh
[sudo] password for gotit:
$ sudo /home/gotit/Scripts/mount_network_drive.sh
[sudo] password for gotit:
Perhaps your recommendation of placing it in fstab is better. I have it in fstab working, commented out, but thought it "better" to check at log-on, and if in my home network, then mount the folders.
sudoers.d is supposed to make life easier and less error prone than editing sudoers directly. So I'm following the "easy path".
I thought I just needed to drop a file in sudoers.d with the "gotit ALL ALL" settings and path, and when called by my user (gotit), it should execute without asking for a password. I certainly lost the recipe somewhere...
Please post your entire sudoers (some of eschwartz's assertions are not necessarily correct, but otoh, you can also configure sudo *much* stricter), "stat /home/gotit/Scripts/mount_script.sh" and the behavior for "sudo /home/gotit/Scripts/mount_script.sh".
I understand your concern. Last time I did this (3+yrs ago) I created a directory inside my Scripts directory that was owned by root and could only be viewed by root. I'm trying to get this script working before locking it down. I like to keep it in my home directory so I don't lose it if I need to re-install.
Since my ultimate goal is to call the script via "startup programs" at log-in and auto-mount some network directories, perhaps I should test it by logging out/in so the actual path is followed as you noted below.
I'll update on how it goes.
Well, I still can't get the directories to auto-mount.
#!/bin/bash
if (( EUID != 0 )); then
exec sudo -- "${BASH_SOURCE[0]}" "$@"
fi
If the script is run without root privileges, it will re-execute itself using sudo.
I tried adding sudo in front of the mount commands and
./mount_script.sh
and
sudo ./mount_script.sh
but neither work. Both commands asked me for the sudo password.
Seems like sudoers is reading sudoers.d just fine, so I should have permissions:
$ sudo -l
User gotit may run the following commands:
(ALL) NOPASSWD: /home/gotit/Scripts/mount_script.sh
(ALL) ALL
You're trying to run "./mount_script.sh" but sudo does not allow you to run scripts in the $PWD using relative paths without a password, it only allows you to execute it specifically using the path /home/gotit/Scripts/mount_script.sh
Apparently not, unless you use fast_glob.
Regardless, this sudo rule means anyone who has write permissions for the script can edit it, run it as root, and do whatever they want. So it is effectively the same as just allowing all programs to run with NOPASSWD.
If you want to use NOPASSWD scripts, please only do it for scripts which are stored in /usr/local/bin, owned by root.
Here's the script:
#!/bin/sh
# Check to ensure connected to the home network and if so,
# then mount the network drives
SSID=$(iwgetid -r)
# Use the POSIX test: [[ ]] is a bash-ism and fails under #!/bin/sh
if [ "$SSID" = "My_Network" ]
then
    mount -t cifs -o guest,vers=1.0,iocharset=utf8,sec=ntlm //192.168.1.1/netdrive/Media /mnt/Netdrive-Media
    mount -t cifs -o guest,vers=1.0,iocharset=utf8,sec=ntlm //192.168.1.1/netdrive/Files /mnt/Netdrive-Files
fi
I tried adding sudo in front of the mount commands and
./mount_script.sh
and
sudo ./mount_script.sh
but neither work. Both commands asked me for the sudo password.
Seems like sudoers is reading sudoers.d just fine, so I should have permissions:
$ sudo -l
User gotit may run the following commands:
(ALL) NOPASSWD: /home/gotit/Scripts/mount_script.sh
(ALL) ALL
Figured it out... had to
chown root:root mount_script.sh
now if I execute it as my_user with
./mount_script.sh
it works.
Thanks for the assist!
foo.sh
foo must be run as root
w/o sudoers
sudo foo.sh
[sudo] password for user: ***********
foo is bar. bar is foo. fubar.
w/ sudoers
sudo foo.sh
foo is bar. bar is foo. fubar.
Edit: you do not need sudo in the script, but you have to sudo the script.
PPS: also post the script, it's possible that it drops privs before calling mount
Or, do I still need to add sudo within the script?
When I execute the script via terminal as my user I get
mount: only root can use "--options" option
If I execute the script via terminal with sudo the drive mounts as expected
Yeah, because that's how sudo works.
You can use the sudoers to spare the authentication (password) but you still will have to "sudo /path/to/script/script_name.sh", "/path/to/script/script_name.sh" will still run the script as your UID, no matter what you add to the sudoers.
01-network_drive
that contains
myusername ALL=(ALL) NOPASSWD: /path/to/script/mount_script.sh
I've chowned it to root:root
I've chmod'ed it to 0440
But it won't execute the script to mount a network drive.
When I execute the script via terminal as my user I get
mount: only root can use "--options" option
If I execute the script via terminal with sudo the drive mounts as expected. So, I know the script is good.
What am I missing??