Allow non-root users to run init.d

Some companies do not allow the use of sudo or su - root for security reasons. E.g.:

I have written a cron job for CentOS Linux that allows non-root users to trigger different init.d executables on their own without using sudo.

The user just adds a token (e.g. httpd graceful) to a trigger file within their home directory and waits for the root cron job. The root cron job picks up the token every two minutes, validates it and then runs the desired init.d script.

This method works on all System V systems and is useful for Apache, MySQL, Samba and other middleware that has to be installed by root but is used by non-root or unprivileged application administrators. OK admin, first put the following files into the non-root user's home directory:

  • Configuration file
  • Empty trigger file
  • Empty log file
  • Cron job as bash script file

The administrator has to ensure that file permissions and ownership are set properly to avoid abuse. Here is an example from the view of the non-root user peter:

The configuration file contains a list of services and their options. E.g.:

The configuration file allows the administrator (=root) to enable the usage of specific services and options on a per-user basis. The default service for testing purposes is: /etc/init.d/ntpd status

The root cron job is quite simple:

The trigger file is used by the non-root user to add the token. E.g.:

Once triggered, the user has to wait for the root cron job, which picks up the token:

After execution, the cron job clears the token file to avoid any loops.
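
The validation step is where this scheme succeeds or fails, so here is an added example of it (not the author's cron job). It assumes the configuration file holds one "service option" pair per line; the function name, the CONFIG_OWNER_UID variable and the paths in the comments are hypothetical.

```sh
#!/bin/sh
# Added example: validate a trigger token before a root job acts on it.
# Assumption: the allowlist holds one "service option" pair per line.
CONFIG_OWNER_UID="${CONFIG_OWNER_UID:-0}"   # allowlist owner, root by default

# validate_token CONFIG TRIGGER
# Prints "service option" and returns 0 only for an allowlisted token.
validate_token() (
    config=$1 trigger=$2 token=""

    # Both must be regular files, not symlinks. The job clears the trigger
    # as root afterwards, so a symlink there could truncate another file.
    [ -f "$config" ] && [ ! -L "$config" ] || return 1
    [ -f "$trigger" ] && [ ! -L "$trigger" ] || return 1

    # The allowlist must belong to the expected owner and must not be
    # group/world writable, or the restricted user could extend it.
    [ -n "$(find "$config" -prune -user "$CONFIG_OWNER_UID" \
            ! -perm -020 ! -perm -002)" ] || return 1

    # Only the first line of the trigger is considered.
    IFS= read -r token < "$trigger" || [ -n "$token" ] || return 1

    # Strict shape: service name, one space, option. Rejects "/", "..",
    # ";", "$(...)" and extra arguments before any lookup happens.
    printf '%s\n' "$token" | LC_ALL=C grep -Eqx '[a-z0-9_-]+ [a-z]+' || return 1

    # Fixed-string, whole-line match: no regex or prefix matching.
    grep -Fxq -- "$token" "$config" || return 1

    printf '%s\n' "$token"
)

# Sketch of the caller (paths are hypothetical):
#   if tok=$(validate_token /home/peter/initd.conf /home/peter/initd.trigger)
#   then "/etc/init.d/${tok%% *}" "${tok#* }"; fi
```

The service and option are passed to the init.d script as two separate quoted arguments and never through eval or an unquoted expansion.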

Configuration file

Cron job (bash script)
