- How To Run A Command Or Script As Root On Startup / Boot Using systemd or A Cron Job
- How to use systemd to run a command or script as root on boot
- How to use a cron job to run a command or script as root on startup / boot
- How do I run a shell script as root (sudo)?
- 5 Answers 5
- How to make a script run commands as root
- How can I let users run a script with root permissions?
How To Run A Command Or Script As Root On Startup / Boot Using systemd or A Cron Job
How to use systemd to run a command or script as root on boot
To use systemd to run a command or script as root when your computer boots, create a file (as root) called mycommand.service (replace mycommand with whatever you want to call it) in /etc/systemd/system/ .
We can use Nano command line text editor to open / create this file:
sudo nano /etc/systemd/system/mycommand.service
In this file, paste the following:
[Unit]Description=your description
[Service]ExecStart=/path/to/command/or/script
[Install]
WantedBy=multi-user.target
Here, change the Description value to describe what this does, and the ExecStart value to the command or path of the script you want to run as root on startup. Don’t add sudo at the beginning of the command or script, because it runs as root anyway.
Now save the file and exit Nano. In case you’re not familiar with Nano text editor, you can save the file by pressing Ctrl + o , then Enter . Exit by pressing Ctrl + x .
Next, you need to enable the systemd service to run on boot, using the following command:
sudo systemctl enable mycommand.service
Remember to replace mycommand.service with the actual filename you’ve used for this systemd service file. There’s no need to run the systemd service right now, since this is about running it on boot.
If you use this to run a script, make sure to make the script executable ( chmod +x /path/to/script ) or else it won’t run.
This is a very simple systemd unit file that runs only once. These can be a lot more complex, depending on what you need. For example, you could use a command that runs before ExecStart , have it start only after another unit becomes active, have the command run only after another service, e.g. the network service has been started ( After=network.target , while also declaring a dependency to this service using Wants= or Requires= ), and more. Check out the systemd.service and systemd.unit man pages for more details.
How to use a cron job to run a command or script as root on startup / boot
To use a cron job to run a command or script as root when the system boots, edit the root user crontab using:
And at the bottom of the file (it may also be empty), use the following:
@reboot /path/to/command/or/script
Now save the crontab and exit. If you’ve used Nano command line editor to edit it (should be default in most cases), you can save the file by pressing Ctrl + o , then Enter . Exit Nano by pressing Ctrl + x . Don’t add sudo before command or script, because it runs as root anyway, since it’s added to the root crontab.
In case you want to use a particular editor to edit the root crontab, run it like this: sudo EDITOR=editor crontab -e , e.g. for Vim: sudo EDITOR=vim crontab -e , or for Nano: sudo EDITOR=nano crontab -e .
- If you use this to run a script, make sure to make the script executable ( chmod +x /path/to/script ) or else it won’t run
- Use the full path to the command or script, or else it may fail to run (this depends on the Linux distribution you’re using, e.g. you don’t need to use the full path on Ubuntu 20.04 for example)
- If the script ran by cron also includes commands without the full path, you can avoid having to rewrite the script by adding this at the top of the crontab file: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- If you need to delay the start of the command / script, you can make use of the sleep command, e.g.: @reboot /usr/bin/sleep 60; /path/to/command/or/script to run the command or script 60 seconds after the system boots
Which to choose between systemd or a cron job to run a command or script as root on startup / boot, if you have a choice? When in doubt, pick systemd (if it’s available on your system) because it should be more reliable and easier to use.
For example, not every version of cron supports the @reboot option, or the command / script may only run when the system is rebooted, and not when it’s shut down (this didn’t happen for me on Ubuntu 20.04, Fedora 24, Manjaro Linux and Debian 10, but it may happen on some Linux distributions).
It’s also worth noting that @reboot configures a job to run once when the daemon is started. cron is not usually restarted, so this usually corresponds to the machine being booted. For example, Debian (and Debian-based Linux distributions) enforces this, making cron not re-run @reboot jobs when the cron service is restarted. On some Linux distributions, though, restarting the cron service may re-run the @reboot commands.
Also, on Fedora, cron is not installed by default (install it using sudo dnf install cronie ). On Manjaro, cron is installed by default, but not enabled by default (enable it using sudo systemctl enable —now cronie ).
How do I run a shell script as root (sudo)?
I have a SVN repository server that runs under the repository user. I want to run a script after every post-commit action. I wrote a shell script that runs from the hook after every commit. It needs to be run as root. This is why I used sudo in the script, but it didn’t work. Is there any way to run the script as root?
sudo su echo "password" svn export --force file:///home/repository/trunk/ /home/memarexweb/public_html/devel/ chmod -R 777 /home/memarexweb/public_html/devel/
one option could be to disable password but isnt really a good solution maestric.com/doc/unix/ubuntu_sudo_without_password
5 Answers 5
I was searching around and found this useful solution:
Edit your sudoers file to allow running certain commands without a password.
