Score:2

Is there something as events in Ubuntu?

in flag

I would like to know if Ubuntu has something like events. I need to run a Jenkins job but Jenkins has no sudo privileges and I dont want to give it to him. But job needs to run some actions which requires sudo privileges. The solution could be to trigger an event which will listen as root user and this event would run the code with sudo privileges. May be I am still confused by privileges but this could be very handy I think. Or something like public root user interface which will be available for other users but will run as root user. Like

root->doSomethingAsRoot()

Hope you understand what I want to achieve. Thanks for help.

PS This question is related to this issue

muru avatar
us flag
Sure, a lot of things use D-Bus for this, e.g., the network manager GUI and command line tools communicate via D-Bus with the network manager daemon, which runs as root.
in flag
Thanks I will look at it.
in flag
Hmm I am searching info about D-bus but I am not sure if it is able to run script under the root user which will be triggered with another user.
raj avatar
cn flag
raj
Can't you just give sudo privileges to Jenkins **for that particular script you want to run**? Sudo is not "all or nothing" solution - exactly opposite, you can specify in very detail, which user can run what.
in flag
The flow looks like Jenkins run git clone. Git repo contains bash script which Jenkins run. And the script runs `rm -rf` at the end. And that is the problem cause I need to delete files with 644 permissions of different user (www-data). Solution could be if I am able to force www-data (Laravel) to create files with 664 privileges.
in flag
How can I add sudo privileges to script for Jenkins? Jenkins could rewrite the script and then do anything. I know sudo can be delegated to command not to script. But in this case command is rm which is little dangerous.
raj avatar
cn flag
raj
@Čamo You can also restrict sudo right to a command **with particular parameters**. So if the script should for example run `sudo rm -rf /some/path`, you can give Jenkins permissions only to run `rm -rf /some/path`. Of course this isn't completely prone to attempts to work around it and remove another directory, but this isn't just straightforward. However, in that case I think the safest approach is to run a setuid binary that runs a hardcoded command `rm -rf /some/path`.
in flag
Is python or php script able to be used as "setuid binary"? (of course not) It drives me crazy...
in flag
I have it. I made endless bash script running as root on background which deletes the directories every 10 seconds. https://stackoverflow.com/questions/68003861/how-to-set-laravel-to-generate-files-with-required-permissions
raj avatar
cn flag
raj
You have already solved your issue another way (and perhaps a better one, if only change of permissions was needed), but I still do not understand what is your problem with binary wrapper around a script to run it as root. You just run the wrapper instead of script. You can still modify the script as you wish and do whatever you want with it. And if you want to run only single command (`rm`) as root, you create the wrapper around that command only and run that wrapper instead of `rm` directly. It's very simple. What is your problem with it?
Score:1
cn flag
raj

If the actions that need to be run as root can be separated into separate processes/scripts, then you can run these processes as setuid root. It is a very handy tool that in my opinion is used far too rarely.

What are setuid processes? Look for example at the passwd command. It can be run by any user, but it needs to be run as root, as it needs to modify password stored in a file that only root can access (/etc/shadow).

How it is done? Look at the permissions of the /usr/bin/passwd binary:

-rwsr-xr-x 1 root root 68208 maj 28  2020 /usr/bin/passwd

The "s" instead of "x" in the owner field indicates that this binary will be run with the rights of its owner - that is root.

This way every binary can be made to run as root (or any other user), independent of who is calling it.

However, on scripts the setuid bit is ignored for security reasons. So to run a script as root you need to use a binary wrapper that will call the script from inside. You can use the following simple C program to create such a wrapper:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/wait.h>

int main()
{
   int rc;
   setuid( 0 );
   rc=WEXITSTATUS(system( "/path/to/your/script" ));
   exit(rc);
}

Compile the program and make the executable setuid root (assuming the executable is called wrapper, do sudo chown root:root wrapper followed by sudo chmod o+s wrapper).

BTW. The script that is run from inside the wrapper does not have to be setuid; only the wrapper needs to.

Edit: from your explanation in the comments it looks that you want to run a particular rm -rf /some/path command as root and are concerned to not accidentally remove anything else. In that case, I suggest just replacing the /path/to/your/script part in the wrapper program above by this very command rm -rf /some/path, and just run the wrapper binary from your script in the place where you would run rm -rf /some/path command. This seems to be the safest approach.

in flag
Dont understand it. Something less complicated should exist. Why S files are not executable directly but from wrapper they are? It does not make sense.
raj avatar
cn flag
raj
@Čamo Only on **binaries** the **s** bit is effective. For **scripts** it is not effective, because there are severe security implications behind it. Therefore scripts need to be run from within a setuid **binary**. The binary already has root rights (because it's setuid), so when it's executing a script, the script inherits these rights. BTW. The script run from inside wrapper does not need to have the **s** bit set. Only the wrapper needs to.
in flag
That is the reason why people dont use it. Is there something like events in Linux? Something which will listen as root and make some action as root?
raj avatar
cn flag
raj
@Čamo using sockets, you can always write a client-server application that will listen on a socket for incoming data and perform any action on that data. Both sides of a socket can run under different users and this is a standard mechanism used by many applications for privilege separation. If you're using for example (unprivileged) MySQL client to ask (privileged) MySQL server to access a database, you're using exactly this. However, it's definitely harder to program sockets than to call a setuid binary :) Probably you can also use named pipes in a similar way.
in flag
What are named pipes? It seems it is impossible for me.
raj avatar
cn flag
raj
@Čamo if you run a command like `mknod /tmp/mypipe p` and give appropriate permissions to both users for `/tmp/mypipe`, processes running on diferent users can communicate by eg. one writing to `/tmp/mypipe`, and the other reading from `/tmp/mypipe`. It is like regular pipe `|` but allows for both processes to be run independently. But I don't think this will be particularly useful in your case.
marko avatar
tw flag
If you are in a graphical environment such as X11, you can invoke `pkexec` from within the script by having the following as the first line in the script: `#!/usr/bin/pkexec /bin/bash` then the rest of it runs as root/admin. User will be prompted for the root password when the script runs.
in flag
I have it. I made endless script which runs as root on the background and it deletes the directory every 10 seconds. May be not so cool but works like a charm. https://stackoverflow.com/questions/68003861/how-to-set-laravel-to-generate-files-with-required-permissions
in flag
The final solution is to use setfacl for parent directory.
Score:0
in flag

My straight forward solution is to run endless background script as root which find and deletes required directories every 10 seconds. It runs as nohup so it is still running although I close the terminal.

while true
do
  find /var/www -maxdepth 1 -type d -name 'deploy-old-*' -exec rm -rf {} \;
  sleep 10
done
Score:0
in flag

The final solution for this issue where Laravel generates the files with chmod 644 is to set up ACL privileges for the parent directory via setfacl.

setfacl -R -dm "g:www-data:rw" $www_new_app_dir/storage 

where all generated files will inherit the acl settings from parent directory. In this case rw for www-data group.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.