Is there a safer way to request root access? [SOLVED]

JohnBobSmith · 2015-09-04 07:23:17

Greetings,

I have been learning some bash scripting. The first thing I decided I would do is make a script, shown below, to more easily change the brightness of my laptop. What I am wondering is, is there a "best" or safer way to request root access? The uses are endless for me, from shutdown to mounting flash drives with a script.

Current brightness script:

#!/usr/bin/bash

#Change the brightness of the screen.
#There is probably a better way to
#do this that doesnt require root access,
#but this should work for now...

#Check if we are root user.
if [ `whoami` != "root" ] ; then
	echo "Your are not root... Exiting."
	exit 1
else
	echo "You are root, continuing..."
fi

echo "Enter a value for the brightness"
read value
`tee /sys/class/backlight/acpi_video0/brightness <<< $value`
echo "Done."

#TODO: Fix error regarding the parameter for value 
#causing a command not found error, for example...
# Enter a value for the brightness
# 3
# ./change_brightness.sh: line 18: 3: command not found

## EOF ##

Sample output when the script is run:

[dmb@linux-box ~]$ sudo ./change_brightness.sh 
[sudo] password for dmb: 
You are root, continuing...
Enter a value for the brightness
4
./change_brightness.sh: line 18: 4: command not found
Done.
[dmb@linux-box ~]$

To sum up: Is there a simple and safe way to request root access? I dont really enjoying running a script, even my own, via sudo. Also if anyone knows how to solve the command not found bug that'd be great too. Otherwise, I will keep reading up on bash.

Last edited by JohnBobSmith (2015-09-05 13:33:40)

Raynman · 2015-09-04 09:32:00

JohnBobSmith wrote:

To sum up: Is there a simple and safe way to request root access? I dont really enjoying running a script, even my own, via sudo.

Not exactly sure what you want, but you could change "tee" to "sudo tee" in the script (and remove the root check). You can simplify further to an alias (pass value like an argument instead of via stdin):

alias change_brightness="sudo tee /sys/class/backlight/acpi_video0/brightness <<< "

Also if anyone knows how to solve the command not found bug that'd be great too.

Remove the backticks. You're running tee in a subshell and then executing its output ($value) as a command.

JohnBobSmith · 2015-09-04 13:34:43

Many thanks Raynman. I hadn't thought to use aliases for such a simple command. What I want to know is this though: Is using sudo an OK bash programming practice? For instance, a malicious script could trash the entire system. I guess thats why the AUR guide says to read the PKGBUILD and related files before doing anything. So it would be the user's responsibility to ensure their script that requires root access doesnt have bad commands. But when it is needed as in my case, I guess it cant hurt. It just seems wrong for some reason to use sudo in bash/shell scripting.

WorMzy · 2015-09-04 15:10:02

JohnBobSmith wrote:

It just seems wrong for some reason to use sudo in bash/shell scripting.

I agree. Some systems don't have sudo installed, so blindly running "sudo <command>" would result in "command not found" errors, so you would have to check that "sudo" is available, and that the user is authorised to run <command> as root, if not, perhaps fall back on su? But what if the user doesn't know the root password? Then possibly pkexec as a fallback..?

Trying to escalate privileges in a script can get messy fast. In my opinion, it's much simpler to leave the privileged escalation to the user, and tell them to run the script as root, as you demonstrated in your first post.

Of course, if you're the only person who's going to use these scripts, and you know that the sudo binary is always going to be present and configured correctly for your purposes, then blindly calling sudo in the script should be fine.

ewaller · 2015-09-04 15:54:19

I have always liked using the SUID bit for an executable file. In this case, the program runs with the permissions of the owner of the file, not the permissions of the user running it. Unfortunately, for security reasons, using the SUID does not work for scripts by design.
If your want to write scripts, what you can do is to write simple 'C' programs that handle only the steps that require elevated privilege, and then wrap them in a script invoking the inherently privileged programs from the script.

