[Solved]How you Mix in bash script user and root commands?


Postby bester69 » 2019-10-05 13:36

Hi,
I don't know what the proper way to get this done is.

I need to use some root commands in a script without giving the user access to those commands outside the script... I mean, I don't want to add those commands to sudoers for the user, only the script.

I have something like this:

script.sh
- user_command1, user_command2
- user_command3
- sudo root_command1, sudo root_command2
- sudo root_command3

------
So, my question is: how can I run that user script without being asked for the sudo password? (Remember, I don't want to add every command in the script to sudoers, only the script.)
/etc/sudoers
user ALL=(ALL:ALL) NOPASSWD: /home/user/scripts.sh


The problem I have is that if I add the script to sudoers in order to run it without the sudo password, then all of the user command lines within it are executed as root, and the script will mess up a lot of things...

So the only way I have found to make this work is by replacing the user command lines with su user -c <<command>>, but this obliges me to change/edit many lines in all my scripts...

SO I DON'T KNOW HOW TO PROCEED HERE! :( Any help? Thanks
Last edited by bester69 on 2019-10-05 18:33, edited 1 time in total.
bester69 wrote:You wont change my mind when I know Im right, Im not an ...
bester69
 
Posts: 1484
Joined: 2015-04-02 13:15
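
An added example, not part of the original posts: a NOPASSWD sudoers rule for a script is only as restrictive as write access to that script and to every directory above it, so this check reports the first path component a non-root account could modify. The function names and the `TRUSTED_UID` parameter are hypothetical; GNU `stat` and `readlink -f` are assumed.

```shell
#!/bin/bash
# Added example (not from the thread). TRUSTED_UID is a hypothetical extra
# parameter (default 0 = root) so the check can be exercised without root.

# entry_is_safe ENTRY [TRUSTED_UID]
# Safe = owned by root or TRUSTED_UID and not writable by group/others.
# A sticky directory such as /tmp is tolerated: its entries can only be
# renamed or removed by their owner, and each entry's owner is checked too.
entry_is_safe() {
    local entry="$1" trusted="${2:-0}" owner mode
    owner=$(stat -c '%u' -- "$entry") || return 1
    mode=$(stat -c '%a' -- "$entry") || return 1
    [ "$owner" -eq 0 ] || [ "$owner" -eq "$trusted" ] || return 1
    if [ $(( 0$mode & 022 )) -ne 0 ]; then      # group- or other-writable
        [ -d "$entry" ] && [ $(( 0$mode & 01000 )) -ne 0 ] || return 1
    fi
    return 0
}

# audit_sudo_target PATH [TRUSTED_UID]
# Resolves symlinks, then checks the script and every directory above it.
# Prints the first unsafe component and returns 1; returns 0 if all pass.
audit_sudo_target() {
    local p trusted="${2:-0}"
    p=$(readlink -f -- "$1") || { echo "cannot resolve: $1"; return 1; }
    [ -f "$p" ] || { echo "not a regular file: $p"; return 1; }
    while :; do
        entry_is_safe "$p" "$trusted" || { echo "unsafe: $p"; return 1; }
        [ "$p" = / ] && return 0
        p=$(dirname -- "$p")
    done
}

# Usage: ./audit.sh /home/user/scripts.sh   (the path from the sudoers line)
if [ "$#" -gt 0 ]; then audit_sudo_target "$@"; fi
```

A script that lives in a user-owned home directory fails this check at the script itself or at the first user-owned directory above it; a root-owned copy under a root-owned directory passes.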

Re: How do I Mix in bash script user and root commands?

Postby bester69 » 2019-10-05 14:12

https://superuser.com/questions/1255613 ... ire-script

PERHAPS I should replace every sudo in the scripts with:
echo "$admpass" | sudo -S *COMMAND*

# In a bash script, aliases are only expanded after: shopt -s expand_aliases
alias sudo="echo 'XddfC^Q=[' | sudo -S"
sudo admin_command


and create a sudoers script function that queries the admin password ($admpass) from a secret root file. :?:
bester69
 
Posts: 1484
Joined: 2015-04-02 13:15

Re: How do I Mix in bash script user and root commands?

Postby bester69 » 2019-10-05 18:27

OK,
I think the most proper solution is to add the whole script to sudoers, and use sudo -u only for the user's write operations.

So I've created an alias function named "suser" to use in the same way as sudo, but for the user's write operations:

#!/bin/bash
#
# Under sudo, SUDO_USER holds the invoking user; otherwise use the current user
if [ -n "$SUDO_USER" ]; then
real_user=$SUDO_USER
else
real_user=$USER
fi

#function suser { sudo -u "$alias_suser" | suser; }
# Run a command as the real (unprivileged) user
suser () { sudo -u "$real_user" "$@" ; }

pathsnap=/media/cache/.snapflag
suser touch /media/cache/.snapflag
....
sudo mount -t btrfs -o subvolid=0 /dev/sda2 ./xZZ
bester69
 
Posts: 1484
Joined: 2015-04-02 13:15

Re: [Solved]How you Mix in bash script user and root comman

Postby CwF » 2019-10-05 21:27

Maybe write out the scripts with an open password, then use shc
CwF
 
Posts: 499
Joined: 2018-06-20 15:16

Re: [Solved]How you Mix in bash script user and root comman

Postby bester69 » 2019-10-05 22:23

CwF wrote:Maybe write out the scripts with an open password, then use shc

Would hiding the sudo (root) password by using restricted permissions on a plain text file in the root system be a bad idea? :?:

>> I'm considering using a secrets file with the root password in it, so that only scripts in sudoers can access/call the root password.

This is the code:
>> ENPGP grabs the sudo (root) password


AnyScript.sh (with sudoers)
Code:
#!/bin/bash
#
# Fetch the password by key from the secrets helper, which runs under sudo
export ENPGP=$(sudo ~/scripts/secrets.sh XXYY3)
# sudo wrapper function: feeds the stored password to the real sudo on stdin
sudo () { echo "$ENPGP" | /usr/bin/sudo -S "$@" ; }
# -------------
sudo command1
sudo command1


secrets.sh
Code:
#!/bin/bash
#
# Print the quoted value from the line matching the key given as $1
grep -- "$1" /usr/local/share/secrets/secrets | awk -F '"' '{print $2}'


secrets (secrets file with root password)
Code:
XXYY1   "rstfss9fdsf,rib9"
XXYY2   "cbGGns2" #Para
XXYY4   "sladkjlajd" #Para true
XXYY5   "FcQ6sddJe9S6" #Para true
Last edited by bester69 on 2019-10-05 23:42, edited 2 times in total.
bester69
 
Posts: 1484
Joined: 2015-04-02 13:15

Re: [Solved]How you Mix in bash script user and root comman

Postby bester69 » 2019-10-05 23:33

Or another development that seems to be more worthy:

script_launcher.sh (with sudoers)
Code:
#!/bin/sh
#
ENGP=$(sudo /home/user/scripts/secrets.sh XXYY7)  su user -c "/home/user/scripts/MyUserScript.sh"

It grabs the root password and passes it to MyUserScript, which runs with user permissions.

MyUserScript.sh
Code:
#!/bin/sh
#
echo "$ENGP" | sudo -S ls
unset ENGP

touch /home/user/without_root.txt
sudo touch /home/user/with_root.txt

We execute (sudo -S) only once, at the beginning of the script, passing the root password from the environment; then we immediately clear the password from the environment (ENGP) for security, and then the rest of the script is able to use sudo without passing the root password.

This last solution looks pretty great... :D :o :) I wonder if it has any drawback I don't see right now.
bester69
 
Posts: 1484
Joined: 2015-04-02 13:15

Re: [Solved]How you Mix in bash script user and root comman

Postby CwF » 2019-10-06 01:07

bester69 wrote: CwF wrote:
Maybe write out the scripts with an open password, then use shc


Would hiding the sudo (root) password by using restricted permissions on a plain text file in the root system be a bad idea? :?:

It would be 'obfuscated'
https://packages.debian.org/bullseye/shc
CwF
 
Posts: 499
Joined: 2018-06-20 15:16

Re: [Solved]How you Mix in bash script user and root comman

Postby bester69 » 2019-10-06 01:48

CwF wrote:
bester69 wrote: CwF wrote:
Maybe write out the scripts with an open password, then use shc


Would hiding the sudo (root) password by using restricted permissions on a plain text file in the root system be a bad idea? :?:

It would be 'obfuscated'
https://packages.debian.org/bullseye/shc

It sounds very interesting, I'm going to give it a look... I would like to just store my secret passwords file in the compiled script to increase obfuscation, with some kind of "select case decoding", plus sudoers invoking.
bester69
 
Posts: 1484
Joined: 2015-04-02 13:15

Re: [Solved]How you Mix in bash script user and root comman

Postby Dai_trying » 2019-10-06 07:16

Would this page help?
Dai_trying
 
Posts: 783
Joined: 2016-01-07 12:25

Re: [Solved]How you Mix in bash script user and root comman

Postby wizard10000 » 2019-10-06 09:34

The way I do it is run the script under the root account and su to an unprivileged user if needed. My backup scripts do this, here's one of them you can use for an example -
Code:
#!/bin/bash

su -l wizard -c "/usr/bin/bleachbit -c --preset"
/usr/bin/bleachbit -c --preset

if mountpoint -q /media/internal
  then
    rsync -aEquX /root /media/internal/laptop/archive --delete
    rsync -aEquX  /etc /media/internal/laptop/archive --delete
    su -l wizard -c "rsync -aEquX --exclude-from=/home/wizard/.config/rsync/exclude  /home/wizard /media/internal/laptop/home --delete"
    su -l wizard -c "rsync -aEquX  192.168.1.102:/media/external/Videos /media/internal --delete"
    su -l wizard -c "rsync -aEquX  192.168.1.102:/media/external/Music /media/internal --delete"
    su -l wizard -c "rsync -aEquX --exclude-from=/home/wizard/.config/rsync/exclude  192.168.1.102:/media/external/server /media/internal --delete"
    chown -hR wizard:wizard /media/internal
    /usr/bin/rclone --config /root/.config/rclone/rclone.conf sync --exclude-from /root/.config/rclone/rclone-exclude --delete-during --drive-use-trash=false --transfers 4 --checkers 8 --contimeout 60s --timeout 300s --retries 3 --low-level-retries 10 --stats 1s /media/internal/laptop remote:private/laptop
    /usr/bin/rclone --config /root/.config/rclone/rclone.conf sync --delete-during --drive-use-trash=false --transfers 4 --checkers 8 --contimeout 60s --timeout 300s --retries 3 --low-level-retries 10 --stats 1s /home/wizard/Documents remote:private/documents
    /usr/bin/rclone --config /root/.config/rclone/rclone.conf sync --delete-during --copy-links --drive-use-trash=false --transfers 4 --checkers 8 --contimeout 60s --timeout 300s --retries 3 --low-level-retries 10 --stats 1s /home/wizard/software remote:private/software
    rclone cleanup remote:
  fi
swapoff -a && swapon -a
exit 0


Hope this helps -
we see things not as they are, but as we are.
-- anais nin
wizard10000
 
Posts: 99
Joined: 2019-04-16 23:15
Location: southeastern us

Re: [Solved]How you Mix in bash script user and root comman

Postby bester69 » 2019-10-06 10:42

wizard10000 wrote:The way I do it is run the script under the root account and su to an unprivileged user if needed. My backup scripts do this, here's one of them you can use for an example -
Code:
#!/bin/bash

su -l wizard -c "/usr/bin/bleachbit -c --preset"
/usr/bin/bleachbit -c --preset

if mountpoint -q /media/internal
  then
    rsync -aEquX /root /media/internal/laptop/archive --delete
    rsync -aEquX  /etc /media/internal/laptop/archive --delete
    su -l wizard -c "rsync -aEquX --exclude-from=/home/wizard/.config/rsync/exclude  /home/wizard /media/internal/laptop/home --delete"
    su -l wizard -c "rsync -aEquX  192.168.1.102:/media/external/Videos /media/internal --delete"
    su -l wizard -c "rsync -aEquX  192.168.1.102:/media/external/Music /media/internal --delete"
    su -l wizard -c "rsync -aEquX --exclude-from=/home/wizard/.config/rsync/exclude  192.168.1.102:/media/external/server /media/internal --delete"
    chown -hR wizard:wizard /media/internal
    /usr/bin/rclone --config /root/.config/rclone/rclone.conf sync --exclude-from /root/.config/rclone/rclone-exclude --delete-during --drive-use-trash=false --transfers 4 --checkers 8 --contimeout 60s --timeout 300s --retries 3 --low-level-retries 10 --stats 1s /media/internal/laptop remote:private/laptop
    /usr/bin/rclone --config /root/.config/rclone/rclone.conf sync --delete-during --drive-use-trash=false --transfers 4 --checkers 8 --contimeout 60s --timeout 300s --retries 3 --low-level-retries 10 --stats 1s /home/wizard/Documents remote:private/documents
    /usr/bin/rclone --config /root/.config/rclone/rclone.conf sync --delete-during --copy-links --drive-use-trash=false --transfers 4 --checkers 8 --contimeout 60s --timeout 300s --retries 3 --low-level-retries 10 --stats 1s /home/wizard/software remote:private/software
    rclone cleanup remote:
  fi
swapoff -a && swapon -a
exit 0


Hope this helps -

Thanks, I see

My idea was not to have to mess with all my scripts too much. I like my own idea a lot: passing the root password through a secrets function (invoked with sudo through a sudoers launcher script), then running the script as a regular user, passing it the root password (PASSADMIN="rootpassword" su user -c Myscript.sh), then executing "PASSADMIN | sudo -S" only once at the beginning (getting the password from the called function), and then immediately clearing the root password from the environment (unset PASSADMIN), so no one can intercept the root password in the environment. All this keeps working in the same way as if you had typed the sudo password on the keyboard when launching a script with "sudo" calls in it as a regular user. But I've read somewhere that this only works if the script flow doesn't have gaps between sudo calls longer than 5 minutes (I don't know if this is true). If that were the case, we could call "PASSADMIN | sudo -S" every time by using a sudo wrapper function like: sudo () { echo "$ENPGP" | /usr/bin/sudo -S "$@" ; }, which seems to have no problems at all and saves you from modifying all the sudo calls in the script.

Right now I'm implementing your way, but using "sudo -u" instead of "su -c", and putting it only on write operations (where permissions can be changed); I'm using an alias function called "suser" for (sudo user -c), to get cleaner code, like this:

btrfshomeupd.sh
Code:
#!/bin/bash
#
# Under sudo, SUDO_USER holds the invoking user; otherwise use the current user
if [ -n "$SUDO_USER" ]; then
    real_user=$SUDO_USER
else
    real_user=$USER
fi
#function suser { sudo -u "$alias_suser" | suser; }
# Run a command as the real (unprivileged) user
suser () { sudo -u "$real_user" "$@" ; }

pathsnap=/media/cache/.snapflag
suser touch "$pathsnap"

suser snapper -c home delete $(cat "$pathsnap")
A=$(suser snapper -c home create -p -d HomeActu)
echo "HomeActualiza con Numero: $A"
# A plain "> file" is opened by the calling shell, so write through tee as the user
echo "$A" | suser tee "$pathsnap" > /dev/null


So I can run the script both ways, as a user or as admin (with sudoers).

Thanks for help, thanks Wizard :)
bester69
 
Posts: 1484
Joined: 2015-04-02 13:15

