I'm writing a shell script, that needs to be run with root privileges.
I can check if a user has root privileges with sudo -nv || echo "no sudo", but that doesn't help me if his credentials are still cached by sudo but he didn't call my script with it. So I have no way of reacting to a user not calling my script with sudo.
I could put sudo in front of every command that needs it, so just checking to see if the user has root privileges would be enough, but it seems to me that there should be a better solution.
I'm looking for a command, that I can put into my script, that asks the user for root privileges and, if provided, executes the rest of the script, as if the user called it with root privileges in the first place.
What I want:
#!/bin/bash
if ! command; then # what I'm looking for
    echo "This script needs root privileges."
    exit 1
fi
mv /bin/cmd1 /bin/cmd2 # requires root
2 Answers
Test if you are root, and if not, restart with sudo, for example:
#! /bin/bash
if [[ $EUID -ne 0 ]];
then
    exec sudo /bin/bash "$0" "$@"
fi
I thought about something like that. But I was a bit hesitant. Are there any security concerns? Will read the man page about exec. Didn't need it until now. – Minix, commented Dec 11, 2014 at 14:54
@Minix it's a shell builtin. Try help exec, or look at the man page of bash or sh. I think this is safe, but I am not sure. – muru, commented Dec 11, 2014 at 14:55
probably want to pass the args too: exec sudo /bin/bash "$0" "$@" – glenn jackman, commented Dec 11, 2014 at 15:53
This is probably plenty safe on any system that interprets the #! bangline - provided the proper sudo is in $PATH. If the presumption is that the bangline is interpreted then the /bin/bash bit is not really necessary though - exec sudo "$0" "$@" should be enough - and might be beneficial in that on those POSIX systems that don't handle the bangline but still do sudo it would probably still get the original script run with escalated privileges. Where sudo is iffy, POSIX also specs the newgrp command. – mikeserv, commented Dec 11, 2014 at 18:15
well, the very first bullet in the shell command language spec reads: The shell reads its input from a file (see sh), from the -c option or from the system() and popen() functions defined in the System Interfaces volume of IEEE Std 1003.1-2001. If the first line of a file of shell commands starts with the characters "#!", the results are unspecified. I think that is a Windows thing - POSIX is not all about unix-likes. I never tried to hunt it down, though. That's also about what the shell itself does with it - not the kernel. POSIX doesn't tell kernels what to do, mostly. – mikeserv, commented Dec 11, 2014 at 18:31
#!/bin/sudo /bin/bash
if ! command; then # what I'm looking for
    echo "This script needs root privileges."
    exit 1
fi
she-bang isn't just for shells. The file is accessed by the kernel - like any executable. The kernel interprets a beginning '#!' as an indicator to exec the first term with subsequent terms as a single argument to the new process. Also to arrange that the script file path is passed to the process as argv[2].
The kernel will not do any advanced quoting or substitutions, merely separate based on space, tab, newline & null.
Note that on many systems, that won't work if you need to make it #! /bin/sudo -uroot /bin/bash because the default target user is otherwise not root. As on many systems shebangs allow only one argument after the path to the interpreter. – Stéphane Chazelas, commented Jan 29, 2023 at 8:37
The example works on Linux & BSD. Of course you must configure sudo for your needs. If you modify my answer then it may no longer work (headslap emoji missing). Linux & BSD kernel will examine a script header line like #!/bin/sudo -u root /bin/bash and exec /bin/sudo with argv[1] = "-u root /bin/bash" and argv[2]="/some/path/scriptfile" IOW you can only pass 1 distinct argument (argv[1]) from the script header line. – stevea, commented Feb 1, 2023 at 10:52
sudo, that would be completely fine. What I'm looking for is a failsafe if they don't do that. Checking for root privileges like I mentioned above does not ensure that the user called my script with sudo, just that the credentials are cached. So I'm looking for something that runs the script as if the user called it with sudo in the event that he forgot.
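An added example, not part of either answer: the re-exec pattern from the first answer written as a reusable function, covering the points raised in the comments (an absolute sudo path instead of a $PATH lookup, an explicit -u root target, arguments passed through unchanged). SUDO_BIN and the function names are assumptions of this example.

```shell
#!/bin/bash
# Added example; SUDO_BIN and all function names are assumptions, not from the answers.
# The function bodies are POSIX sh, so they also work under /bin/sh.

# Absolute path, so the privileged hop does not depend on the caller's $PATH.
SUDO_BIN=${SUDO_BIN:-/usr/bin/sudo}

# is_root [UID]: true when the effective uid is 0. Unlike `sudo -nv`, this
# reports what the current process is, not whether credentials are cached.
is_root() {
    [ "${1:-$(id -u)}" -eq 0 ]
}

# script_abspath FILE: physical absolute path, so sudo runs the same file
# even when the script was started through a relative path.
script_abspath() {
    _dir=$(CDPATH= cd -- "$(dirname -- "$1")" && pwd -P) || return 1
    printf '%s/%s\n' "$_dir" "$(basename -- "$1")"
}

# reexec_argv SCRIPT [ARGS...]: print, one word per line, the command that
# ensure_root executes. -u root makes the target user explicit.
reexec_argv() {
    _script=$(script_abspath "$1") || return 1
    shift
    printf '%s\n' "$SUDO_BIN" -u root -- /bin/bash "$_script" "$@"
}

# ensure_root SCRIPT [ARGS...]: return if already root, otherwise replace
# this process with sudo running the same script and arguments.
# Use as the first statement of a script: ensure_root "$0" "$@"
ensure_root() {
    if is_root; then return 0; fi
    if [ ! -x "$SUDO_BIN" ]; then
        echo "This script needs root privileges." >&2
        exit 1
    fi
    _script=$(script_abspath "$1") || exit 1
    shift
    exec "$SUDO_BIN" -u root -- /bin/bash "$_script" "$@"
}

# Dry run with constructed arguments: show the command without executing it.
reexec_argv "$0" "constructed arg" --flag
```

If sudo authentication fails, sudo itself exits non-zero and nothing after the ensure_root call runs, because exec has already replaced the shell.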