Here is a really simple c program and an example of how to use SUID

ewaller@turing ~/devel/C 1041 %gcc demo.c         
ewaller@turing ~/devel/C 1042 %./a.out 100     

Could not open the file /sys/class/backlight/intel_backlight/brightness
Unable to set brightness.  Check permissions
ewaller@turing ~/devel/C 1043 %sudo ./a.out 100     
ewaller@turing ~/devel/C 1044 %sudo chown root a.out
ewaller@turing ~/devel/C 1045 %sudo chmod +s a.out
ewaller@turing ~/devel/C 1046 %ls -l a.out 
-rwsr-sr-x 1 root ewaller 8568 Sep  4 08:50 a.out
ewaller@turing ~/devel/C 1047 %./a.out 100
ewaller@turing ~/devel/C 1048 %cat demo.c

#include <stdlib.h>
#include <stdio.h>
#include <argp.h>

int WriteSysFile(char* theFileName, int theValue)
{
  FILE *theFile = fopen(theFileName,"w");
  if (!theFile)
    {
      fprintf(stderr,"\nCould not open the file %s\n",theFileName);
      return -1;
    }
  int returnValue;
  returnValue = fprintf(theFile,"%i\n",theValue);
  fclose(theFile);
  return returnValue;
}

int parseIntArgument(char* arg)
{
  char *endptr, *str;
  long val;
  errno = 0;    /* To distinguish success/failure after call */
  val = strtol(arg, &endptr, 10);
  if ((errno == ERANGE && (val == LONG_MAX || val == LONG_MIN))
      || (errno != 0 && val == 0))
    {
      perror("strtol");
      exit(EXIT_FAILURE);
    }
  
  if (endptr == str) {
    fprintf(stderr, "No digits were found\n");
    exit(EXIT_FAILURE);
  }
  if (*endptr)
    {+
      printf ("Non digit in decimal value\n");
      exit(EXIT_FAILURE);
    }
  /* If we got here, strtol() successfully parsed a number */
  // printf("Arg: %s\nVal:%i\nEnd: %s\n",arg,val,endptr);
  return (int)val;
}

int main (int argc, char** argv)
{
  if (argc !=2 )
    exit(EXIT_FAILURE);
  int brightness = parseIntArgument(argv[1]);
  if (WriteSysFile("/sys/class/backlight/intel_backlight/brightness",brightness) < 0)
    printf("Unable to set brightness.  Check permissions\n");

}

ewaller@turing ~/devel/C 1049 %

Edit: Here is the wrapper

ewaller@turing ~/devel/C 1053 %cat wrapper 
#!/usr/bin/bash

#Change the brightness of the screen.
#There is probably a better way to
#do this that doesnt require root access,
#but this should work for now...


echo "Enter a value for the brightness"
read value
./a.out $value
echo "Done."
ewaller@turing ~/devel/C 1054 %./wrapper  
Enter a value for the brightness
1000
Done.
ewaller@turing ~/devel/C 1055 %

Last edited by ewaller (2015-09-04 16:50:19)

JohnBobSmith · 2015-09-05 13:32:57

Thanks guys! That looks really awesome. I am going to have to brush up on my C while I am learning bash, it looks like they work quite well together. It'd also be fun

Topic solved. My original questions regarding the script have been answered, along with many possible solutions being shown.

Arch Linux

#1 2015-09-04 07:23:17

Is there a safer way to request root access? [SOLVED]

#2 2015-09-04 09:32:00

Re: Is there a safer way to request root access? [SOLVED]

#3 2015-09-04 13:34:43

Re: Is there a safer way to request root access? [SOLVED]

#4 2015-09-04 15:10:02

Re: Is there a safer way to request root access? [SOLVED]

#5 2015-09-04 15:54:19

Re: Is there a safer way to request root access? [SOLVED]

#6 2015-09-05 13:32:57

Re: Is there a safer way to request root access? [SOLVED]

Board footer