Escalating to a root shell

B-Con · 2008-07-12 03:29:29

(Continuing from here.)

Here's my situation:
Basically, I want to be able to escalate to root several times during the script, but not perform all commands as root. And I don't want to have to prompt the user for a password every time root privs are required because the process will be lengthy. The best way to do that would be to escalate the script into a shell with new permissions, but I don't know how.

I figure I have two practical solutions:

a)
In the script, start a new shell that continues execution from that point on.

Basically what I want is:

normal code
[...]
launch root shell
as root, spawn a shell as the original user
continue execution as original user
[...]
on a whim, exit the user shell back to the root shell to perform some root commands
get a new user shell to continue execution as the user
[...]
exit user shell
exit root shell
exit program

But I don't know how to launch a new shell and continue execution from that point.

b)
Fork off a process as root and loop while waiting for commands and send root commands to execute to it through a secure named pipe.

But I need the pipe to be secure (ie, don't want malicious programs to feed their own data into the pipe) but don't know how to secure a pipe.

(Alternative solutions are welcome too, the link points to my original question along these lines.)

I would prefer method b, but I'm really not choosy. I just want to perform building of packages and various setup therefore not as root, but be able to escalate to root for package installation.

Zeist · 2008-07-12 08:29:37

Couldn't you essentially do this by making the script call sudo for the commands that require root access?

Last edited by Zeist (2008-07-12 08:31:13)

lldmer · 2008-07-12 13:03:34

I know only very little about scripting, but sudo has a option -v (validate), that will not run any command, but it will update the sudo timestamp. For this however, I think you will need to figure out how to get the timestamp that is configured for sudo (5 minutes for example), and you will need to run sudo -v before the timestamp is over.

Procyon · 2008-07-12 13:11:53

you could su at the start, and when non root commands are needed su to a user, when root needed again logout user.

ralvez · 2008-07-12 15:54:16

I think that what you need is a top-down approach.
You start the script with the higher level authority (root) and therefore you can su to any user in the system (without using a password) when you need to act as a regular user.

This script will get you started as root.

user=$UID

 if [ $user != 0 ] 
  then
  echo "Sorry. Only the ROOT user can run this program !"
  exit
 else
  echo "###############( Updating Programs )###############"
  echo
  echo "Start: " 
  date
  # su myuser 
  # other commands as user here
 fi

Hope this helps.

R.

Zeist · 2008-07-12 16:16:47

ralvez wrote:

I think that what you need is a top-down approach.
You start the script with the higher level authority (root) and therefore you can su to any user in the system (without using a password) when you need to act as a regular user.
This script will get you started as root.
user=$UID

 if [ $user != 0 ] 
  then
  echo "Sorry. Only the ROOT user can run this program !"
  exit
 else
  echo "###############( Updating Programs )###############"
  echo
  echo "Start: " 
  date
  # su myuser 
  # other commands as user here
 fi
Hope this helps.
R.

Wouldn't that switch over to a user session, effectively halting the script that is running in the root session until the user manually exits from the user session and then continue from the line after it the "su myuser" in the root session as the script is only running in the root session and not in the user session.

ralvez · 2008-07-12 16:23:42

No, it should not. As a user you can have multiple instances of different activities running concurrently. That's one of the characteristics of Unix/Linux.
When he is done acting as a user he can also exit and go back to root again.
Actually, you can test that in your computer. You do not need a script to test how it works because a script is just an automated session of something you can do manually.

R.

B-Con · 2008-07-13 08:09:45

I could, but then I would need the user to manually inform me what user to run the non-root processes as. Having them run it as non-root allows me to grap their UID then immediately escalate to root and continue.

If I start as a normal user and then attempt to escalate to root via:

sudo su

I just get greeted by an interactive root shell and the rest of the script continues executing after I exit the root shell. (Like Zeist mentioned.) But if I run as root and switch to another user

su b-con
touch '/home/b-con/Desktop/test-file'
exit
touch '/home/b-con/Desktop/test-file-2'

then the script executes all the way through but I don't see the files created.

kumyco · 2008-07-17 18:32:55

you could first check to see if you're root
if not, tell the user to run the command as root or recall the script with sudo yourself
then use `su -c'; see the man pages for more info
swiching fully into a new user session may get messy
btw, the script didn't execute all the way through
if you check the user you are after it appears to finish
you should find that you're the user to su'd to..

FeatherMonkey · 2008-07-17 19:10:05

DISCLAIMER: I know nothing about expect, I believe to use it needs careful consideration.

But playing once I have this knocking around.

#!/bin/bash
stty_orig=`stty -g` 
stty -echo 
read -p "Password: " PASS
stty $stty_orig

VAR=$(expect -c "
spawn bash
send \"su\r\"
expect \"Password:\"
send \"$PASS\r\"
expect \"\\\\#\"
send \"cd ~\r\"
expect -re \"$USER.*\"
send \"ls\r\"
expect -re \"$USER.*\"
#send \"logout\"
")

echo "$VAR"

I played once very briefly this prompts for the root passwd, cd's to roots ~ runs a ls there and exits.

Maybe it will help but I wouldn't be using it, as from what I've read people that use expect should know of better ways around it, I don't therefore I can't recommend it.

But using expect I suspect you could achieve what you wish. As for weaknesses strengths that is for others to comment on, I'm afraid.

Bison · 2008-07-18 13:59:50

B-Con wrote:

sudo su

Just an observation here. It seems like it would be better to run sudo -i

Arch Linux

#1 2008-07-12 03:29:29

Escalating to a root shell

#2 2008-07-12 08:29:37

Re: Escalating to a root shell

#3 2008-07-12 13:03:34

Re: Escalating to a root shell

#4 2008-07-12 13:11:53

Re: Escalating to a root shell

#5 2008-07-12 15:54:16

Re: Escalating to a root shell

#6 2008-07-12 16:16:47

Re: Escalating to a root shell

#7 2008-07-12 16:23:42

Re: Escalating to a root shell

#8 2008-07-13 08:09:45

Re: Escalating to a root shell

#9 2008-07-17 18:32:55

Re: Escalating to a root shell

#10 2008-07-17 19:10:05

Re: Escalating to a root shell

#11 2008-07-18 13:59:50

Re: Escalating to a root shell

Board footer