  1. #1
    Linux Newbie
    Join Date
    May 2007
    Posts
    106

    [SOLVED] nopasswd in /etc/sudoers


    I want to run the command nmap from within a shell script driven by cron. Nmap requires root privileges which means my non-root user account normally requires sudo to run it. In this case the command is running inside a script and therefore it is not possible to supply the required password. I've modified the file /etc/sudoers in an attempt to address this issue. Here's what I've done:

    $ sudo visudo -f /etc/sudoers

    then I modified the contents of the file as follows:


    ...
    # User privilege specification
    root ALL = (ALL) ALL
    charlie ALL = (ALL) ALL
    charlie ALL = (root) NOPASSWD: /usr/bin/nmap


    Then I saved and quit the file. At this point I expected to be able to run the command nmap without being prompted for a password, but that did not happen. It seems to have had no effect.

    What am I missing?

  2. #2
    tpl
    Linux User
    Join Date
    Jan 2007
    Location
    cleveland
    Posts
    478
    run as root: why not?
    the sun is new every day (heraclitus)

  3. #3
    Linux Newbie
    Join Date
    May 2007
    Posts
    106
    Quote Originally Posted by tpl View Post
    run as root: why not?
    security

    Also, that doesn't address the question. Running the script as root would enable the function of the script, but it is only a work-around to the problem.

  5. #4
    Just Joined!
    Join Date
    Jan 2009
    Location
    Kansas City
    Posts
    3
    I am just starting to get a grasp of shell scripting. So my advice, while it may be valid, may not be the best information.

    In the script you would first run the command whoami and toss it in an if then statement. If whoami = root then execute command, else run command sudo -s, or su root.

    Now the down side to this is that it will probably ask for authentication and you could put the password in your script but it will be stored there in plain text.

    The other way to do it, is just have it owned by root:wheel, toss it in your $PATH, make it executable, then have cron run it as an automated task.

  6. #5
    Linux Newbie
    Join Date
    May 2007
    Posts
    106
    Quote Originally Posted by tlarkin View Post
    In the script you would first run the command whoami and toss it in an if then statement. If whoami = root then execute command, else run command sudo -s, or su root.

    Thanks for the response, but running it as root is not an option for security reasons (as I stated above). I will always be running this via cron as a local user account. The problem is configuring /etc/sudoers so that the command does not request a password (because a password request is interactive and shell scripts are not, of course).

  7. #6
    Just Joined!
    Join Date
    Jan 2009
    Location
    Kansas City
    Posts
    3
    Quote Originally Posted by charlie205 View Post
    Thanks for the response, but running it as root is not an option for security reasons (as I stated above). I will always be running this via cron as a local user account. The problem is configuring /etc/sudoers so that the command does not request a password (because a password request is interactive and shell scripts are not, of course).
    If you make it a launch agent owned by root it should not need sudo in front of it. When I write shell scripts at work I run them as root, though I am doing this on Unix and OS X servers/boxes and not Linux ones.

    There has to be a way to make it a root level daemon and then have it execute at interval and output a log file. Another option would be to make it interactive but that defeats the purpose of having it automated.

    Oh, wait, so you don't want it running as root, but you just want it to run with no authentication. Editing the /etc/sudoers will work, but I haven't personally done that before.

    You may have to use UID or something besides the short name in the file. Once in terminal do a sudo nano /etc/sudoers

    Add in this line:

    Code:
    
    your_short_name ALL=(ALL) NOPASSWD: ALL
    You may need to google if my syntax is right because I haven't really done this before. Back up the file too before you edit it.

  8. #7
    Linux Newbie
    Join Date
    May 2007
    Posts
    106
    Quote Originally Posted by tlarkin View Post
    Oh, wait, so you don't want it running as root, but you just want it to run with no authentication. Editing the /etc/sudoers will work, but I haven't personally done that before.

    You may have to use UID or something besides the short name in the file. Once in terminal do a sudo nano /etc/sudoers

    Add in this line:

    Code:
    
    your_short_name ALL=(ALL) NOPASSWD: ALL
    You may need to google if my syntax is right because I haven't really done this before. Back up the file too before you edit it.
    Right, this is exactly my question (namely, what is the proper syntax). I went through the same thought process as you did and I can't find the proper syntax - hence this thread. Check out my initial post and you will see the modification I did to /etc/sudoers.

  9. #8
    Linux Newbie
    Join Date
    May 2007
    Posts
    106
    A friend of mine gave me the answer:

    The syntax I posted in the initial comment was correct. The problem was the order of the statements. Specifically, all user-related statements such as:

    #User privilege specification
    root ALL = (ALL) ALL
    charlie hostname = /usr/bin/nmap

    must be AFTER the line that looks like this:

    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL


    This is the specific solution for my problem. The key here is that order is important. You can get very granular with this file so the man page is important. A good rule of thumb might be that "user specific stuff should go at the bottom". This is just a rule of thumb, it won't solve every problem, but it's a good start for my issue.

    Thanks for all the suggestions!
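
Added example (not from the thread, and not sudo's own code): a simplified shell/awk model of the sudoers rule that the last matching entry decides the tag, run on constructed files that mirror the two orderings discussed above. It assumes charlie is a member of the admin group; the function names and sample files are illustrative.

```shell
#!/bin/sh
# Simplified model: sudo applies matching rules in file order, last match wins.
# Handles only "who host = (runas) [TAG:] cmd[, cmd]"; aliases, Defaults,
# host matching, negation and includes are ignored.

# last_match FILE USER GROUPS(comma-separated) COMMAND
last_match() {
    awk -v user="$2" -v groups="$3" -v cmd="$4" '
    BEGIN { n = split(groups, g, ","); for (i = 1; i <= n; i++) ingroup["%" g[i]] = 1 }
    /^[ \t]*(#|$)/ || /^[ \t]*Defaults/ { next }
    {
        eq = index($0, "="); if (eq == 0) next
        if ($1 != user && !($1 in ingroup)) next     # rule is for someone else
        rhs = substr($0, eq + 1)
        sub(/^[ \t]*(\([^)]*\))?[ \t]*/, "", rhs)    # drop the (runas) list
        tag = "PASSWD"                               # default when no tag is given
        if (sub(/^NOPASSWD:[ \t]*/, "", rhs)) tag = "NOPASSWD"
        m = split(rhs, c, ",")
        for (i = 1; i <= m; i++) {
            split(c[i], w, " ")                      # w[1] = command path
            if (w[1] == "ALL" || w[1] == cmd) result = tag " line " NR
        }
    }
    END { print (result == "" ? "no match" : result) }
    ' "$1"
}

# Constructed sample files: "before" is the failing order, "after" the fixed one.
write_samples() {
    cat > "$1/before" <<'EOF'
root ALL = (ALL) ALL
charlie ALL = (ALL) ALL
charlie ALL = (root) NOPASSWD: /usr/bin/nmap
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
EOF
    cat > "$1/after" <<'EOF'
root ALL = (ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
charlie ALL = (ALL) ALL
charlie ALL = (root) NOPASSWD: /usr/bin/nmap
EOF
}

d=$(mktemp -d) && write_samples "$d"
for f in before after; do
    printf '%s: %s\n' "$f" "$(last_match "$d/$f" charlie admin /usr/bin/nmap)"
done
rm -rf "$d"
```

On a real system, `sudo visudo -c` checks the file's syntax and `sudo -l` lists the entries and tags that apply to the invoking user.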
