I wrote a script that helps clean up my downloads and anime, but it won't run without root.

So I tried adding it to /etc/sudoers (edited using techraf's suggestions):

# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification


# Cmnd alias specification
Cmnd_Alias FILEPERM_CMDS = /bin/chown, /bin/chmod

# User privilege specification
root    ALL=(ALL:ALL) ALL
myUsernane ALL = NOPASSWD: /media/96e60511-62ca-48ba-bccc-9b365bfcc4e5/Programs/down.sh
myUsernane ALL = NOPASSWD: /media/96e60511-62ca-48ba-bccc-9b365bfcc4e5/Programs/rehamer.sh
myUsernane ALL=(ALL) NOPASSWD: /bin/chown
myUsernane ALL=(ALL) NOPASSWD: /bin/chmod
myUsernane ALL=(ALL) NOPASSWD: FILEPERM_CMDS

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d 

But this doesn't work...

Here's what's inside the script:

sudo chown -cR myUsername:users "$downloads" "$anime" >>"$default"logs/own.log 2>&1
echo owned
sudo chmod -cR 664 "$anime" >>"$default"logs/mod.log 2>&1
sudo chmod -cR 765 "$downloads" >>"$default"logs/mod.log 2>&1
sudo find "$downloads" "$anime" -type d -exec chmod a+x {} \; >>"$default"logs/mod.log 2>&1
echo moded
rm -vrf "$downloads"*.ignore >>"$default"logs/rm.log 2>&1
echo removed ignored files

If I leave sudo in the script it asks for my password once and does work. If I remove sudo from my script it runs without password prompting, but I still get the Permissions denied errors over and over. How can I fix this?

2 Answers

2

By adding the following to sudoers:

myUsername ALL=(ALL) NOPASSWD: /path/to/down.sh

You have allowed myUsername to run /path/to/down.sh script with elevated privileges. This means you can issue the following command:

sudo /path/to/down.sh

It would be sufficient to run your whole script with elevated privileges and would not ask for a password. You don't need to put additional sudo for chown or chmod as these commands will inherit permissions from the script (but in this case sudo chown would run without problems, as root has permissions to run all commands without password prompt).

That's one possible way.


The other way...

You did not allow myUsername to run chown or chmod in sudoers. If you wanted to run the script as a regular user and only allow certain commands to be run as root, you should specify all of them in sudoers, for example:

myUsername ALL=(ALL) NOPASSWD: /usr/sbin/chown

Your path to binaries might be different.

or specify command aliases:

Cmnd_Alias FILEPERM_CMDS = /usr/sbin/chown, /usr/sbin/chmod
myUsername ALL=(ALL) NOPASSWD: FILEPERM_CMDS

This way you could use your script as is.


Finally, you have specified your permissions under # User alias specification. This is only good practice advice, but this is not what this section is about. You should rather have it added to # User privilege specification.

Have a look at sudoers examples for some common scenarios.

  • Doesn't seem to work. My chown & chmod are in /bin. Tried both settings that you gave (also put everything in the right location as per your suggestion), but still getting permission errors.
    – hakarune
    Commented Mar 1, 2016 at 1:36
  • It's working if I change the b script back to sudo chmod blah blah blah but then asks me for the user password. The user isn't a sudoer but it does execute properly as root. How come it's still asking for a password even though the user didn't have root privs except on these commands?
    – hakarune
    Commented Mar 1, 2016 at 1:41
  • Sorry, but commenting "tried everything and it doesn't work" is non-constructive. I have no idea what you do unless you write it.
    – techraf
    Commented Mar 1, 2016 at 1:42
  • By tried everything I put your commands into my sudoer file.
    – hakarune
    Commented Mar 1, 2016 at 1:43
  • # Cmnd alias specification Cmnd_Alias FILEPERM_CMDS = /bin/chown, /bin/chmod # User privilege specification root ALL=(ALL:ALL) ALL myUsernane ALL = NOPASSWD: /media/96e60511-62ca-48ba-bccc-9b365bfcc4e5/Programs/down.sh myUsernane ALL = NOPASSWD: /media/96e60511-62ca-48ba-bccc-9b365bfcc4e5/Programs/rehamer.sh myUsernane ALL=(ALL) NOPASSWD: /bin/chown myUsernane ALL=(ALL) NOPASSWD: /bin/chmod myUsernane ALL=(ALL) NOPASSWD: FILEPERM_CMDS
    – hakarune
    Commented Mar 1, 2016 at 1:45
0

One possibility is to have the script sudo itself. Add this to /etc/sudoers:

myUsername ALL=(ALL) NOPASSWD: /path/to/down.sh

Then add this at the beginning of the script:

#!/bin/bash

# If not already running as root, rerun via sudo
if [ "$(id -u)" -ne 0 ]; then
    exec sudo "$BASH_SOURCE" "$@"
    exit $? # in case something fails...
fi

As long as the filepath matches the entry in /etc/sudoers, it should be able to transparently rerun itself as root (so you can leave off the sudos in the rest of the script). If it doesn't match for some reason, you'll get sudo's password prompt.
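Both answers grant NOPASSWD on the script itself, and such a rule is only as strong as the file it names: if the invoking user can edit down.sh, or write to any directory above it, the rule amounts to passwordless root. The check below is an added example, not code from either answer; its function names are hypothetical, and it reports any non-root owner or group/world write bit on the script and each parent directory.

```shell
#!/bin/sh
# Added example: audit a script that a NOPASSWD sudoers rule points at.
# Function names are hypothetical; uses only POSIX sh, ls, dirname, basename.

# path_is_locked_down PATH [UID]: succeed only if PATH is owned by UID
# (default 0 = root) and is not writable by group or others.
path_is_locked_down() {
    p=$1 want_uid=${2:-0} rc=0
    if [ -L "$p" ]; then
        echo "$p: is a symlink, audit its target instead"; return 1
    fi
    info=$(ls -ldn -- "$p") || return 1
    # ls -ldn fields: mode string, link count, numeric uid, ...
    read -r mode _links uid _rest <<EOF
$info
EOF
    [ "$uid" = "$want_uid" ] || { echo "$p: owner uid $uid, expected $want_uid"; rc=1; }
    case $mode in ?????w*)    echo "$p: group-writable ($mode)"; rc=1 ;; esac
    case $mode in ????????w*) echo "$p: world-writable ($mode)"; rc=1 ;; esac
    return $rc
}

# audit_sudo_target PATH: check the script and every directory above it,
# because write access to any parent lets a user swap the file at that path.
audit_sudo_target() {
    target=$1 bad=0
    dir=$(cd -P -- "$(dirname -- "$target")" && pwd -P) || return 1
    path_is_locked_down "$dir/$(basename -- "$target")" || bad=1
    while :; do
        path_is_locked_down "$dir" || bad=1
        [ "$dir" = / ] && break
        dir=$(dirname -- "$dir")
    done
    return $bad
}

# Usage: sh audit.sh /path/to/down.sh   (exit status 1 means findings)
if [ $# -gt 0 ]; then audit_sudo_target "$1"; fi
```

A sticky world-writable directory such as /tmp is reported as well; treat each line of output as something to review before leaving the NOPASSWD rule in place.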
