Allowing a non-privileged User the ability to execute a root level command



Last Modified: Sep 23, 2015, 3:16 pm
Part of the design of DirectAdmin is to automate root level tasks, while not allowing Users to affect things that they should not.
There might be some cases where you want to allow Users to run something as root, but without giving them root access.

In this example, we'll say we want to let a User restart proftpd on command.
The action done can really be anything, but this outlines the basics of how it works.
Obviously, you'd need to pick a command that you don't mind them running, possibly more often than you're expecting.

We'll accomplish this by having a root cronjob scan for files that the User can create, e.g.:

/home/username/


1) Create a script at:

/root/check_proftpd_restart.sh

and in it put the code:

#!/bin/sh
# Count the trigger files that Users have created in their home directories.
COUNT=$(ls /home/*/restart_proftpd 2>/dev/null | grep -c restart_proftpd)
if [ "$COUNT" -gt 0 ]; then
   echo "Restarting proftpd, triggered by"
   ls /home/*/restart_proftpd
   # Queue the restart for the dataskq, then remove the triggers.
   echo "action=proftpd&value=restart" >> /usr/local/directadmin/data/task.queue
   rm -f /home/*/restart_proftpd
fi
exit 0

and chmod the script to 700.

2) Then create a cron to run as root every minute which calls it:

echo '* * * * * root /root/check_proftpd_restart.sh' > /etc/cron.d/check_proftpd
chmod 600 /etc/cron.d/check_proftpd
/etc/init.d/crond restart


3) Now anytime a User wants to restart proftpd, they can simply create the file /home/username/restart_proftpd, and within 1 minute, the cronjob will find their file, and tell the task.queue to restart proftpd.

It might take up to 2 full minutes for proftpd to get restarted, as the dataskq would need to find the task.queue in the same manner. If this is too long, the echo task.queue command could be replaced with a more direct /etc/init.d/proftpd restart command; just be careful of possible piping issues.
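
A hardened variant of the check script from step 1, as an added example that is not DirectAdmin's own code: it accepts only regular files owned by the owner of the home directory, counts a trigger only once it has actually been removed, and enforces a cooldown so that proftpd is not restarted more often than you're expecting. The function name, the --cron argument, the stamp file path and the 300 second cooldown are assumptions of this example.

```shell
#!/bin/sh
# Added example: hardened variant of /root/check_proftpd_restart.sh.
# process_triggers BASE QUEUE STAMP COOLDOWN  (argument names are this example's own)
# Prints the number of restarts queued: 0 or 1.
process_triggers() {
    base=$1 queue=$2 stamp=$3 cooldown=$4
    accepted=0
    for f in "$base"/*/restart_proftpd; do
        # Accept a plain file only. A symlink is ignored, and so is a directory:
        # rm -f cannot delete a directory, so it would never be consumed.
        if [ -L "$f" ] || [ ! -f "$f" ]; then continue; fi
        home=${f%/restart_proftpd}
        # The trigger must belong to the owner of the home directory it sits in.
        [ "$(ls -ldn "$f" | awk '{print $3}')" = "$(ls -ldn "$home" | awk '{print $3}')" ] || continue
        # Count the trigger only once it is really gone.
        if rm -f -- "$f"; then
            echo "restart requested via $f" >&2
            accepted=$((accepted + 1))
        fi
    done
    [ "$accepted" -gt 0 ] || { echo 0; return 0; }
    # Cooldown: triggers are consumed, but at most one restart per window is queued.
    now=$(date +%s)
    last=$(cat "$stamp" 2>/dev/null || echo 0)
    if [ $((now - last)) -lt "$cooldown" ]; then
        echo "restart suppressed: inside ${cooldown}s cooldown" >&2
        echo 0; return 0
    fi
    echo "$now" > "$stamp"
    # One queue entry, however many Users asked during this run.
    echo "action=proftpd&value=restart" >> "$queue"
    echo 1
}

# Cron entry point with the page's paths; stamp path and cooldown are assumptions.
if [ "${1:-}" = "--cron" ]; then
    process_triggers /home /usr/local/directadmin/data/task.queue \
        /root/.proftpd_restart_stamp 300 >/dev/null
fi
```

To use it from the cron line in step 2, call the script with the --cron argument.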

2003 JBMC Software, Suite 173  3-11 Bellerose Drive, St Albert, AB  T8N 1P7  Canada.  Mon-Fri 9AM-5PM MST