How to Allow Non-root Users to Execute a Script with Root Privileges on Ubuntu Without Sudo Password Prompt


2 views

For scenarios where you need non-root users to run specific scripts with root privileges, the setuid bit is a classic Unix solution. However, modern Linux systems (including Ubuntu) typically ignore setuid on scripts for security reasons.


# This WON'T work due to security restrictions:
chmod u+s script.sh

Solution 1: Sudoers File Configuration

The most secure method is to configure sudo to allow passwordless execution of your specific script:


1. Create your script (e.g., /usr/local/bin/admin_script.sh):
#!/bin/bash
# Script requiring root privileges
systemctl restart some-service

2. Make it executable:
sudo chmod +x /usr/local/bin/admin_script.sh

3. Edit sudoers file:
sudo visudo

4. Add this line (replace 'groupname' with your user group):
%groupname ALL=(root) NOPASSWD: /usr/local/bin/admin_script.sh

Solution 2: C Wrapper

For cases where setuid is absolutely necessary, create a simple C wrapper:


#include 
#include 
#include 
#include 

int main()
{
    setuid(0);
    system("/path/to/your/script.sh");
    return 0;
}

Compile with:
gcc wrapper.c -o wrapper_executable

Then set permissions:
sudo chown root:root wrapper_executable
sudo chmod 4755 wrapper_executable

Solution 3: Polkit Authorization

For desktop environments, consider using polkit (formerly PolicyKit):


1. Create a policy file (/usr/share/polkit-1/actions/com.example.admin.policy):



  
    Run admin script
    Authentication is required to run admin script
    
      no
      no
      yes
    
    /usr/local/bin/admin_script.sh
  


2. Create a desktop file to launch it

When implementing any of these solutions:

  • Always validate input if the script accepts parameters
  • Restrict access to the script's directory
  • Consider logging all executions
  • Regularly audit the script for vulnerabilities

For specific privileged operations, consider Linux capabilities instead of full root access:


sudo setcap 'cap_net_bind_service=+ep' /path/to/your/program

In Unix-like systems, the setuid bit allows users to execute a script with the permissions of the file's owner. For root-owned scripts, this means any user can run them with root privileges.

# Create the script
echo '#!/bin/bash
echo "Running as $(whoami)"
# Your root commands here' > /usr/local/bin/myscript

# Set ownership and permissions
sudo chown root:root /usr/local/bin/myscript
sudo chmod 4755 /usr/local/bin/myscript

Setuid scripts are disabled by default in most Linux distributions due to security risks. To enable them in Ubuntu:

# Edit the /etc/sudoers file
sudo visudo
# Add the following line
Defaults !requiretty

A more secure approach is to configure sudo to allow passwordless execution of specific scripts:

# Edit sudoers
sudo visudo
# Add this line (replace 'groupname' with your user group)
%groupname ALL=(root) NOPASSWD: /usr/local/bin/myscript

For modern Ubuntu systems, consider using Polkit (formerly PolicyKit):

# Create a policy file
echo '


  
    Run special script
    Authentication is required to run myscript
    
      yes
      yes
      yes
    
    /usr/local/bin/myscript
  
' | sudo tee /usr/share/polkit-1/actions/com.example.myscript.policy >/dev/null

For more granular control, Linux capabilities can be used:

# Install required tools
sudo apt install libcap2-bin

# Set capabilities on the binary
sudo setcap cap_net_raw+ep /usr/local/bin/myscript