It’s best to split your post-commit script into two parts, one of which will be run through sudo .
loqman ALL=(root) NOPASSWD: /usr/local/bin/svn-postcommit-export
#!/bin/sh sudo /usr/local/bin/svn-postcommit-export
#!/bin/sh svn export --force file:///home/repository/trunk/ /home/memarexweb/public_html/devel/ chmod -R 777 /home/memarexweb/public_html/devel/
starts a new process, owned by the root user. After that process is terminated or stopped, the next line is executed, again as the user that executes the script.
A possible solution is to run the whole script using sudo, and to give that use sudo rights to exectute the scripts. In order to do that, you need to edit the /etc/sudoers file using the visudo command.
In the last line of your script, you’re changing the mode of /home/memarexweb/public_html/devel/ to 777, so user «repository» should be able to copy files to that directory without root privileges. In that case, you don’t need to use sudo or su.
However, changing the permissions of the directory to 777 is dangerous, as it allows anyone to write to that directory and create or delete files. It would be better to change the ownership of the directory to user «repository» and change the mode to 755. If that’s not feasible, you may be able to add a POSIX ACL allowing «repository» to write to the directory. You can Google «POSIX ACL» for more information, or read the man pages for getfacl and setfacl .
This will not work, the best thing is to put only the requires commands in the shell script. And then setuid the script itself, like this (using root):
Like this, executing this script will give you the permissions of the owner of the script (root).
EDIT: As mentioned in comments, stuid is not allowed for shell script. This solution works for executable files only.
How to make a script run commands as root
I’m new to Ubuntu and bash scripts, but I just made runUpdates.sh and added this to my .profile to run it:
if [ -f "$HOME/bin/runUpdates.sh" ]; then . "$HOME/bin/runUpdates.sh" fi
The problem I’m having is, I want the script to run as if root is running it (because I don’t want to type my sudo password) I found a few places that I should be able to do sudo chown root.root
#!/bin/sh echo "user is $" #check for updates update=`cat /var/lib/update-notifier/updates-available | head -c 2 | tail -c 1`; if [ "$update" = "0" ]; then echo -e "No updates found.\n"; else read -p "Do you wish to install updates? [yN] " yn if [ "$yn" != "y" ] && [ "$yn" != "Y" ]; then echo -e 'No\n'; else echo "Please wait. "; echo `sudo apt-get update`; echo `sudo apt-get upgrade`; echo `sudo apt-get dist-upgrade`; echo -e "Done!\n"; fi fi #check for restart restartFile=`/usr/lib/update-notifier/update-motd-reboot-required`; if [ ! -z "$restartFile" ]; then echo "$restartFile"; read -p "Do you wish to REBOOT? [yN] " yn if [ "$yn" != "y" ] && [ "$yn" != "Y" ]; then echo -e 'No\n'; else echo `sudo shutdown -r now`; fi fi
I added the user is to debug, it always outputs my user not root, and prompts for the sudo password (since I’m calling the commands with sudo) or tells me are you root? (if I remove sudo) Also, is there a way to output the update commands stdout in real time, not just one block when they finish? (I also tried with the shebang as #!/bin/bash )
How can I let users run a script with root permissions?
Although not ‘passwordless’, it doesn’t require the user to be given the root password. It can also provide an audit trail of use of the script.
edit: as per comment from Chris, there is an option not to require a password at all for certain commands, see here for details. It can also be set up not to prompt excessively for the password, i.e. one entry of the password can be good for multiple commands over a period of use.
By the way, sudo is built in to Ubuntu and nicely integrated with Gnome. When ubuntu prompts you for your password to do privileged operations, that’s sudo under the hood.
sudo can be configured to not ask for a password. I think it’s called NOPASSWD, but read the sudoers manpage to be sure.
This is dangerous! Don’t do it! Read the article about security issues with suid root scripts; sudo doesn’t solve any of these.
True, a vulnerable script is still a vulnerable script. However sudo does allow you to limit who can run it in a granular way, and provides an audit trail.
Be sure to review the «PREVENTING SHELL ESCAPES» section of the sudoers man page if you go the sudo route.
I would recommend sudo. Be sure to tighten your sudoers file appropriately; and yes, you can allow some commands to be executed with no password being requested.
Good point, however it is not quite true that it is no better. It limits the users who can run the script in a granular way, and provides an audit trail (granted, there are other ways to do that too).
It’s not true that it «isn’t any better» — unless people were suggesting trying to start a shell script with #!/bin/sudo or some other crazy idea. There is a race condition with allowing suid-root shell script (programs that start with #!) execution, which is why exec() on modern systems ignores the suid-root bit for those files. Specifically, if a suid-root shell script exists anywhere on the computer, I can, in a directory I own/can write to, create a link to it, run it, and after /bin/sh starts but before it opens the file, move away the link and put my own file there.
And, in fact, if starting a shell script with #!/bin/sudo actually does work, it could be more secure because a sudoers configuration file could force users to run /bin/sudo /path/to/a/specific/link — sudoers lets you restrict arguments, so this race condition could be avoided (/bin/sudo /path/to/malicious/link would be prohibited by sudoers)