[Solved] Run certain bash script as root?

Post by ReaderGuy42 »

I "created" (read: found through sleuthing forums) a script that switches the input setting of my second monitor (primary is laptop).

Code:

#! /bin/bash
sudo ddccontrol -r 0x60 -w 17 dev:/dev/i2c-3

When I go through the process of clicking the .sh file called "switch-monitor.sh" I get the normal selection of Run | Run in Terminal | Display | Cancel.

However, since it needs root access to do this, I can't figure out how to give this one specific script root access on its own. I tried putting it in the sudoers.d folder which did nothing; I tried chmod and chown to no effect. I also tried adding a line at the bottom of the sudoers text file via visudo but it didn't let me save anything to that file; it just kept making a sudoers.tmp file.

The script itself works so that's neat, but I need to run it in a terminal and then input my root password.
Any ideas?
Thanks :)

Here's my inxi -Fxxxrz:

Code:

System:
  Kernel: 5.13.0-21-generic x86_64 bits: 64 compiler: N/A 
  Desktop: Cinnamon 5.0.7 info: kdocker wm: muffin 5.0.2 dm: LightDM 1.30.0 
  Distro: Linux Mint 20.2 Uma base: Ubuntu 20.04 focal 
Machine:
  Type: Laptop System: Acer product: Aspire A315-51 v: V1.14 
  serial: <filter> 
  Mobo: SKL model: Venusaur_KL v: V1.14 serial: <filter> UEFI: Insyde 
  v: 1.14 date: 10/31/2018 
Battery:
  ID-1: BAT1 charge: 5.4 Wh condition: 5.4/37.0 Wh (15%) volts: 8.4/7.7 
  model: PANASONIC AP16M5J type: Li-ion serial: <filter> status: Full 
CPU:
  Topology: Dual Core model: Intel Core i3-6006U bits: 64 type: MT MCP 
  arch: Skylake rev: 3 L2 cache: 3072 KiB 
  flags: avx avx2 lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx 
  bogomips: 15999 
  Speed: 903 MHz min/max: 400/2000 MHz Core speeds (MHz): 1: 856 2: 794 
  3: 796 4: 797 
Graphics:
  Device-1: Intel Skylake GT2 [HD Graphics 520] 
  vendor: Acer Incorporated ALI driver: i915 v: kernel bus ID: 00:02.0 
  chip ID: 8086:1916 
  Display: x11 server: X.Org 1.20.11 driver: modesetting 
  unloaded: fbdev,vesa resolution: 1366x768~60Hz, 1920x1080~60Hz 
  OpenGL: renderer: Mesa Intel HD Graphics 520 (SKL GT2) v: 4.6 Mesa 21.0.3 
  direct render: Yes 
Audio:
  Device-1: Intel Sunrise Point-LP HD Audio vendor: Acer Incorporated ALI 
  driver: snd_hda_intel v: kernel bus ID: 00:1f.3 chip ID: 8086:9d70 
  Sound Server: ALSA v: k5.13.0-21-generic 
Network:
  Device-1: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet 
  vendor: Acer Incorporated ALI driver: r8169 v: kernel port: 3000 
  bus ID: 02:00.1 chip ID: 10ec:8168 
  IF: enp2s0f1 state: down mac: <filter> 
  Device-2: Qualcomm Atheros QCA9377 802.11ac Wireless Network Adapter 
  vendor: Lite-On driver: ath10k_pci v: kernel port: 3000 bus ID: 03:00.0 
  chip ID: 168c:0042 
  IF: wlp3s0 state: up mac: <filter> 
Drives:
  Local Storage: total: 931.51 GiB used: 492.00 GiB (52.8%) 
  ID-1: /dev/sda vendor: Western Digital model: WDS100T2B0A-00SM50 
  size: 931.51 GiB speed: 6.0 Gb/s serial: <filter> rev: 20WD scheme: GPT 
Partition:
  ID-1: / size: 915.40 GiB used: 492.00 GiB (53.7%) fs: ext4 dev: /dev/sda2 
Sensors:
  System Temperatures: cpu: 41.0 C mobo: N/A 
  Fan Speeds (RPM): N/A 
Repos:
  No active apt repos in: /etc/apt/sources.list 
  Active apt repos in: /etc/apt/sources.list.d/additional-repositories.list 
  1: deb https://typora.io/linux ./
  Active apt repos in: /etc/apt/sources.list.d/official-package-repositories.list 
  1: deb http://mirror.funkfreundelandshut.de/linuxmint/packages uma main upstream import backport
  2: deb http://ftp.fau.de/ubuntu focal main restricted universe multiverse
  3: deb http://ftp.fau.de/ubuntu focal-updates main restricted universe multiverse
  4: deb http://ftp.fau.de/ubuntu focal-backports main restricted universe multiverse
  5: deb http://security.ubuntu.com/ubuntu/ focal-security main restricted universe multiverse
  6: deb http://archive.canonical.com/ubuntu/ focal partner
  Active apt repos in: /etc/apt/sources.list.d/protonvpn-stable.list 
  1: deb [signed-by=/usr/share/keyrings/protonvpn-stable-archive-keyring.gpg] https://repo.protonvpn.com/debian stable main
  Active apt repos in: /etc/apt/sources.list.d/signal-xenial.list 
  1: deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main
  Active apt repos in: /etc/apt/sources.list.d/smathot-cogscinl-focal.list 
  1: deb http://ppa.launchpad.net/smathot/cogscinl/ubuntu focal main
Info:
  Processes: 262 Uptime: 3h 54m Memory: 7.65 GiB used: 4.77 GiB (62.4%) 
  Init: systemd v: 245 runlevel: 5 Compilers: gcc: 9.3.0 alt: 9 Shell: bash 
  v: 5.0.17 running in: gnome-terminal inxi: 3.0.38 
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 3 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.

Re: Run certain bash script as root?

Post by ReaderGuy42 »

Ok, I think I solved this on my own. I was reading this forum (https://unix.stackexchange.com/question ... tcut-witho) but had initially misunderstood it. I accidentally had put the script itself into sudoers.d, while I now put a text file there pointing it to the script elsewhere. Then in my keyboard shortcuts I prefixed the command with "sudo" and now the keyboard shortcut automatically triggers the script.

If anyone reads this maybe they can tell me if this was the best way to do this?
Thanks :)
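The sudoers.d approach described in this post, as an added example that is not the poster's actual file: a NOPASSWD rule for one script is only as safe as the script file it names, so these checks verify the drop-in name and the script's ownership before the rule is installed. The user name `alice`, the drop-in name `switch-monitor` and the path `/usr/local/sbin/switch-monitor.sh` are assumptions.

```shell
#!/bin/sh
# Added example: checks to run before installing a NOPASSWD sudoers drop-in.
# Assumed names (not from the thread): user "alice", drop-in "switch-monitor",
# script installed at /usr/local/sbin/switch-monitor.sh.

# sudo ignores files in /etc/sudoers.d whose names contain '.' or end in '~'.
valid_dropin_name() {
    case "$1" in
        ""|*.*|*~|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the rule; the command must be given as an absolute path.
sudoers_rule() {   # usage: sudoers_rule USER /abs/path/to/script
    case "$2" in /*) ;; *) return 1 ;; esac
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# If the invoking user can edit the script, anything they write into it runs
# as root, so require a regular file owned by root with no group/other write bit.
script_is_locked_down() {
    [ -f "$1" ] || return 1
    set -- "$1" $(stat -c '%u %a' "$1")   # $2 = owner uid, $3 = octal mode
    [ "$2" -eq 0 ] || return 1
    [ $(( 0$3 & 022 )) -eq 0 ]
}

# Validate the fragment with visudo before it goes live, then install it 0440.
install_dropin() {   # usage (as root): install_dropin NAME USER /abs/script
    valid_dropin_name "$1" && script_is_locked_down "$3" || return 1
    tmp=$(mktemp) || return 1
    sudoers_rule "$2" "$3" > "$tmp" && visudo -cf "$tmp" &&
        install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Example call (as root):
#   install_dropin switch-monitor alice /usr/local/sbin/switch-monitor.sh
```

The directories leading to the script need the same treatment: if the user can rename or replace a parent directory, the root-owned file check no longer protects the rule.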

Re: [Probably solved] Run certain bash script as root?

Post by AndyMH »

The modern way is to use polkits not sudoers. You would then run your script with pkexec myscript, not sudo myscript.
viewtopic.php?f=47&t=317804
This is an example where I modified the polkit for gparted so it runs without a password. Use the gparted polkit and use it as a template to create one for your script. The changes you make here are global, so every user could run your script without a password. You can create local rules and there is a post somewhere on the forum on how to do this, but the search facilities...

I suspect you could also do this through lightdm. This is my /etc/lightdm/lightdm.conf.d/71-linuxmint.conf (you need to create it):

Code:

[SeatDefaults]
user-session=cinnamon
display-setup-script=/usr/bin/LGmonitor.bsh

This points at a setup script that sets the resolution for my monitor with xrandr. This script is run as root as this is before any user has logged in.

If you decide to have a play with lightdm, make sure you have a mint install stick to hand, just in case you mess up and end up with an unbootable system - you can boot the install stick and undo your changes. The number of times I've had to do this on a fresh install because I forgot to make the script executable...

What happens if you run your script and you don't have the second monitor attached or you have a different monitor plugged in? My setup script tests for the existence of the monitor before doing its stuff as it is running on a laptop.
Thinkcentre M720Q - LM21.3 cinnamon, 4 x T430 - LM21.3 cinnamon, Homebrew desktop i5-8400+GTX1080 Cinnamon 19.0

Re: [Probably solved] Run certain bash script as root?

Post by ReaderGuy42 »

AndyMH wrote: Fri Nov 26, 2021 9:20 am The modern way is to use polkits not sudoers. You would then run your script with pkexec myscript, not sudo myscript.
viewtopic.php?f=47&t=317804
This is an example where I modified the polkit for gparted so it runs without a password. Use the gparted polkit and use it as a template to create one for your script. The changes you make here are global, so every user could run your script without a password. You can create local rules and there is a post somewhere on the forum on how to do this, but the search facilities...

I suspect you could also do this through lightdm. This is my /etc/lightdm/lightdm.conf.d/71-linuxmint.conf (you need to create it):

Code:

[SeatDefaults]
user-session=cinnamon
display-setup-script=/usr/bin/LGmonitor.bsh

This points at a setup script that sets the resolution for my monitor with xrandr. This script is run as root as this is before any user has logged in.

If you decide to have a play with lightdm, make sure you have a mint install stick to hand, just in case you mess up and end up with an unbootable system - you can boot the install stick and undo your changes. The number of times I've had to do this on a fresh install because I forgot to make the script executable...

What happens if you run your script and you don't have the second monitor attached or you have a different monitor plugged in? My setup script tests for the existence of the monitor before doing its stuff as it is running on a laptop.
Ok, thanks for this :) I'm going to be honest, the chance of bricking my system is keeping me from trying this, since I'm using this PC for work right now. But I'll save your comment and maybe try it some time later.

Re: [Probably solved] Run certain bash script as root?

Post by AndyMH »

ReaderGuy42 wrote: Sat Nov 27, 2021 9:10 am Ok, thanks for this :) I'm going to be honest, the chance of bricking my system is keeping me from trying this, since I'm using this PC for work right now. But I'll save your comment and maybe try it some time later.
Make sure you have adequate backups, either file level with timeshift (system) and backintime (home) and/or image backups with foxclone or rescuezilla. Preferably file and image backup.
Thinkcentre M720Q - LM21.3 cinnamon, 4 x T430 - LM21.3 cinnamon, Homebrew desktop i5-8400+GTX1080 Cinnamon 19.0

Re: [Solved] Run certain bash script as root?

Post by SimonPeter »

ReaderGuy42 wrote: Fri Nov 26, 2021 7:46 am .....
AFAIK, polkit is the best way to automatically run a program as root.
Make sure your program contains no vulnerabilities.
(like the possibility of attacks using $PATH -- the risk of which may be reduced using a proper shebang line)

There is yet another way to do this -- setuid binaries.
setuid binaries are VERY INSECURE if not written properly.

You should write setuid binaries ONLY IF you're confident of your program being safe.
For this, you SHOULD have a good knowledge of C (or C++), POSIX etc.

It should ignore ALL environment variables and call your script (possibly through execle(3)) and with the command /usr/bin/env -i /bin/sh -c 'your-command'.
It should also safeguard against ALL other attacks (like those using $LD_PRELOAD etc.).

Re: [Solved] Run certain bash script as root?

Post by ReaderGuy42 »

SimonPeter wrote: Sat Nov 27, 2021 1:06 pm
ReaderGuy42 wrote: Fri Nov 26, 2021 7:46 am .....
AFAIK, polkit is the best way to automatically run a program as root.
Make sure your program contains no vulnerabilities.
(like the possibility of attacks using $PATH -- the risk of which may be reduced using a proper shebang line)

There is yet another way to do this -- setuid binaries.
setuid binaries are VERY INSECURE if not written properly.

You should write setuid binaries ONLY IF you're confident of your program being safe.
For this, you SHOULD have a good knowledge of C (or C++), POSIX etc.

It should ignore ALL environment variables and call your script (possibly through execle(3)) and with the command /usr/bin/env -i /bin/sh -c 'your-command'.
It should also safeguard against ALL other attacks (like those using $LD_PRELOAD etc.).
For what it's worth the way I did it worked. The program is really just one line (see the first code line in the original post). Not sure if that has a possibility of attack/vulnerability?

Re: [Solved] Run certain bash script as root?

Post by SimonPeter »

ReaderGuy42 wrote: Sun Nov 28, 2021 9:20 am For what it's worth the way I did it worked. The program is really just one line (see the first code line in the original post). Not sure if that has a possibility of attack/vulnerability?
Running ANYTHING as setuid has the possibility of attacks/vulnerabilities, unless your setuid binary is written and compiled properly.

What if some local attacker (who is not root) modifies $PATH to look like PATH=/attackers/binaries/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:....
Now, the system will search for binaries in /attackers/binaries/bin before searching anything else.
E.g. if you call sed from the setuid binary running in a (non-sanitized) environment with $PATH as above, you'll end up running /attackers/binaries/bin/sed as ROOT (instead of the original /usr/bin/sed).

So, you must take care to sanitize the environment AND write the setuid binary well (a task well-suited only for experts in this field).

BTW polkit is better than the hassle of writing setuid binaries.
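The $PATH lookup problem described in this post and the `env -i` form from the earlier one, as an added example that is not part of the original posts: `resolve_as` reports which file a bare command name would run under a given PATH, `risky_path_entries` audits a PATH for entries a root process should not search, and `run_sanitized` starts a command with nothing inherited but a fixed PATH. The function names and `SAFE_PATH` value are assumptions made for this example.

```shell
#!/bin/sh
# Added example: how PATH decides what a privileged script runs, and how to pin it.

SAFE_PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Print the file a bare command name would resolve to if PATH were $1.
resolve_as() {   # usage: resolve_as PATH_VALUE COMMAND
    ( PATH=$1; command -v "$2" )
}

# List PATH entries a root process should not search: relative or empty entries
# (looked up from the current directory) and group/world-writable directories.
risky_path_entries() {   # usage: risky_path_entries PATH_VALUE
    ( IFS=:; set -f
      for dir in $1; do
          case "$dir" in
              /*) mode=$(stat -c '%a' "$dir" 2>/dev/null) || continue
                  [ $(( 0$mode & 022 )) -ne 0 ] && echo "$dir" ;;
              *)  echo "${dir:-.}" ;;
          esac
      done
      true )
}

# Start a command with an empty environment plus a fixed PATH, so the caller's
# PATH, LD_PRELOAD, IFS and the rest never reach it (the env -i form quoted above).
run_sanitized() {   # usage: run_sanitized /abs/path/to/command [ARGS...]
    /usr/bin/env -i PATH="$SAFE_PATH" "$@"
}
```

Inside a script that runs as root, the same two habits apply directly: set PATH to a fixed value on the first line and call each tool by its absolute path.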

Re: [Solved] Run certain bash script as root?

Post by ReaderGuy42 »

SimonPeter wrote: Tue Nov 30, 2021 8:22 am Running ANYTHING as setuid has the possibility of attacks/vulnerabilities, unless your setuid binary is written and compiled properly.

What if some local attacker (who is not root) modifies $PATH to look like PATH=/attackers/binaries/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:....
Now, the system will search for binaries in /attackers/binaries/bin before searching anything else.
E.g. if you call sed from the setuid binary running in a (non-sanitized) environment with $PATH as above, you'll end up running /attackers/binaries/bin/sed as ROOT (instead of the original /usr/bin/sed).

So, you must take care to sanitize the environment AND write the setuid binary well (a task well-suited only for experts in this field).

BTW polkit is better than the hassle of writing setuid binaries.
Not sure if I'm misunderstanding something, but I don't think I actually did anything with setuid? I put something in the sudoers.d folder that points to a script. But neither the thing in sudoers.d nor the script use setuid.

Re: [Solved] Run certain bash script as root?

Post by SimonPeter »

ReaderGuy42 wrote: Tue Nov 30, 2021 8:30 am Not sure if I'm misunderstanding something, but I don't think I actually did anything with setuid? I put something in the sudoers.d folder that points to a script. But neither the thing in sudoers.d nor the script use setuid.
I don't think you've done something with setuid (it involves writing code, compiling and setting the setuid bit).
I was just warning you to be extremely careful if you ever write a setuid program.

Re: [Solved] Run certain bash script as root?

Post by ReaderGuy42 »

SimonPeter wrote: Tue Nov 30, 2021 8:33 am I don't think you've done something with setuid (it involves writing code, compiling and setting the setuid bit).
I was just warning you to be extremely careful if you ever write a setuid program.
Ok, good to know, thanks :)