Linux run command without sudo

Shell script without using sudo in ubuntu

Totally new to shell script’s and I have a script that execute the following command in order to export my database from Vagrant :

export_folder="/var/www/projects/DatabaseBackup/local" schema="wp" tables="wp_8_options" export_data="mysqldump -uroot -pmy-secret-password --opt $schema $tables > $file_name.sql" sudo vagrant ssh --command "cd $export_folder && $export_data" 

$export_folder : Is the path inside Vagrant, that corresponding on my host computer folder $scema : The database to export from Vagrant mySql server $tables : The tables to export from the selected schema $export_data : The actual mysqldump command that exporting the data sudo vagrant ssh —command «. » : The command that instruct the Vagrant to use the SSH in order to execute another command inside the Vagrant VM. All the code above, run’s from a shell script and until now it works properly. The reason I have write this script is to automate the database exporting when ever I commit something on my Git by using the Git hooks. The problem with the above script, is that I cannot run it via the Git hooks, because it is using sudo . Unfortunatelly the Vagrant requires sudo on my computer in order to get run. Also, you should know, that I am not a Vagrant expert, and the Vagrant got installed on my computer by another coworker, so I don’t know how to modify it in order to run without sudo . Additionally, I don’t really care about this script security because will only run from inside my computer. So the question is, how to run this script, without using the sudo command. What are the options for that ?

Источник

run specific command without sudo inside script running with sudo bash

I have a bash script which I’m running with sudo : sudo NewScript Inside the script, I have a git command which I don’t want to run with sudo . Currently, since the entire script is run with sudo this command also runs with sudo and that’s what I would like to suppress. Is such thing possible or do I need to run the script without sudo and add sudo for every command inside the script other than the git command?

When you run a script with sudo , the script is run basically as if it was run by the root user. So the only solution I can think of is to run your git command with permissions of a specific user like so: sudo -S [username] [git command]

If the latter approach, if sudo required a password, you will be prompted for password for all such commands.

2 Answers 2

Note that sudo runs programs as a different user, not necessarily as root ; root is just the default. So your goal is probably not to run your specific git command without sudo , but rather to run it as a different user than the rest.

If you want you git command to be run by a hard-coded user the_user , just put

in your script (this will not prompt you for your password when the script is run as root).

If you don’t know the user in advance but rather want the git command to be run by whoever called sudo newScript use

instead (thanks to @thatotherguy for that hint).

Источник

Running a command with root priviliges without SUDO and not as root user

How can you run a command (e.g. iftop or similar) that requires root privileges from a non-root user and without using SUDO in front? Alternatively, how can you give root privileges to a user without becoming root? Ideally, I want to run the iftop command in the following way:

[user@pc]$ sudo iftop [root@pc]$ iftop 

2 Answers 2

How can you run a command (e.g. iftop or similar) that requires root privileges from a non-root user and without using SUDO in front?

There are at least 2 methods you can use to allow non-root users use iftop but both of them require root access.

The safer method is to assign cap_net_raw capability to iftop binary:

sudo setcap cap_net_raw+ep "$(command -v iftop)" 

The less safe method is to assign setuid root:

sudo chmod +s "$(command -v iftop)" 

Alternatively, how can you give root privileges to a user without becoming root?

If I add the root setuid, the iftop command will be run with the root user, right? The best solution for me would be to run a generic binary that requires root privileges but from a non-root user and without sudo.

@Adam: yes, it will. The best solution for me would be to run a generic binary that requires root privileges but from a non-root user and without sudo. — why do you need that? If there is a binary you use very often and get tired always typing sudo first the safest way is to assign needed capabilities with setcap , you will not sudo any more. Remember it’s a huge security risk to allow unprivileged users on the system to run binaries that should run as root.

@Adam: I hope you’re at least doing that in a virtual machine or a container and that you’re the only user of that system. If that’s your situation, you’re free to experiment.

That can be done using the set user id file attribute:

# chmod u+s /usr/bin/sleep # sleep 1000& # ps aux | grep -w sleep | grep -v grep root 1234 0.0 0.0 . 0:00 sleep 1000 

THIS IS A BIG SECURITY RISK!

If you wish to run something as someone else (not root , as here), that is possible:

# chown pulse /usr/bin/sleep # chmod u+s /usr/bin/sleep # sleep 1000& # ps aux | grep -w sleep | grep -v grep pulse 1234 0.0 0.0 . 0:00 sleep 1000 

If you are not root you can allow someone else to run a command as you:

# id -nu john # ls -l a.out -rwxr-x--- 1 john users 50923 Mar 25 10:17 a.out # chmod go+rx,u+s a.out # ls -l a.out -rwsr-xr-x 1 john users 50923 Mar 25 10:17 a.out 

(please note the «s» where the «x» was in «rwx. «. That means the set user id flag is set)

That command a.out will be run as john .

Источник

How to run commands without sudo on Ubuntu startup

I have a below command which I have to run manually each time whenever the Ubuntu machine starts or reboots.

This command can only be run without sudo . If I run it as sudo ngrok start —all , it gives error. Due to this I am not able to create script which I can run as systemd service, so that the service automatically starts on every boot and executes the script and the command starts. I have also tried crontab by adding below line to sudo crontab -e but it also didn’t worked.

@muru When I run ngrok start —all , it loads up my portal. But using it in crontab, portal is not loading.

2 Answers 2

At that time, it already runs with root privileges, so there is no need to use sudo . Just run it without it.

