
#1 2024-04-26 21:54:39

longshot
Member
Registered: 2023-03-31
Posts: 24

[SOLVED] how to run privileged commands in scripts?

Intro: Using ABIs to control fan_speed, fn_lock, or conservation mode can be done by editing files in the (e.g. /sys/bus/platform/.../) directory, which is owned by root.
For example, if I wanted to change my fan speed, I need to run this command:

    echo 1 | sudo tee /path/to/fan_mode

What I wanted: To make shortcuts so that I can control performance, fan speed, camera, fn lock on the fly, without a password.

The problem: If I used the sudoers or doas.conf files to make it run without a password, it would compromise security (at least if I don't fully understand what I'm doing).


The question: What is the best way to do this kind of stuff without compromising security?

What I have tried:
Added this line to sudoers:

    %wheel ALL=(ALL:ALL) NOPASSWD: /usr/local/bin/fn_lock

and made a shortcut that runs "sudo /usr/local/bin/fn_lock", and made a script (/usr/local/bin/fn_lock) that toggles the contents of the file between 1 and 0.

Problems with that approach were:

1. I don't really know if this is secure.
2. In the script, I can't run commands as a non-root user (such as notification commands).
3. It doesn't allow for non-root commands in the script (like notifications).
4. When I tried permitting tee for only changing the fan_mode file, I got this (probably bad syntax):

/etc/sudoers:113:73: syntax error
%wheel ALL=(ALL:ALL) NOPASSWD: /usr/bin/tee /sys/devices/pci0000:00/0000:00:1f.0/PNP0C09:00/VPC2004:00/fan_mode

I don't know if this is the right syntax and I don't want to make tee open for sudo without a password.

Last edited by longshot (2024-04-28 14:44:53)


~ A penguin geek who wants to know every file in sysfs

Offline

#2 2024-04-26 22:48:49

seth
Member
Registered: 2012-09-03
Posts: 51,796

Re: [SOLVED] how to run privileged commands in scripts?

You can drop privileges w/ "sudo -u longshot" and also import or hardcode the relevant environment (e.g. $DBUS_SESSION_BUS_ADDRESS), but that's ass-backwards.

Have a script /usr/local/bin/write_device.sh or so that takes a very limited set of parameters,

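#!/bin/sh
# Accepts only the fixed keywords below; anything else is silently ignored,
# so the caller can never choose the file or the value that gets written.
case "$1" in
fn_lock)
    case "$2" in
    on)
        echo 1 > /sys/bus/platform/.../fn_lock # or whatever you need here
    ;;
    off)
        echo 0 > /sys/bus/platform/.../fn_lock # or whatever you need here
    ;;
    *)
    ;;
    esac
;; # closes the fn_lock branch (required before the next pattern)
fan_mode)
    case "$2" in
    fast) # or whatever makes sense here
        echo 1 > /path/to/fan_mode
    ;;
    slow)
        echo 0 > /path/to/fan_mode
    ;;
    *)
    ;;
    esac
;; # closes the fan_mode branch
*)
;;
esac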

and allow yourself to sudo that NOPASSWD and sudo it from your other, unprivileged, scripts.

Offline

#3 2024-04-28 14:44:32

longshot
Member
Registered: 2023-03-31
Posts: 24

Re: [SOLVED] how to run privileged commands in scripts?

Actually a great idea. Thanks


~ A penguin geek who wants to know every file in sysfs

Offline

#4 2024-04-28 14:45:41

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,572
Website

Re: [SOLVED] how to run privileged commands in scripts?

Wouldn't changing permissions / group-membership of the devices be better?  This would have to be repeated each boot (and / or each time the relevant devices are added) but this could most likely be done in a udev rule.

If you do use the wrapper script, make sure it is only modifiable by root.  If it's not obvious why this is important, please stop and rethink the whole process.

Last edited by Trilby (2024-04-28 14:46:38)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline
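
Trilby's condition that the wrapper be modifiable only by root can be checked mechanically before the NOPASSWD rule is relied on. This is an added example, not code from any poster in the thread; the function name and the optional owner-UID parameter are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread).
# wrapper_is_safe PATH [OWNER_UID]
#   Returns 0 only if PATH is a regular file (not a symlink) and both PATH
#   and its directory are owned by OWNER_UID (default 0 = root) and are not
#   writable by group or others. A writable directory would let someone
#   replace the file even when the file itself is read-only.
#   OWNER_UID exists only so the check can be exercised without root;
#   for a sudo wrapper leave it at the default.
#   Only the immediate parent directory is examined, not the whole path.
wrapper_is_safe() {
    path=$1
    owner=${2:-0}
    [ -f "$path" ] || return 1
    [ ! -L "$path" ] || return 1
    dir=$(dirname "$path")
    for p in "$path" "$dir"; do
        # find prints the name only when the test matches; -prune keeps it
        # from descending into the directory.
        [ -n "$(find "$p" -prune -user "$owner")" ] || return 1
        [ -z "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ] || return 1
    done
    return 0
}

# Typical use before trusting the sudoers entry:
#   wrapper_is_safe /usr/local/bin/write_device.sh || echo "fix owner/mode first" >&2
```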

#5 2024-04-28 14:51:59

seth
Member
Registered: 2012-09-03
Posts: 51,796

Re: [SOLVED] how to run privileged commands in scripts?

Depends on how sensitive the actual target is - I do that w/ the keyboard LEDs but there might be cases where you want to control what exactly gets written to the device (e.g. to prevent you and others from accidentally turning off the fans unconditionally)

Offline

#6 2024-04-28 20:40:37

longshot
Member
Registered: 2023-03-31
Posts: 24

Re: [SOLVED] how to run privileged commands in scripts?

Trilby wrote:

If you do use the wrapper script, make sure it is only modifiable by root.  If it's not obvious why this is important, please stop and rethink the whole process.

Yes, for sure, as this would let anyone escalate privileges before I come back from the bathroom.


Trilby wrote:

Wouldn't changing permissions / group-membership of the devices be better?  This would have to be repeated each boot (and / or each time the relevant devices are added) but this could most likely be done in a udev rule.

Actually this is interesting. I don't know what exactly you mean by changing permissions / group-membership of a device. But I'll read more on the subject and udev.


~ A penguin geek who wants to know every file in sysfs

Offline

#8 2024-04-28 20:45:33

longshot
Member
Registered: 2023-03-31
Posts: 24

Re: [SOLVED] how to run privileged commands in scripts?

seth wrote:

Depends on how sensitive the actual target is - I do that w/ the keyboard LEDs but there might be cases where you want to control what exactly gets written to the device (e.g. to prevent you and others from accidentally turning off the fans unconditionally)

You are right. However, in my case people rarely use my system (as I use dwm, every Windows/Mac user thinks it's broken XD).
So is there a way that can actually set devices to be controlled without root permissions?

I'll definitely read on that, when I get some free time.


~ A penguin geek who wants to know every file in sysfs

Offline
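
The udev approach Trilby suggested in #4 can be sketched as a small generator for the rule lines. This is an added example, not code from the thread: the function name, the use of group wheel, the rule file name and the assumption that the attributes already exist when the event fires are all illustrative; only the device name VPC2004:00 and the attribute names come from the posts above.

```shell
#!/bin/sh
# Added example (not from the thread).
# emit_sysfs_group_rules KERNEL_NAME GROUP ATTR...
#   Prints one udev rule per attribute that hands the sysfs file to GROUP
#   and makes it group-writable. Returns 1 and prints nothing on bad input.
emit_sysfs_group_rules() {
    [ $# -ge 3 ] || return 1
    dev=$1
    group=$2
    shift 2
    # udev executes RUN+= commands as root, so every value that ends up in
    # a command line must be a plain name: no '/', quotes or whitespace,
    # and for attributes no '.' either (rules out "../" path tricks).
    case $dev in *[!A-Za-z0-9:._-]*|'') return 1 ;; esac
    case $group in *[!A-Za-z0-9_-]*|'') return 1 ;; esac
    for attr in "$@"; do
        case $attr in *[!A-Za-z0-9_]*|'') return 1 ;; esac
    done
    for attr in "$@"; do
        printf 'ACTION!="remove", SUBSYSTEM=="platform", KERNEL=="%s", ' "$dev"
        printf 'RUN+="/usr/bin/chgrp %s $sys$devpath/%s", ' "$group" "$attr"
        printf 'RUN+="/usr/bin/chmod g+w $sys$devpath/%s"\n' "$attr"
    done
}

# Usage as root (hypothetical rule file name):
#   emit_sysfs_group_rules 'VPC2004:00' wheel fan_mode fn_lock \
#       > /etc/udev/rules.d/90-laptop-attrs.rules
#   udevadm control --reload && udevadm trigger --subsystem-match=platform
```

With this in place, members of the group can write any value the driver accepts, which is the trade-off seth describes in #5; the wrapper script remains the option that restricts what gets written.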
