|
#1
| I want to make a simple shell script that I can easily run as root WITHOUT needing to enter my password every time. I've heard that you can set an executable file to run as its owner all the time, so if you make its owner root, you're in business. I've done this like so, following instructions I've found in several places online:
Code:
sudo chmod 4711 <file>
sudo chown root <file>
Again, it does not work. The applet will not even load. It just flickers in the Dock for an instant and then disappears. Am I doing something wrong, or is Leopard even more limited? (Most of the tips I've found online seem to be from 10.3 or 10.4.) Is there any other way to accomplish this without A) typing my password every time, or B) leaving my root password exposed in the source of a script? |
|
#2
| Ok, this is obvious, but you are already doing it. Sudo. When you run the program with sudo, you are not prompted for the password if you have run it a short while ago. Edit the file /etc/sudoers to specify how long the time is, who can run the program, etc. |
|
#3
| You could have sudo not ever require a password for a certain command with an entry in /etc/sudoers:
Code:
mikuro ALL= NOPASSWD: /path/to/command
Code:
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid() */

int main(void)
{
    /* Succeeds only if the effective uid is already root,
       e.g. a root-owned binary with the setuid bit set. */
    if (setuid(0) < 0)
        fprintf(stderr, "setuid() failed\n");
    else
        system("/usr/bin/whoami");
    return(0);
}
I'll spare you the usual security warnings and all that...
__________________ Cyber Feen Blog |
|
#4
| Thanks a lot, Macbri! That sudoers trick sounds like exactly what I need. I'll make a custom shell script, set its owner to root so nobody can edit it, and then add it to my sudoers file. The setuid() function also looks promising, but I guess it would require making a C program for it, which would probably just make things more complicated. |
|
#5
| macbri's suggestion that "You could have sudo not ever require a password for a certain command with an entry in /etc/sudoers" was the first thing I thought of when reading the post title. However, you need to be very careful about doing this, as it opens up a huge security hole. If someone sits down at your computer, or logs into it from outside as your user, you've just given them unimpeded root access. Just something to keep in mind.
__________________ michaelsanford.com Blog Twitter Tumblr LinkedIn iBook G4 1.42 GHz | MacOS X 10.5-current | 1 GB RAM, 100 GB HDD iMac G4 TFT 700 MHz | MacOS X 10.4.11 (8S165) | 768 MB RAM, 40 GB HDD AMD Athlon64 3500+ | Slackware 12 (2.6.21.5-smp) | 2 GB RAM, 2120 GB RAID 1, 2500 GB RAID 0 |
|
#6
| I still need the password for all commands except the one I specified, though. It seems to work fine. When I do "sudo my/special/script.sh", it works with no password. If I do "sudo <anything else>", I need my password. Since both the sudoers file and my special script are root-owned, nobody should be able to mess with them unless they already have root access. Or is there something I've overlooked? |
|
#7
| There's not really anything you've overlooked, it's just something I wanted to mention, especially for those finding the thread via search. Though, if the script file were writeable by the hacking user, they could run arbitrary code: good idea to chown and chmod it as you did.
|
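The ownership and permission checks discussed in posts #6 and #7, as an added example that is not part of the original thread: a POSIX shell audit that lists the command file and every parent directory a non-root user could modify, to be run before the command is given a NOPASSWD entry. The function names and the optional owner-uid argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit a command before giving it a
# NOPASSWD entry in sudoers. The function names are this example's own.

# Print "<mode-string> <numeric-uid>" for a path; ls -ldn gives the same
# leading fields on macOS/BSD and GNU systems.
mode_and_uid() {
    ls -ldn -- "$1" 2>/dev/null | awk '{ print $1, $3; exit }'
}

# Succeed only if $1 is owned by uid $2 and not group- or world-writable.
is_locked_down() {
    info=$(mode_and_uid "$1")
    [ -n "$info" ] || return 1
    [ "${info##* }" = "$2" ] || return 1
    case ${info%% *} in
        ?????w*|????????w*) return 1 ;;   # g+w or o+w
    esac
    return 0
}

# Print every path that would let a non-root user replace the command: the
# file itself, then each directory above it up to /. Returns 0 only if
# nothing was printed.
# $1 = absolute path to the command, $2 = required owner uid (default 0).
audit_nopasswd_target() {
    target=$1 owner=${2:-0} bad=0
    # A symlink or missing file cannot be vouched for; report it and stop.
    if [ -L "$target" ] || [ ! -f "$target" ]; then
        printf '%s\n' "$target"; return 1
    fi
    # Resolve symlinked directories so the real parents are checked.
    dir=$(cd -P "$(dirname "$target")" && pwd -P) || return 1
    is_locked_down "$target" "$owner" || { printf '%s\n' "$target"; bad=1; }
    while :; do
        is_locked_down "$dir" "$owner" || { printf '%s\n' "$dir"; bad=1; }
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return "$bad"
}
```

A writable parent directory matters as much as the file: whoever can rename entries in it can put a different file at the path sudoers trusts.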