You only need sudo when you are logged in, and a program runs using your user account with less privileges; sudo gives such a program root privileges. Processes started during system startup or in (root’s) crontab already run as root.

There is even a solution how to run this as a systemd unit:

So you mean, we can not run commands without sudo at startup.? There is no solution for it or am I missing something?

You are thinking too complicated. sudo runs a program as root. At boot time EVERYTHING already runs as root. Just put that plain command into a systemd unit; there is no need for sudo .

Using old crontab is not going one step further, it’s putting more skeletons into that old musty closet. Use today’s technology, i.e. systemd!

Using @reboot in your crontab is the way to go, but there is something you should know about jobs run through cron :

Jobs run through cron , or at , or batch , aren’t run in the same runtime environment that you have on your desktop. None of your PATH changes, or other environment variable settings are automatically propagated to your cron job. For example, there’s no $DISPLAY , so GUI programs need special treatment (read man xhost ).

One can set environment variables for all one’s cron jobs in the crontab file Read man 5 crontab .

Look at the results of echo «=== set ===»;set;echo «=== env ===»;env | sort;echo «=== alias ===»;alias in each of your environments.

Since the command part of the crontab line is, by default, interpreted by /bin/sh , which has a simpler syntax than /bin/bash , I recommend having command be a call to a bash script (executable, mounted, starts with #!/bin/bash ) which sets up the environment, then calls the desired program.

Источник

Run command without sudo

I’m trying to access a directory using ls but I can access it only using sudo ls for user hduser , whereas, for user avp , I can access it without sudo. How can I access that directory and all its subdirectories without using sudo all the time for the user hduser ? Here are the file permissions:

avp@avp-HP-ENVY:~$ ll /media/avp/ total 24 drwxr-xr--+ 4 root root 4096 Mar 20 12:50 ./ drwxr-xr-x 3 root root 4096 Aug 5 2015 ../ drwxrwxrwx 1 root root 12288 Mar 20 11:40 study/ hduser@avp-HP-ENVY:~$ mkdir /media/avp/test mkdir: cannot create directory ‘/media/avp/test’: Permission denied hduser@avp-HP-ENVY:~$ sudo mkdir /media/avp/test hduser@avp-HP-ENVY:~$ ls /media/avp/test ls: cannot access /media/avp/test: Permission denied hduser@avp-HP-ENVY:~$ ls /media/avp/ ls: cannot access /media/avp/study: Permission denied ls: cannot access /media/avp/test: Permission denied study test hduser@avp-HP-ENVY:~$ sudo ls /media/avp/ study test 

PS: I’ve read posts about executing sudo command without a password, but I don’t want to use sudo command in the first place for file accessing commands (eg. ls, mkdir, etc.). I’ve been using Ubuntu for a couple of years now, but I’m missing something very basic which I want to understand clearly, so I’m asking this question here.

1 Answer 1

One of the principles of Linux is: all is a file. That means that process and directories must be treated as files and all files have a three sets of permissions: for the user, for the group and for the rest of the users.

The permissions are: 1 to execute, 4 to read, 2 to write. So when you see a file with a permission «644» that means that the user (owner) can read and write in it, meanwhile the group and the rest of the users can only read it. If you see a file con permissions «777» (the MS Windows way) that means that all people can do what they want with that file, by the contrary a file with permission «000» is «locked» even for the owner of that file. The command to change permission is «chmod», for instance, create a new file:

 $ touch test.txt $ ls -l test.txt 

you will see something like:

 -rw-r--r-- 1 manuel manuel 0 Mär 20 12:41 test.txt 

that means: «the owner user manuel can read and write this file, the users members of the group manuel can only read this file and the rest of the users can only read it.»

Where those permissions came from? Well they are defined for the «umask», by default umask is 644 for the new files that you create or copy and 755 for dirs when you create a dir with the «mkdir» command, when you type «ls -la» you can see a «d» at the beginning of some lines indicating that the «file» is directory, and needs execution permissions to be accessed for a user: in linux directories are files with execution permissions.

Every time you add a new users to the system with the command:

the command automatically also creates the group «thomas» and creates a dir in the /home directory to him. When you install apache or mysql or postgresql, apt-get also creates a unique user and a group to handle those processes because is dangerous a Windows like approach, where all processes are handled for a single admin user, if someone hack that user that person would have full control of all the system. Of course in Linux the user «root» must runs the smaller number of processes as possible.

You can see the current groups in your system with:

Now, suppose the user «thomas» wants to edit the file test.txt that we just created, he can’t because the file belongs to the user «manuel» and the group «manuel». You have several options, you could change the owner of the file with the command chown:

 $ chown thomas.thomas test.txt 

now the file is owned by the user «thomas» and the group «thomas», but that is a problem because maybe you want to edit the file later and now you can’t. Instead to change the owner, maybe you just need to add writing permissions to the file:

Now the user thomas can write in that file and you too. But now you have the problem that any user can write in the file. The real solution is to give writing permissions to the user and the group:

and then to add the user to the group:

 $sudo useradd -G manuel thomas 

now «thomas» is member of the group «manuel» (a user can be member of many groups) and then he can write in the file but other users can’t.

Now you understand that your dir:

drwxr-xr--+ 4 root root 4096 Mar 20 12:50 ./ 

is a «file» owned by the root user and the root group and hduser doesn’t have permission to execute it. You can do several things, like giving recursively the whole directory to hduser :

$ sudo chown -R hduser /media/avp/ 

or you can add hduser to the group «root» but that would be dangerous.

Источник